Invidia Posted November 11, 2019

I'm working on an existing project. It's a mess, but for the moment I just have to get the delete function working, and I keep getting an error and I'm not sure what I'm missing. The query string is a mess, but that's a headache for another day. The target shouldn't be part of the query string, but that's how someone else had set it up, so for now I'm stuck trying to work with it as it is currently and just have to get some basic CRUD functionality going. The other minor snag is inconsistencies with the name of the primary key between tables. It's not consistently called 'ID', so I need to get both the key and value for the WHERE part of the DELETE statement. The query that I currently have is not working. Error 500, can't even get a simple var_dump to work.

Query string as it is in its present state:

somewbsite.com/endpoints/delete.php?target=TABLENAME&primaryKey=7

<?php
include('includes/config.php');

$table = $_GET['target'];
parse_str($_SERVER['QUERY_STRING'], $data);
array_shift($data);

$cols = array_keys($data);
$vals = array_values($data);

$idType = $cols[0];
$id = $vals[0];

$stmt = $pdo->prepare("DELETE FROM SOME_DATABASE.$table WHERE $idType = '$id';");
$status = $stmt->execute();

if($status) {
    echo "Success";
} else {
    echo "Fail";
}
?>
Barand Posted November 11, 2019

Seriously!? You let anyone delete any record from any table just by putting values in a query string?

http://.../delete.php?target=user&username=admin

Brownie points for trying to use "prepare()", but your usage is wrong. The $id variable should not be in the query (that's the whole point of prepared statements). Use a placeholder instead and pass the id as a parameter:

$stmt = $pdo->prepare("DELETE FROM SOME_DATABASE.$table WHERE $idType = ?");
$status = $stmt->execute( [$id] );
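A worked version of the hardening Barand describes, added here as an example and not code posted by anyone in the thread. It binds the id as a parameter (so a value such as ' OR '1'='1, which the original string-built query would have turned into WHERE col = '' OR '1'='1', is just a literal that matches nothing and is rejected before that anyway) and, because placeholders cannot stand in for table or column names, checks the target table and its key column against a hard-coded allow-list. The table names, key column names and the in-memory SQLite setup are assumptions made for the demo; the real project would use its own table map and its $pdo from config.php.

```php
<?php
// Added example, not code from the original thread. The id travels as a
// bound parameter, never inside the SQL text. Identifiers (table and key
// column) cannot be bound, so they are validated against an allow-list
// before being placed in the statement. Table/column names are assumptions.
declare(strict_types=1);

// Assumed map of deletable tables to their primary key column. A request
// naming anything else (e.g. ?target=user&username=admin) is refused,
// whatever the query string says.
const DELETABLE = [
    'products'  => 'product_id',
    'customers' => 'customer_id',
    'orders'    => 'ID',
];

function deleteRow(PDO $pdo, string $table, string $idColumn, string $id): int
{
    // Identifier check: both names must match the allow-list exactly.
    if (!isset(DELETABLE[$table]) || DELETABLE[$table] !== $idColumn) {
        throw new InvalidArgumentException('Table or key column not deletable');
    }
    // The key value must look like an integer primary key; anything else
    // (including injection payloads) is rejected without reaching the DB.
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('Primary key must be a positive integer');
    }

    // Identifiers are backtick-quoted only after validation; the value is bound.
    $sql  = sprintf('DELETE FROM `%s` WHERE `%s` = :id', $table, $idColumn);
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':id' => (int) $id]);
    return $stmt->rowCount();
}

// Demo on an in-memory SQLite database with constructed rows
// (SQLite accepts backtick-quoted identifiers like MySQL does).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (product_id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO products VALUES (7, 'widget'), (8, 'gadget')");

// Legitimate request, equivalent to ?target=products&product_id=7
echo deleteRow($pdo, 'products', 'product_id', '7'), " row(s) deleted\n";

// Injection attempt: with the original interpolated query this would have
// become WHERE product_id = '' OR '1'='1' and emptied the table.
try {
    deleteRow($pdo, 'products', 'product_id', "' OR '1'='1");
} catch (InvalidArgumentException $e) {
    echo "Rejected: ", $e->getMessage(), "\n";
}

// Barand's example URL: ?target=user&username=admin, stopped by the allow-list.
try {
    deleteRow($pdo, 'user', 'username', 'admin');
} catch (InvalidArgumentException $e) {
    echo "Rejected: ", $e->getMessage(), "\n";
}
```

To wire this into the existing endpoint, pull the table from $_GET['target'] and the key name/value from the parsed query string exactly as the original code does, then call deleteRow() with those three strings; the allow-list is what makes the "target in the query string" layout survivable until it can be redesigned. Authorisation (who may delete which rows) is a separate check that still has to sit in front of this.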