
How does this little script look?


Reaper0167


Is there anything else that I should have, security I mean?


<?php
session_start();

if( (isset($_SESSION['who'])) || (isset($_SESSION['auth'])) )
{
  include 'connection.php';
  $delete_this = $_GET['delete_id'];
  $got_you = $_SESSION['who'];
  $result = mysql_query("SELECT * FROM my_table WHERE id = '$delete_this' ");
  while ($row = mysql_fetch_array($result))
  {
    $server_pic = $row['imgpath'];
    $server_file = $row['track_loc'];
  }
  unlink($server_pic);  //removes picture from server
  unlink($server_file);  //removes file from server
  mysql_query("DELETE FROM my_table WHERE id='$delete_this'");  //remove track info from db
  mysql_query("DELETE FROM my_table2 WHERE track_id = '$delete_this'");  //remove track comments from db
  mysql_query("DELETE FROM my_table3 WHERE track_id = '$delete_this'");  //remove best lap time info from db

  mysql_close();
  header("location:my_page.php");
  exit();
}

?>

https://forums.phpfreaks.com/topic/194721-how-does-this-little-script-look/

You're not using mysql_real_escape_string().

I don't see what purpose $got_you even serves; you assign to it and then never use it.

What's to stop me from putting whatever I want into delete_id and deleting stuff other people posted?

I know what you mean,

switch

$delete_this = $_GET['delete_id'];

to

$delete_this = mysql_real_escape_string($_GET['delete_id']);

and yes, I had $got_you in the code for future add-ons to the script; it is probably best to leave it out until it is needed?

So would that be about it with the mysql_real_escape_string?

What else could someone do?
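As an added example (not code from this thread or from the original poster) covering both points raised above, the unescaped delete_id and the missing ownership check, here is the same delete script rebuilt on PDO prepared statements with a per-user ownership condition. It assumes an owner_id column on my_table holding the uploader's user id, that $_SESSION['who'] is that id, that connection.php creates a PDO handle $pdo with exceptions enabled, that uploads live under UPLOAD_DIR, and PHP 8; none of these come from the thread.

```php
<?php
// Added example, not the original poster's code. Assumed: connection.php
// creates $pdo (PDO, ERRMODE_EXCEPTION); my_table has an integer owner_id
// column; $_SESSION['who'] is the user's id; uploads sit under UPLOAD_DIR.
session_start();
require 'connection.php';
const UPLOAD_DIR = '/var/www/uploads';   // assumed upload root

function deleteOwnTrack(PDO $pdo, int $userId, string $rawId): bool
{
    // The id must be a plain positive integer; anything else is rejected outright.
    if (!ctype_digit($rawId)) {
        return false;
    }
    $id = (int) $rawId;
    // Ownership check: the row comes back only if this session's user owns it,
    // so an id belonging to someone else simply matches nothing.
    $stmt = $pdo->prepare(
        'SELECT imgpath, track_loc FROM my_table WHERE id = ? AND owner_id = ?'
    );
    $stmt->execute([$id, $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                        // not found or not yours: no change
    }
    // Parameterised deletes: the id is bound, never spliced into the SQL text.
    $pdo->beginTransaction();
    foreach (['DELETE FROM my_table WHERE id = ?',
              'DELETE FROM my_table2 WHERE track_id = ?',
              'DELETE FROM my_table3 WHERE track_id = ?'] as $sql) {
        $pdo->prepare($sql)->execute([$id]);
    }
    $pdo->commit();
    // Only unlink files that really resolve to a path under the upload root,
    // so a stored path can never point the delete at something else.
    foreach ([$row['imgpath'], $row['track_loc']] as $path) {
        $real = realpath($path);
        if ($real !== false && str_starts_with($real, UPLOAD_DIR . '/')) {
            unlink($real);
        }
    }
    return true;
}

// A delete changes state, so take it from a POST form rather than a GET link.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_SESSION['who'])) {
    deleteOwnTrack($pdo, (int) $_SESSION['who'], (string) ($_POST['delete_id'] ?? ''));
}
header('Location: my_page.php');
exit();
```

mysql_real_escape_string() belongs to the old mysql extension, which was removed in PHP 7; bound parameters address the same injection problem without per-query escaping, and the owner_id condition is what stops one user deleting another user's rows.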
