I've recently started working on a website that is using MySQL, and I can't say that I'm entirely too familiar with how to escape certain sequences of characters.  Right now I've run into a bit of an issue.  Barring a complete teardown of the existing database and rebuilding it in a more straightforward manner, I have to work around this insert string:

$query="insert into table2(date,name,member,supervisor,note) values('$v_date','<a href=$v_link>$v_name</a>','$v_member','$v_supervisor','$v_note')";

The values come in from a form.

Now I'm trying to make it so that they can remove a single entry from a user's file, but I can't for the life of me work around that hyperlink.  At present my code looks like this:

$query="DELETE FROM table2 WHERE member='$v_member' AND name='<a href='$v_link'>'$v_name'</a>'";

And I'm just getting a ton of parse errors because I'm not treating the hyperlink properly.  I've tried googling this a few times, to no avail.  I would have never created the insert like that if I'd had a choice (link can modify the value when removed from the table).

Any help with this would be hugely appreciated, thanks!

Edit:  Also wanted to note that the "name" is the name of the entry.  Something like a subject line in an email.

How are you getting the values into the form to begin with? Is the form you're talking about built with the user data from a database query?

I should've mentioned that, I suppose.  The query to insert is built with a simple HTML form, and the query to remove is built with an extremely similar (simple) form.  I'm going to change it over to a select propagated by users once I am complete.  But the code I'm working with right now looks like this.

(This is to acquire data to go into the database -- note the name of the php file is not really blahblah)

<div id="note" role="main">
    <form action="blahblah.php" method="post">
        Date: <input type="text" name="date"><br>
        Item Name: <input type="text" name="name"><br>
        User Link: <input type="text" name="link"><br>
        Member: <input type="text" name="member"><br>
        Boss: <input type="text" name="supervisor"><br>
        Type: <input type="text" name="note"><br>
        <input type="submit" name="submit" value="submit">
    </form>
</div>

Then the contents of 'blahblah' are something like this:

// Get the form data into local variables. The variable names match the
// insert query above ($v_supervisor, $v_note) and the form's field names.
$v_date=$_POST['date'];
$v_name=$_POST['name'];
$v_member=$_POST['member'];
$v_supervisor=$_POST['supervisor'];
$v_note=$_POST['note'];
$v_link=$_POST['link'];

The query then inserts them as above.

The way to get data to delete from the database is equally simple:

<form action="L2.php" method="post">
    Member with note to delete: <input type="text" name="member"><br>
    note to delete: <input type="text" name="name"><br>
    link to note: <input type="text" name="link"><br>
    Password: <input type="text" name="password"><br>
    <input type="submit" name="submit" value="submit">
</form>

And finally, all the junk gets sent over to L2.php, which contains this:

// Read the delete form's fields (the form sends member, name, link and password)
$v_member=$_POST['member'];
$v_name=$_POST['name'];
$v_link=$_POST['link'];

$query="DELETE FROM table2 WHERE member='$v_member' AND name='<a href='$v_link'>'$v_name'</a>'";
// Run the query once and stop on a MySQL error
$result = mysql_query($query) or die(mysql_error());
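An added example, not code from the thread, of what L2.php looks like once the delete uses a mysqli prepared statement instead of a string built from the form fields. It assumes a mysqli connection opened with the placeholder credentials shown, and that the name column holds exactly what the insert above stored, `<a href=LINK>NAME</a>` with no quotes around the href value, so the comparison value is rebuilt the same way the insert built it rather than with the extra inner quotes that caused the parse errors.

```php
<?php
// Added example, not code from the thread. Replaces the string-built DELETE in
// L2.php with a mysqli prepared statement. Assumptions: a mysqli connection
// opened with the placeholder credentials below, and a name column holding
// exactly what the insert stored: '<a href=' . $link . '>' . $name . '</a>'.
declare(strict_types=1);

// Build the stored value the same way the insert did. Keeping it in one
// function means the insert and the delete cannot drift apart.
function storedName(string $link, string $name): string
{
    return '<a href=' . $link . '>' . $name . '</a>';
}

// Remove one entry. Returns the number of rows deleted so the caller can tell
// "nothing matched" from "done" from "duplicates removed".
function deleteEntry(mysqli $db, string $member, string $link, string $name): int
{
    // The values travel separately from the SQL text, so quotes, angle
    // brackets or backslashes typed into the form cannot change the statement.
    $stmt = $db->prepare('DELETE FROM table2 WHERE member = ? AND name = ?');
    $stored = storedName($link, $name);   // bind_param takes variables by reference
    $stmt->bind_param('ss', $member, $stored);
    $stmt->execute();
    $deleted = $stmt->affected_rows;
    $stmt->close();
    return $deleted;
}

// Read one string field from $_POST; a missing field or an array is rejected.
function postField(string $key): ?string
{
    return isset($_POST[$key]) && is_string($_POST[$key]) ? $_POST[$key] : null;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $member = postField('member');
    $name   = postField('name');
    $link   = postField('link');
    if ($member === null || $name === null || $link === null) {
        http_response_code(400);
        exit('member, name and link are required.');
    }

    // Throw on any MySQL error instead of silently returning false.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname'); // placeholder credentials

    $deleted = deleteEntry($db, $member, $link, $name);
    $db->close();

    if ($deleted === 0) {
        echo 'No entry matched that member, name and link.';
    } else {
        echo $deleted, ' row(s) removed.';
    }
}
```

The returned row count is worth showing to the user: with a text-field form the three values have to match the stored row character for character, and a count of zero is the only signal that they did not. The form's Password field is not checked here because the thread does not show how that check is meant to work; whatever check the site applies belongs before the call to deleteEntry. The old mysql_* functions used in the thread were removed in PHP 7, so mysqli or PDO is required on any current PHP anyway.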

In this case, I really think it would be easier and quicker to just go ahead and create the form that will be used in the future now, instead of messing around with a form that has text fields that need to be filled manually. If anything is not exactly as it is in the db record, the query will fail, or may even delete records that you didn't intend to delete.

Yar, that's my opinion on the matter too; trying to do a delete that includes a hyperlink in a MySQL query is something that should just never happen.

Looking at the code again, I see the reason your delete query has syntax errors is the inner single quotes. If the value was assigned to a variable, and escaped properly with mysql_real_escape_string (all string data should be escaped), the parse error should be taken care of. However, that reinforces the case against using a form of text fields to delete records, because in the original insert the value didn't contain the inner single quotes, thus the delete would fail anyhow.

I'm thinking of making a short-term fix while I craft the new form by doing something like this instead, so it will essentially remove the $v_link part from earlier:

$query="DELETE FROM table2 WHERE member='$v_member' AND name LIKE '%{$v_name}%'";

Again, excessively risky, but it gets the people needing to do this off my back for the afternoon.
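An added example, not code from the thread, of the select-based delete form the replies recommend as the replacement for both the text-field form and the LIKE stopgap. The user picks an entry from a list read out of the database, and the delete acts on that row's id, so nothing typed by the user has to match the stored markup and no wildcard can widen the match. It assumes table2 has an auto-increment primary key column `id` (the thread lists only date, name, member, supervisor and note), a mysqli build with mysqlnd for get_result(), and the placeholder credentials shown.

```php
<?php
// Added example, not code from the thread: a delete form driven by a select
// list populated from the database. Assumptions: table2 has an auto-increment
// primary key `id` (not shown in the thread), mysqlnd is available for
// get_result(), and the placeholder credentials below.
declare(strict_types=1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // exceptions on MySQL errors
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname'); // placeholder credentials

// Entries belonging to one member: id plus the stored name, for the select list.
function listEntries(mysqli $db, string $member): array
{
    $stmt = $db->prepare('SELECT id, name FROM table2 WHERE member = ? ORDER BY id');
    $stmt->bind_param('s', $member);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Delete by id, still scoped to the member, so a forged id in the POST cannot
// reach another member's rows. Returns the number of rows removed (0 or 1).
function deleteById(mysqli $db, string $member, int $id): int
{
    $stmt = $db->prepare('DELETE FROM table2 WHERE id = ? AND member = ?');
    $stmt->bind_param('is', $id, $member);
    $stmt->execute();
    $n = $stmt->affected_rows;
    $stmt->close();
    return $n;
}

// Escape for HTML output. The name column holds raw <a ...> markup that came
// from a form, so it must never be echoed back unescaped.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$member = isset($_REQUEST['member']) && is_string($_REQUEST['member']) ? $_REQUEST['member'] : '';

if ($_SERVER['REQUEST_METHOD'] === 'POST' && $member !== '') {
    // Only an integer id is accepted; anything else is ignored rather than guessed at.
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    if ($id !== false && $id !== null) {
        $n = deleteById($db, $member, $id);
        echo $n === 1 ? '<p>Entry removed.</p>' : '<p>No matching entry.</p>';
    }
}

if ($member !== '') {
    // The select shows each entry's text with the anchor markup stripped; the
    // option value is the id, which is all the delete needs.
    echo '<form method="post" action="">';
    echo '<input type="hidden" name="member" value="' . h($member) . '">';
    echo '<select name="id">';
    foreach (listEntries($db, $member) as $row) {
        echo '<option value="' . (int) $row['id'] . '">'
           . h(strip_tags((string) $row['name'])) . '</option>';
    }
    echo '</select> <input type="submit" value="Delete selected">';
    echo '</form>';
} else {
    echo '<form method="get" action="">Member: <input type="text" name="member"> '
       . '<input type="submit" value="Show entries"></form>';
}
$db->close();
```

Two design points carry over from the discussion above. First, the WHERE clause keeps both id and member even though id alone identifies the row; that costs nothing and means a tampered hidden field cannot delete a row the form never listed. Second, the LIKE stopgap from the last post matches any row whose name contains the typed text, and `%` or `_` typed into the field act as wildcards, so a delete by id is the version to keep once the new form is in place. As in the thread's own form, whatever password or login check the site uses belongs before the delete is run.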
