Delete not working

[Invidia]

I'm working on an existing project, it's a mess but for the moment I just have to get the delete function working, but keep getting an error and I'm not sure what I'm missing.

The query string is a mess, but that's a headache for another day. The target shouldn't ge part of the query string, but that's how someone else had set it up so for now I'm stuck trying to work with it as it is currently and just have to get some basic CRUD functionality going. The other minor snag is inconsistencies with the name of the primary key between tables. It's not consistently called 'ID" so I need to get both the key and value for the where part of the DELETE statement. The query that I currently have is not working. Error 500, can't even get a simple var_dump to work.

 

Query string as it is in its present state:

Quote

somewbsite.com/endpoints/delete.php?target=TABLENAME&primaryKey=7

<?php

include('includes/config.php');
$table = $_GET['target'];

    parse_str($_SERVER['QUERY_STRING'], $data);
    array_shift($data);

    $cols = array_keys($data);
    $vals =  array_values($data);
    $idType = $cols[0];
    $id = $vals[0];

    $stmt = $pdo->prepare("DELETE FROM SOME_DATABASE.$table WHERE $idType = '$id';");
    $status = $stmt->execute();
    if($status)
    {
		echo "Success";
    }
    else
    {
        echo "Fail";
    }
?>

 

[Barand]

Seriously!? You let anyone delete any record from any table just by putting values in a query string?

http://.../delete.php?target=user&username=admin

Brownie points for trying to use "prepare()" but your usage is wrong. The $id variable should not be in the query (that's the whole point of prepared statements). Use a placeholder instead and pass the id as a parameter

$stmt = $pdo->prepare("DELETE FROM SOME_DATABASE.$table WHERE $idType = ?");
$status = $stmt->execute( [$id] );