-4

It just doesn't seem to be working; this is my delete:

<?php

$username = $_GET["username"];

include 'config.php';

mysql_query("DELETE FROM users
    WHERE username = ".$username);
echo 'successfully deleted user';
//header("Location: panel.php");

?>

and this is my row file

<?php
$query = 'SELECT * FROM users';
$result = mysql_query($query);
while ($row = mysql_fetch_array($result)) {
    echo ' <tr> ';
    echo ' <td> ';
    echo $row['username'];
    echo ' <td> ';
    echo $row['time'];
    echo ' <td> ';
    echo $row['amount'];
    echo ' <td> ';
    echo $row['price'];
    echo '<form  action="/delete_user.php" method="POST">';
    echo '<td>';
    echo '<input type="submit" name="'.$row['username'].'" value="delete"/>';
    echo '</form>';
}
?>

When I go to delete_user.php?username=test it prints the echo message, but it doesn't actually delete the user from the table.

Brian Tompsett - 汤莱恩

4 Answers

1

Add quotes around $username and sanitize the input:

mysql_query("DELETE FROM users
    WHERE username = '".mysql_real_escape_string($username)."'");
echo 'successfully deleted user';

BTW, at this stage you should forget about mysql_ functions and switch to PDO or mysqli prepared statements. Otherwise you are making your code vulnerable and obsolete.

n-dru
1

Likely because you have not put your username in quotes:

$query = sprintf("DELETE FROM users WHERE username = '%s';", $username);
mysql_query($query);
echo 'successfully deleted user';

However, this is open to SQL injection as a username could be submitted containing a quote and manipulate your database. To be safe, it is better to escape your data before manipulating the database with it:

$escapedUsername = mysql_real_escape_string($username);
$query = sprintf("DELETE FROM users WHERE username = '%s';", $escapedUsername);
mysql_query($query);
echo 'successfully deleted user';

This way you protect yourself against SQL attacks. Be warned mysql_* functions are deprecated (soon to be removed completely), so potentially research into mysqli_ or PDO methods for future database communication.

Good luck.

Dan Belden
0

You failed to quote the $username variable in your code. To successfully execute the query, you have to quote the $username variable as so

mysql_query ("DELETE FROM users WHERE username = '".$username. "'");
NaijaProgrammer
0
<?php
if (isset($_POST["username"])) {
    include 'config.php'; // connect first: mysql_real_escape_string() needs an open connection
    $username = mysql_real_escape_string($_POST["username"]);

    if (mysql_query("DELETE FROM users WHERE username = '{$username}'"))
        echo 'successfully deleted user';
    else
        echo 'query error: '.mysql_error();
}
?>

P.S. Your code is susceptible to SQL injection (search Google about it). Also mysql_query() is deprecated and will be removed. http://php.net/manual/en/function.mysql-query.php

marc_s
besciualex
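Several of the answers above recommend dropping the mysql_* functions for PDO or mysqli prepared statements. The following is an added example, not code from the question or from any of the answers, showing delete_user.php rewritten with PDO. It assumes config.php creates a connection in a variable named $pdo, that the form sends the username in a field literally named "username" (the form in the question names the submit button after the username instead, so $_POST["username"] is never set), and that the calling page has already authenticated whoever is allowed to delete users.

```php
<?php
// Added example (not from the original question or answers): delete_user.php
// using PDO prepared statements instead of string-built SQL.
declare(strict_types=1);

include 'config.php'; // assumed to define $pdo = new PDO(...)

// Throw on errors instead of silently echoing "success" after a failed query,
// which is exactly what hid the bug in the original script.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

function deleteUser(PDO $pdo, string $username): int
{
    // The parameter travels to the server separately from the SQL text, so the
    // missing-quotes problem from the question cannot occur, and a username
    // containing quotes or SQL fragments is treated as plain data.
    $stmt = $pdo->prepare('DELETE FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);

    // rowCount() reports how many rows were really removed (0 means no match).
    return $stmt->rowCount();
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['username'])) {
    http_response_code(400);
    exit('username is required');
}

try {
    $deleted = deleteUser($pdo, (string) $_POST['username']);
    echo $deleted > 0
        ? 'successfully deleted user'
        : 'no user with that name';
} catch (PDOException $e) {
    // Keep driver details in the server log; the browser only sees a generic message.
    error_log('delete_user failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'query error';
}
```

For this to receive the value, the row file's form should carry the username in a hidden field, for example `<input type="hidden" name="username" value="<?php echo htmlspecialchars($row['username']); ?>">`, with a plain submit button next to it. Checking rowCount() rather than the bare return value is what distinguishes "the query ran" from "a user was actually deleted", which is the gap the original echo papered over.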