ldb358 Posted August 6, 2009

What I need to do is delete a single entry from a table, but I need to get the exact message that needs to be deleted. To do this I want to delete the row with the subject, sender and receiver (it's an automated friend request, always the same). Here's what I have come up with:

    mysql_query("DELETE * FROM messages WHERE sendto='$username2' AND WHERE sentfrom='$username' AND WHERE subject='$subject'") or die(mysql_error());

This generates this error:

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '* FROM messages WHERE sendto='lane3' AND WHERE sentfrom='lane' AND WHERE subject' at line 1

Maq Posted August 6, 2009

Remove the *.

roopurt18 Posted August 6, 2009

Unless I'm mistaken you can only have one WHERE in your query.

    mysql_query("DELETE FROM messages WHERE sendto='$username2' AND sentfrom='$username' AND subject='$subject'") or die(mysql_error());

I hope you called mysql_real_escape_string() on $username2, $username, and $subject. Otherwise you're going to have a heck of a time when I tell your site to delete the message with subject:

    '; delete from users where 1=1 -- '

ldb358 (Author) Posted August 6, 2009

Hmm, I think you may be right. I removed the * but I'm still getting the same error. Any ideas on how to compare it to multiple columns?

ldb358 (Author) Posted August 6, 2009

And about the mysql escape string: the input isn't user input, it's made by the script in order to delete a friend request after it is accepted.

Maq Posted August 6, 2009

> Hmm, I think you may be right. I removed the * but I'm still getting the same error. Any ideas on how to compare it to multiple columns?

If you've implemented roopurt's comment, can you post your current query?

ldb358 (Author) Posted August 6, 2009

I don't know how to get rid of the multiple WHEREs. That's the problem I'm at now, finding an alternative.

ldb358 (Author) Posted August 6, 2009

Okay, thanks everyone, I got it. All I had to do was get rid of the WHEREs and the *; I didn't need to add anything.

Maq Posted August 6, 2009

> Okay, thanks everyone, I got it. All I had to do was get rid of the WHEREs and the *; I didn't need to add anything.

Good. There are also examples in the MySQL manual: http://dev.mysql.com/doc/refman/5.0/en/delete.html.

roopurt18 Posted August 6, 2009

> And about the mysql escape string: the input isn't user input, it's made by the script in order to delete a friend request after it is accepted.

You should mysql_real_escape_string() the inputs anyways. It's best to assume everything is faulty and / or compromised in terms of security.

Any variables going into a query should be escaped, regardless of what populated the variables. Likewise any data coming out of the database for display in a web browser should have strip_tags() or htmlentities() called on it, regardless of how you think the data was put into the database in the first place.

If your site someday has a problem and you fail to do these things, then you just have more possibilities to chase down on how your site became compromised. If, on the other hand, you know that 100% of the time you use mysql_real_escape_string(), then you know your site was probably not attacked with SQL injection. Now you have fewer things to think about in terms of "How did my site get attacked?"

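Added example, not part of the thread: the same three-column DELETE written with a PDO prepared statement, so the values are bound as data instead of being escaped into the SQL string. It uses an in-memory SQLite database so it runs offline (the thread uses MySQL; only the DSN would differ), and the function name deleteFriendRequest and the sample rows are constructed for illustration.

```php
<?php
// Added example: table and column names come from the thread; the function
// name and the sample rows are constructed for illustration.
$pdo = new PDO('sqlite::memory:');   // assumption: for MySQL use a mysql: DSN
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE messages (
    id INTEGER PRIMARY KEY, sendto TEXT, sentfrom TEXT, subject TEXT)');
$insert = $pdo->prepare(
    'INSERT INTO messages (sendto, sentfrom, subject) VALUES (?, ?, ?)');
foreach ([
    ['lane3', 'lane', 'Friend request'],
    ['lane3', 'bob',  'Friend request'],
    ['alice', 'lane', 'Hello'],
] as $row) {
    $insert->execute($row);
}

/**
 * Delete one friend-request message. One WHERE, conditions joined with AND,
 * values passed as bound parameters and never concatenated into the SQL.
 * Returns the number of rows deleted.
 */
function deleteFriendRequest(PDO $pdo, string $to, string $from, string $subject): int
{
    $stmt = $pdo->prepare(
        'DELETE FROM messages
          WHERE sendto = :to AND sentfrom = :from AND subject = :subject');
    $stmt->execute([':to' => $to, ':from' => $from, ':subject' => $subject]);
    return $stmt->rowCount();
}

// The subject string quoted in the thread is compared as a literal value:
// it is matched against the subject column and cannot change the statement.
$hostile = "'; delete from users where 1=1 -- '";
printf("hostile subject: %d row(s) deleted\n",
    deleteFriendRequest($pdo, 'lane3', 'lane', $hostile));

// The intended call removes only the row matching all three columns.
printf("real request:    %d row(s) deleted\n",
    deleteFriendRequest($pdo, 'lane3', 'lane', 'Friend request'));

printf("rows remaining:  %d\n",
    $pdo->query('SELECT COUNT(*) FROM messages')->fetchColumn());
```

Checking the returned row count after the delete also catches the case where the three values match more or fewer rows than the single request the script meant to remove.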