
Multiple WHEREs in a single DELETE


ldb358


What I need to do is delete a single entry from a table, but I need to get the exact message that needs to be deleted. To do this I want to delete the row with the subject, sender and receiver (it's an automated friend request, always the same). Here's what I have come up with:

mysql_query("DELETE * FROM messages WHERE sendto='$username2' AND WHERE sentfrom='$username' AND WHERE subject='$subject'") or die(mysql_error());

this generates this error:

 

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '* FROM messages WHERE sendto='lane3' AND WHERE sentfrom='lane' AND WHERE subject' at line 1

 


Unless I'm mistaken you can only have one WHERE in your query.

 

mysql_query("DELETE FROM messages WHERE sendto='$username2' AND sentfrom='$username' AND subject='$subject'") or die(mysql_error());

 

I hope you called mysql_real_escape_string() on $username2, $username, and $subject.

 

Otherwise you're going to have a heck of a time when I tell your site to delete the message with subject:

'; delete from users where 1=1 -- '


Hmm, I think you may be right. I removed the * but I'm still getting the same error. Any ideas on how to compare it to multiple columns?

 

If you've implemented roopurt's comment, can you post your current query?


And about the mysql escape string: the input isn't user input, it's made by the script in order to delete a friend request after it is accepted.

 

You should mysql_real_escape_string() the inputs anyway.  It's best to assume everything is faulty and / or compromised in terms of security.  Any variables going into a query should be escaped, regardless of what populated the variables.  Likewise any data coming out of the database for display in a web browser should have strip_tags() or htmlentities() called on it, regardless of how you think the data was put into the database in the first place.

 

If your site someday has a problem and you fail to do these things, then you just have more possibilities to chase down on how your site became compromised.

 

If, on the other hand, you know that 100% of the time you use mysql_real_escape_string(), then you know your site was probably not attacked with SQL injection.  Now you have fewer things to think about in terms of "How did my site get attacked?"

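The two points made in the replies above, a single WHERE with AND-joined conditions and never splicing values into the SQL text, shown together as an added example (not code from the thread or from either poster). It uses Python with sqlite3 standing in for the PHP/MySQL code, bound parameters in place of mysql_real_escape_string(), and constructed sample rows; the fixed subject "Friend request" and the table layouts are assumptions.

```python
import sqlite3

# Assumed fixed subject of the automated friend-request message.
FRIEND_REQUEST_SUBJECT = "Friend request"


def setup_db():
    """Constructed in-memory stand-in for the thread's messages and users tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.execute("CREATE TABLE messages (sendto TEXT, sentfrom TEXT, subject TEXT, body TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("lane",), ("lane3",)])
    conn.executemany(
        "INSERT INTO messages VALUES (?, ?, ?, ?)",
        [
            ("lane3", "lane", FRIEND_REQUEST_SUBJECT, "lane wants to be your friend"),
            ("lane3", "lane", "Hello", "unrelated message between the same users"),
            ("lane", "lane3", FRIEND_REQUEST_SUBJECT, "request in the other direction"),
        ],
    )
    conn.commit()
    return conn


def delete_friend_request(conn, sendto, sentfrom, subject):
    """Delete the row matching all three columns; return the number of rows removed.

    One WHERE clause, conditions joined with AND (the corrected query from the
    thread). The values are bound as parameters, so a quote or semicolon in
    any of them is compared as data and never changes the statement.
    """
    cur = conn.execute(
        "DELETE FROM messages WHERE sendto = ? AND sentfrom = ? AND subject = ?",
        (sendto, sentfrom, subject),
    )
    conn.commit()
    return cur.rowcount


def count_rows(conn, table):
    # Identifiers cannot be bound, so the table name is checked against an allowlist.
    if table not in ("users", "messages"):
        raise ValueError("unknown table")
    return conn.execute("SELECT COUNT(*) FROM " + table).fetchone()[0]


if __name__ == "__main__":
    conn = setup_db()
    print(delete_friend_request(conn, "lane3", "lane", FRIEND_REQUEST_SUBJECT))  # 1
    # The subject quoted in the thread arrives as plain data and matches no row.
    print(delete_friend_request(conn, "lane3", "lane", "'; delete from users where 1=1 -- '"))  # 0
    print(count_rows(conn, "users"))  # 2
```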
