Query to delete comment - php

So, I almost have my delete function working: I have the page loading correctly without any fatal errors, but it's still not doing the trick.
Here is the portion of my while loop:
echo "<a href='http://www.###$#%##%#.org/Profile.php?id=".$prof->id."'>";
echo " delete";
echo "</a>";
And here's the portion of my query which is obviously wrong:
$query = "UPDATE `ProfileComments` SET `status` = 'dead' WHERE `id` = '".$prof->id."' LIMIT 1";
So, how do I get this to delete the comment on the page? And mark the status dead in the database?

From your SQL it looks like you are doing a soft delete, which is fine. Your select statement needs to exclude comments that have a status of 'dead':
SELECT columns FROM ProfileComments WHERE status != 'dead' AND id = {$prof->id}
Of course that's a guess without seeing how you populate prof->id when you generate the link.
There's a couple of other problems with your post though:
As others have suggested, you should use parameterized queries; otherwise you leave yourself open to SQL injection.
You shouldn't be doing the delete via a GET request (using a naked anchor). Either do the delete using AJAX or via a form. Modifying server data via a GET is a bad practice.
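The soft delete described in this answer, as an added example that is not the asker's or the answerer's code: the delete is accepted only from a POST form, both statements are prepared with bound parameters, and the listing query filters out dead rows. It assumes a PDO connection, that `ProfileComments` also has `profile_id` and `body` columns (not stated in the thread), and leaves the question of who is allowed to delete which comment to the application.

```php
<?php
// Added example (not from the original post): a soft delete done the way the
// answer above recommends - via a POST form rather than a bare GET link, and
// with prepared statements instead of string-built SQL.
// Assumptions: a PDO connection, the `ProfileComments` table with `id` and
// `status` columns, plus `profile_id` and `body` columns (not in the thread).
declare(strict_types=1);

/** Mark one comment dead; returns the number of rows changed (0 or 1). */
function soft_delete_comment(PDO $pdo, int $commentId): int
{
    $stmt = $pdo->prepare(
        "UPDATE ProfileComments SET status = 'dead' WHERE id = :id AND status <> 'dead'"
    );
    $stmt->execute([':id' => $commentId]);
    return $stmt->rowCount();
}

/** Fetch the comments still visible on a profile, excluding soft-deleted ones. */
function live_comments(PDO $pdo, int $profileId): array
{
    $stmt = $pdo->prepare(
        "SELECT id, body FROM ProfileComments WHERE profile_id = :pid AND status <> 'dead' ORDER BY id"
    );
    $stmt->execute([':pid' => $profileId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- request handling (connection details are placeholders) ---------------
$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // surface SQL errors instead of failing silently
]);

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['delete_id'])) {
    $id = filter_input(INPUT_POST, 'delete_id', FILTER_VALIDATE_INT);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('bad id');
    }
    // Whether this viewer may delete this comment is an authorization check the
    // thread does not cover; it belongs here, before the update runs.
    $changed = soft_delete_comment($pdo, $id);
    // 0 rows changed means the id did not exist or was already dead.
    error_log("soft delete of comment $id changed $changed row(s)");
    header('Location: Profile.php?id=' . (int) ($_POST['profile_id'] ?? 0));
    exit;
}

$profileId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT) ?: 0;
foreach (live_comments($pdo, $profileId) as $row) {
    echo htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8');
    // The delete control is a form, so a crawler or link prefetch cannot trigger it.
    echo '<form method="post">'
       . '<input type="hidden" name="delete_id" value="' . (int) $row['id'] . '">'
       . '<input type="hidden" name="profile_id" value="' . $profileId . '">'
       . '<button type="submit">delete</button></form>';
}
```

`rowCount()` on the UPDATE is what tells you whether the "delete" did anything; the original code had no way to see a silent zero-row match.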

Just because you're not seeing fatal errors doesn't mean your code behaves the way you want it to.
Examine the content of $prof->id by putting it through var_dump and then die inside the loop; this will let you check what the property holds at the moment you want to print it out.
The same thing applies in your query, var_dump to see what it contains.

Not seeing more of your code (and not knowing your experience level), I'm not sure where you actually need help, so forgive me if my question/advice is obvious and too basic for you:
How is $prof->id getting populated in Profile.php? Are you pulling it off of the request (like so: $id = $_REQUEST["id"])?
And as Michael said, do please use parameterized queries. (If you don't care about children, at least think of the kittens!)

Your SQL statement looks fine, and the HTML code is fine too. To locate the problem:
You need to make sure your SQL is getting the right parameter, the id in this case. Just echo it out; if the id is missing or wrong, you know $prof->id needs fixing.
Also check the link dumped by your PHP: again, does it contain the right id?
Make sure you don't have any errors before you execute the SQL; basically make sure that the SQL query statement is actually called, and make sure your DB connection is live.
When a MySQL statement is wrong it won't throw a fatal error; you need to print the error yourself with mysql_error().

Related

Add comments to mysql queries (php -> mysql-db)

I've got a website with a lot of functions and calculations, and it grows every day. Calculation errors are getting harder to solve as my logs are really big.
The website is used by employees, so there is a lot of traffic between the website and the mysql database. Is it possible in any way to append comments to the queries so they show up in the log-files?
The standard ones (I guess #..#) get lost after the query is parsed by the MySQL server.
I'm just trying to get a better overview of my log files.
For example it could be something like this:
$query = "UPDATE something SET column = 'input' WHERE ... #ticket-calc#";
$result = mysql_query($query, $db) or die(mysql_error());
I would like 'ticket-calc' to show up for this query in the log files.
Everything I tried hasn't worked. It looks like the server is saving just the raw command without anything appended.
I also thought about just comparing a string (the comment) with 'true', which shouldn't change the general query:
[query] ... AND 'ticket-calc'= true
I hope there is a more clean way to get it.
Solved this by using /* comment */. Thanks!
I have the same approach to log (in MySQL) where my queries are in the database. I use "--" to solve the problem.
$pdo->exec("-- GETTING USERS");
$stmt->execute();
By the way, it is better to make all logs in your application, including logs of queries, i.e.:
file_put_contents('/path/to/query.log', 'TRY TO EXECUTE QUERY: ' . $stmt->queryString . PHP_EOL, FILE_APPEND); // log file path is a placeholder
$stmt->execute();
As none of the people who helped me out in the comments want to post their solutions as an answer, I'll do so to get this topic closed.
I'm using /* .. */ to mark my queries.
Thanks for the help #AlexGreg, #davidkonrad and #davidkonrad.
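The tagging approach the asker settled on, combined with the application-side logging the other answer suggests, as an added example (not code from anyone in this thread). It assumes a PDO connection, a writable log file (the path is a placeholder) and a table `something` with columns `amount` and `id`; the tag is restricted to a safe character set so that it can never contain `*/` and close the comment early.

```php
<?php
// Added example, not code from the original thread: a thin wrapper that
// prefixes each statement with a /* tag */ comment and writes its own
// application-side log line before executing. Assumes a PDO connection;
// QUERY_LOG and the table/columns are placeholders.
declare(strict_types=1);

const QUERY_LOG = '/var/log/app/queries.log'; // placeholder path

/**
 * Run $sql with $params, prefixed by a comment naming the calling feature.
 * mysqli/PDO send the statement text to the server verbatim, so the comment
 * is what the server's general/slow query log records for this statement
 * (it is the mysql command-line client that strips comments by default).
 */
function tagged_query(PDO $pdo, string $tag, string $sql, array $params = []): PDOStatement
{
    // Restrict the tag so it can never contain "*/" and alter the statement.
    if (!preg_match('/^[A-Za-z0-9_.:-]{1,64}$/', $tag)) {
        throw new InvalidArgumentException("bad query tag: $tag");
    }
    $tagged = "/* $tag */ $sql";

    // Application-side log: tag, statement and bound values, one line per query.
    file_put_contents(
        QUERY_LOG,
        date('c') . " [$tag] " . $sql . ' ' . json_encode($params) . PHP_EOL,
        FILE_APPEND | LOCK_EX
    );

    $stmt = $pdo->prepare($tagged);
    $stmt->execute($params);
    return $stmt;
}

$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Both the MySQL server log and queries.log now show which feature ran this.
$stmt = tagged_query(
    $pdo,
    'ticket-calc',
    'UPDATE something SET amount = :v WHERE id = :id',
    [':v' => 'input', ':id' => 42]
);
echo $stmt->rowCount(), " row(s) updated\n";
```

Keeping the tag out of the bound values and validating it is what keeps the comment from becoming a second injection point, since it is the one part of the statement that is still built by string concatenation.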

PHP MySQLi possible issue with escaped parameter in escaped statement?

This is something I have been trying to figure out for a bit; it is the simplest of queries, and it does not seem to want to work for me (only in PHP mysqli; it works in console SQL).
First I am using a prepared statement, merely looking for a match on a specialized id (from another service) to update the relation to use my primary key for easier searching on my end.
The query is as follows:
$query = "SELECT id
FROM {$this->config->dbprefix}{$table}
WHERE sf_id = ?
LIMIT 1";
I use this as one line, I split it up for better readability here
I then check that the prepared statement is valid (I do this in multiple places and it works everywhere else).
if(!($ret = $this->dbo->prepare($query))){
//handle error, this part is never called
}else{
//everything is fine, code in here is below
}
Up to here everything seems fine. Checking table and prefix manually shows they are working and referencing the proper table.
$ret->bind_param('s',$id);
$ret->execute();
$ret->bind_result($retId);
$ret->fetch();
$count = $ret->num_rows;
The problem is here, the query always returns 0 for the num_rows. Checking the query manually and trying it in console returns 1 result as it should. So far with it being such a simple query I just cannot wrap my head around why it would work elsewhere, but not here. I am sure this is the proper way to build it (I have many other queries structured similar).
Is there any kind of confusion I may be experiencing? Something easy to miss that could cause a query like this to not return results?
EDIT:
I have attempted further error handling, and trying an if test on execute does not trigger an error, though I will try more.
To expand: I have a raw output of the $query variable and the id variable. By combining them and manually attempting the query in the console I get the proper result. My thought is that somehow the prepared statement is escaping, causing the string variable $id to not properly match. Though that is just speculation.
You need to call store_result() before trying to access num_rows. Without it, the statement handle does not know how many rows are in the result set.
$ret->bind_param('s',$id);
$ret->execute();
$ret->bind_result($retId);
$ret->store_result();
$count = $ret->num_rows;
// perhaps add error handling based on number of rows here
$ret->fetch();
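The lookup from the question with the call order the answer gives (execute, store_result, num_rows, bind_result, fetch), as an added example that is not the asker's code. It assumes a mysqli connection, a table with `id` and `sf_id` columns, and, because identifiers cannot be bound as parameters, that `$table` is checked against a whitelist (the whitelist contents are made up); error reporting is switched on so a failed prepare or execute throws rather than returning false unnoticed.

```php
<?php
// Added example, not the asker's code: prepared SELECT with the correct
// store_result()/num_rows order and mysqli exceptions enabled.
// Assumes a mysqli connection and a table with `id` and `sf_id` columns;
// the table whitelist below is constructed for the example.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

/** Return the local id for an external sf_id, or null if there is no match. */
function find_local_id(mysqli $db, string $prefix, string $table, string $sfId): ?int
{
    // Table names cannot be bound, so only accept names we know (assumed list).
    $allowed = ['accounts', 'contacts'];
    if (!in_array($table, $allowed, true)) {
        throw new InvalidArgumentException("unknown table: $table");
    }

    $stmt = $db->prepare("SELECT id FROM `{$prefix}{$table}` WHERE sf_id = ? LIMIT 1");
    $stmt->bind_param('s', $sfId);
    $stmt->execute();
    $stmt->store_result();          // buffer the result set client-side ...
    if ((int) $stmt->num_rows === 0) { // ... so num_rows is known before fetching
        $stmt->close();
        return null;
    }
    $stmt->bind_result($localId);
    $stmt->fetch();
    $stmt->close();
    return (int) $localId;
}

$db = new mysqli('localhost', 'user', 'pass', 'app'); // placeholder credentials
$id = find_local_id($db, 'app_', 'accounts', '001A000001XYZ'); // constructed sf_id
var_dump($id); // int(...) on a match, NULL when no row has that sf_id
```

Without `store_result()` the rows stay on the server and `num_rows` is 0 regardless of the match, which is exactly the symptom in the question; it is not the parameter being escaped.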

Mysqli DELETE not working with variable

I'll jump straight into it. Using PHP I'm having a problem deleting a record from the database if I use a variable as the value. The line of code below works perfectly:
mysqli_query($con,"DELETE FROM highScores WHERE Name='David'");
But the name of the user will change, therefore I need to declare it as a variable. I've tried all kinds of variations but nothing seems to work. My latest failed attempt was the code below, which is the way I declare a variable when I'm inserting:
mysqli_query($con,"DELETE FROM highScores WHERE Name='{$name}'");
In situations like this it is good to check that variables actually contain what you expect them to. I also find that echoing entire query strings is a good way to find out why a query isn't working.
$sqlquery = "DELETE FROM highScores WHERE Name='{$name}'";
// have a look at the query...
echo "<pre>$sqlquery</pre>";
// use it...
mysqli_query($con,$sqlquery);
I should warn you that if $name comes from somewhere untrusted, such as a publicly viewable html form, then it needs to be made 'safe' before using it in a query. Look into 'prepared statements'. Once you know your code is correctly populating your variable, make sure it is made safe before putting it in your query.
I'm not sure if..
{$variable} is valid in a query.
The way I insert a variable into a query is called concatenation:
mysqli_query($con,"DELETE FROM highScores WHERE Name='" . $name . "'");
The period adds 2 strings together.
However, what you're trying to do is vulnerable to SQL injection. If I were you, I'd be careful on what could be inside $name.
EDIT: My mistake, I'm used to a class that inserts the quotes for me.
Try this to get it running:
mysqli_query($con,"DELETE FROM highScores WHERE Name='".$name."'");
Make sure $name is a properly formed string like string(5) "David", otherwise it might not lead to the desired results or may even break your query completely. You can make sure of this if you use mysqli_real_escape_string like this:
$name = mysqli_real_escape_string($con,$name);
before you execute the query
I landed here while searching for solutions to the same problem, but just discovered my database user didn't have delete privileges. I had earlier removed this privilege for security reasons.

My php script shows results as deleted, yet phpmyadmin shows results still

I wrote a script for someone where they can easily delete quiz results from a database. The general gist of the script is user enters a username, php script queries the database for quiz results pertaining to the username. Then displays results
User can click delete link. Once this link is clicked, the results are then deleted and the database is re-queried showing updated results.
Everything seems to work fine on this end until I log into phpMyadmin to see that none of the results were deleted.
Question is can this be something wrong with the database itself? Or PHPmyAdmin?
Is there something wrong with how I'm doing my script?
Here is my code in this text file: http://andreawine.ladev.co/code-example.txt
$query1 = "DELETE FROM aw_wpsqt_user_data WHERE quizID='".$_GET['quizID']." AND username='".$_GET['username']."'";
It appears that this line is missing a closing quotation mark around quizID. Try correcting it to be:
$query1 = "DELETE FROM aw_wpsqt_user_data WHERE quizID='".$_GET['quizID']."' AND username='".$_GET['username']."'";
I should also mention that this isn't exactly the safest way to delete information, since it appears that I could use SQL injection for most of these fields (especially considering these $_GET variables appear on the URI!). Take a look at http://codex.wordpress.org/WordPress_Coding_Standards#Formatting_SQL_statements for WordPress's standards for SQL statements.
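The two deletes from this thread and the "Mysqli DELETE not working with variable" thread above, as one added example (not code from any of the posters): both use mysqli prepared statements, which removes the missing-quote mistake the answer spotted as well as the injection risk both threads warn about. Error reporting is turned on so that a failed statement (bad SQL, a DB user without DELETE privilege as in the last comment of the earlier thread, a dropped connection) raises an exception instead of returning false, and `affected_rows` distinguishes "ran but matched nothing" from "failed". It assumes a mysqli connection and the two tables as named in the threads; connection details are placeholders.

```php
<?php
// Added example, not code from either thread: prepared DELETEs with mysqli,
// exceptions enabled, affected_rows reported. Assumes the tables
// `highScores(Name)` and `aw_wpsqt_user_data(quizID, username)` from the
// threads and placeholder connection details.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Delete one player's high scores; returns how many rows actually went away. */
function delete_high_scores(mysqli $con, string $name): int
{
    $stmt = $con->prepare('DELETE FROM highScores WHERE Name = ?');
    $stmt->bind_param('s', $name);      // value travels separately, never spliced into SQL
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

/** Delete one user's results for one quiz; returns rows deleted. */
function delete_quiz_results(mysqli $con, int $quizId, string $username): int
{
    $stmt = $con->prepare('DELETE FROM aw_wpsqt_user_data WHERE quizID = ? AND username = ?');
    $stmt->bind_param('is', $quizId, $username);
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

$con = new mysqli('localhost', 'user', 'pass', 'app');

// Deletes change server state, so accept them only from a POST form, not a GET link.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('use POST');
}
$quizId   = filter_input(INPUT_POST, 'quizID', FILTER_VALIDATE_INT);
$username = $_POST['username'] ?? '';
if ($quizId === false || $quizId === null || $username === '') {
    http_response_code(400);
    exit('missing quizID or username');
}

try {
    $n = delete_quiz_results($con, $quizId, $username);
    // 0 is not an error: the statement ran but matched nothing, which is the
    // case a later look in phpMyAdmin reveals as "still there".
    echo "deleted $n row(s)";
} catch (mysqli_sql_exception $e) {
    // e.g. "DELETE command denied to user ..." when the DB user lacks the privilege
    error_log('delete failed: ' . $e->getMessage());
    http_response_code(500);
    exit('delete failed');
}
```

`delete_high_scores()` is the same pattern for the earlier thread's `WHERE Name='{$name}'` query; with a bound parameter the question of whether `{$name}` or `'".$name."'` is the right interpolation no longer arises.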

MySQL increment value of attribute - misses sometimes(?)

I have a column called views in my table A. I want to increment the views column like so:
UPDATE A set views = views + 1 WHERE ID = blabla LIMIT 1;
This seems like the way to do it, at least to me.
Or so I thought.
Seems like when I (from PHP) do:
$views = get_viewcount($id);
$views++;
save_viewcount($id, $views); //here we just update views with the $views variable
This always works. But carries the penalty of an extra roundtrip to the DB with the get_viewcount and then incrementing it in PHP and sending it back. It always works.
The SQL statement above "sometimes" works. I know - I too hate the word "sometimes" in programming - but put another way, I cannot say WHEN but at times it doesn't increment it when I do it in SQL directly in one go.
Suggestions?
You need to isolate the bug in your system. It is very unlikely to be a problem with MySQL.
I would suggest running a ton of tests, and looking at database logs, etc. It is most likely the query is simply not getting executed due to some logic in your system, or due to the request dying/ending before it reaches the query.
You must be doing something wrong.
If you tell mysql:
UPDATE foo SET views = views+1 WHERE id = 1337;
it will increment it.
Try it on the command line.
Whatever code you're using to run the sql is failing, not the sql statement itself.
And what's the point of LIMIT=1 on an UPDATE query?
What I recommend doing is to set PHP to echo out the query it's running, the result it's getting back, etc., etc. Everything you possibly can. Look at SQL logs if applicable to see what queries are being run on what tables. Basically you need to see exactly where the fail point is.
When you state that the SQL statement sometimes works, is that on the basis of being called from your code, or being called via a mysql (assuming that is what you are using) prompt? If it's the former, have you tried running it in a command prompt to see if you get the same result as your code? If not, then you can rule out the database and start looking specifically at your code.
Good luck!
I would look at where and when you do your BEGIN TRANSACTION / COMMIT processing.
It could be you are not checking the SQL return code and missing a "DEADLOCK" warning.
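The two increment strategies from this thread side by side, as an added example that is not the asker's code, with the return-value and error checking the answers recommend. It assumes a PDO connection and the table `A` with columns `ID` and `views` from the question; connection details are placeholders.

```php
<?php
// Added example, not from the thread: read-modify-write versus a single
// atomic UPDATE, with row counts and exceptions checked. Assumes a PDO
// connection and table `A(ID, views)`; connection details are placeholders.
declare(strict_types=1);

/**
 * Read-modify-write, as in the question's get_viewcount/save_viewcount pair.
 * Two requests that interleave (both read 10, both write 11) lose a count;
 * it "always works" only because each request sees its own write land.
 */
function increment_views_roundtrip(PDO $pdo, int $id): void
{
    $sel = $pdo->prepare('SELECT views FROM A WHERE ID = :id');
    $sel->execute([':id' => $id]);
    $views = (int) $sel->fetchColumn();
    $upd = $pdo->prepare('UPDATE A SET views = :v WHERE ID = :id');
    $upd->execute([':v' => $views + 1, ':id' => $id]);
}

/**
 * Single atomic statement: the server reads and writes the column under its
 * own row lock, so concurrent requests cannot overwrite each other's increment.
 * Returns the number of rows affected so the caller can see when the UPDATE
 * ran but matched nothing (unknown ID), the usual cause of "sometimes".
 */
function increment_views_atomic(PDO $pdo, int $id): int
{
    $stmt = $pdo->prepare('UPDATE A SET views = views + 1 WHERE ID = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->rowCount();
}

$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // a failed UPDATE throws instead of returning false
]);

$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT) ?: 0;
try {
    $affected = increment_views_atomic($pdo, $id);
    if ($affected === 0) {
        error_log("views increment matched no row for ID $id"); // query ran; WHERE missed
    }
} catch (PDOException $e) {
    // Deadlock (MySQL error 1213) and lock-wait timeout (1205) surface here;
    // without ERRMODE_EXCEPTION they are lost unless the return value is checked.
    error_log('views increment failed: ' . $e->getMessage());
}
```

Because `views = views + 1` always changes the row, `rowCount()` equals the number of rows matched here, so a zero is a reliable sign that the ID did not exist when the statement ran.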