Akenatehm Posted November 26, 2008

Hey guys, something's wrong with this syntax, I was just trying and experimenting. I am sure it won't be something big that's wrong with it. Here it is:

```php
<?php
include "connect.php";
if(isset($_POST['submit']))
{
    $username=$_POST['username'];
    $email=$_POST['email'];
    if(strlen($username)<1)
    {
        print "You did not enter a username.";
    }
    else
    {
        $delete="DELETE FROM users WHERE username = '$username' OR 1=1 OR email = $email";
        mysql_query($delete) or die("Could not delete user" . mysql_error());
        echo "User Deleted. <a href=\"home.html\">Click here</a> To Go Home.";
    }
}
?>
```
ShiloVir Posted November 26, 2008

```php
$delete="DELETE FROM users WHERE username = '$username' OR 1=1 OR email = $email";
```

to...

```php
// Column names go in backticks (identifiers); the values go in single quotes (string literals).
$delete="DELETE FROM `users` WHERE `username` = '$username' OR `email` = '$email'";
```
genericnumber1 Posted November 26, 2008

```sql
DELETE FROM users WHERE username = '$username' OR 1=1 OR email = $email
```

^ deletes all users..... use

```sql
DELETE FROM users WHERE username = '$username' OR email = '$email'
```

(also note the added quotes around the email) and you should really cleanse input with mysql_real_escape_string() or something similar
Akenatehm Posted November 26, 2008 (Author)

What is cleansing input?
ShiloVir Posted November 26, 2008

It means if someone sneaks a "'" into your textbox, then they can write their own SQL query that could drop, delete, or read your database. It's called SQL Injection and you might want to make your scripts more secure before you get so far into your coding that it would take hours and many errors to get your code secure.
genericnumber1 Posted November 26, 2008

http://www.phpfreaks.com/tutorial/php-security/page3
ShiloVir Posted November 26, 2008

I really do love this:
Akenatehm Posted November 26, 2008 (Author)

Lol ok. Thanks. Could you maybe help me with the
genericnumber1 Posted November 26, 2008

[quote] Lol ok. Thanks. Could you maybe help me with the

Sure, no problem. I would be happy to help you with anything you
ShiloVir Posted November 26, 2008

[quote] Lol ok. Thanks. Could you maybe help me with the

[quote] Sure, no problem. I would be happy to help you with anything you

haha. That's
Akenatehm Posted November 26, 2008 (Author)

Lol sorry about that. What I meant to say was, could you please help me with the correct syntax by applying it to this Delete Script so that I can learn by adapting it to my other scripts.
ShiloVir Posted November 26, 2008

```php
<?php
// mysql_real_escape_string() needs the connection from connect.php to be open,
// and the escaped value must still be wrapped in single quotes inside the SQL.
// Column names are identifiers, so they go in backticks, not single quotes.
$delete="DELETE FROM `users` WHERE `username` = '".mysql_real_escape_string($username)."' OR `email` = '".mysql_real_escape_string($email)."'";
?>
```

That should work.
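The two points raised in this thread, the `OR 1=1` term matching every row and the need to keep user input out of the SQL text, can both be shown against a throwaway database. The script below is an added example and is not code from the thread or from phpfreaks; it uses PDO with an in-memory SQLite database so it runs offline (the thread used the old mysql_* extension, removed in PHP 7, but PDO prepared statements behave the same with the MySQL driver). The table layout and the three sample users are constructed for the example. Escaping with mysql_real_escape_string() only helps when the escaped value sits inside quotes in the query; bound parameters sidestep that detail entirely, because the values are sent separately from the statement and are never parsed as SQL.

```php
<?php
// Added example, not from the thread. Demonstrates (1) why the original
// "OR 1=1" clause empties the table and (2) the prepared-statement fix.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed table layout; the thread only names the columns username and email.
    $db->exec("CREATE TABLE users (username TEXT NOT NULL, email TEXT NOT NULL)");
    return $db;
}

function seedUsers(PDO $db): void {
    $db->exec("DELETE FROM users");
    $stmt = $db->prepare("INSERT INTO users (username, email) VALUES (?, ?)");
    // Constructed sample rows; the third username contains a single quote on purpose.
    foreach ([['alice', 'alice@example.com'],
              ['bob',   'bob@example.com'],
              ["o'hara", 'ohara@example.com']] as $row) {
        $stmt->execute($row);
    }
}

function countUsers(PDO $db): int {
    return (int) $db->query("SELECT COUNT(*) FROM users")->fetchColumn();
}

// The original post's WHERE clause, with the email quoted as genericnumber1
// suggested so that the statement parses at all. "OR 1=1" is true for every
// row, so this DELETE removes the whole table no matter what was submitted.
function deleteUserOriginal(PDO $db, string $username, string $email): int {
    $delete = "DELETE FROM users WHERE username = '$username' OR 1=1 OR email = '$email'";
    return $db->exec($delete);
}

// Hardened version: named placeholders are bound at execute time, so the
// submitted values never become part of the SQL text. A quote in the
// username is just a character in the data, not a syntax boundary.
function deleteUserSafe(PDO $db, string $username, string $email): int {
    $stmt = $db->prepare("DELETE FROM users WHERE username = :username OR email = :email");
    $stmt->execute([':username' => $username, ':email' => $email]);
    return $stmt->rowCount();
}

$db = openDb();

seedUsers($db);
$removed = deleteUserOriginal($db, 'bob', 'bob@example.com');
printf("original query:     removed %d rows, %d left\n", $removed, countUsers($db));

seedUsers($db);
$removed = deleteUserSafe($db, 'bob', 'bob@example.com');
printf("prepared statement: removed %d rows, %d left\n", $removed, countUsers($db));

seedUsers($db);
$removed = deleteUserSafe($db, "o'hara", 'ohara@example.com');
printf("quote in username:  removed %d rows, %d left\n", $removed, countUsers($db));
```

Run it with `php delete_demo.php` (any file name will do). The first call shows the original clause removing every user, the second removes only bob, and the third shows that a username containing a single quote is matched as plain data, which is exactly the case that breaks string-built queries. In the real script the same `deleteUserSafe()` shape replaces the `mysql_query($delete)` line, with the PDO connection created in connect.php.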
Akenatehm Posted November 27, 2008 (Author)

Ok, thanks heaps.