
This is my display page, which displays all the data from the database:

```php
<!DOCTYPE html>
<html>
    <head>
        <title></title>
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@4.6.1/dist/css/bootstrap.min.css">
        <script src="https://cdn.jsdelivr.net/npm/jquery@3.6.0/dist/jquery.slim.min.js"></script>
        <script src="https://cdn.jsdelivr.net/npm/popper.js@1.16.1/dist/umd/popper.min.js"></script>
        <script src="https://cdn.jsdelivr.net/npm/bootstrap@4.6.1/dist/js/bootstrap.bundle.min.js"></script>
    </head>
    <body>
        <div class="container">
        <div class="col-lg-12"><br>
            <h1 class="text-primary text-center">Display Table Data</h1>
            <table class="table table-striped table-hover table-bordered">
                <tr class="bg-dark text-white text-center">
                    <th>Username</th>
                    <th>Password</th>
                    <th>Delete</th>
                    <th>Update</th>
                </tr>

<?php
    include 'connect.php';

    $q = " select * from loginpage ";
    $query = mysqli_query($con,$q);
    while($res = mysqli_fetch_array($query)){
        // Values from the database are escaped before output:
        // htmlspecialchars() for HTML text, urlencode() for the query string.
?>

                <tr class="text-center">
                    <td><?php echo htmlspecialchars($res['username']) ?></td>
                    <td><?php echo htmlspecialchars($res['password']) ?></td>
                    <td><button class="btn-danger btn"> <a href="delete.php?id=<?php echo urlencode($res['username']) ?>" class="text-white"> Delete </a> </button></td>
                    <td><button class="btn-primary btn"> <a href="update.php?id=<?php echo urlencode($res['username']) ?>" class="text-white"> Update </a> </button></td>
                </tr>
<?php
    }
?>
            </table>

        </div>
        </div>

    </body>
</html>
```

This is my delete.php file which will delete the selected record by taking its id using get.

```php
<?php

include 'connect.php';
$id = $_GET['id'];
$q=" DELETE FROM `loginpage` WHERE username = $id  ";
mysqli_query($con, $q);
header('location:display.php');
?>
```

When I try to delete a record it gives me an error, which is:

```
Uncaught mysqli_sql_exception: Unknown column 'shubham' in 'where clause' in G:\Xampp\htdocs\delete.php:6
Stack trace:
#0 G:\Xampp\htdocs\delete.php(6): mysqli_query(Object(mysqli), ' DELETE FROM `l...')
#1 {main} thrown in G:\Xampp\htdocs\delete.php on line 6
```

  • 3
    You neglected to put a text value into quotes, so the query parser thinks you meant it to be a column name instead. – CBroe May 09 '22 at 13:06
  • 4
    You should really not be assembling queries containing data like this any more, but use _prepared statements_. – CBroe May 09 '22 at 13:06
  • 3
    **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/32391315) – Dharman May 09 '22 at 13:07
  • I couldn't understand what you said. Can you please explain where I have to make the change? – Shubham Mangaonkar May 09 '22 at 13:07
  • 1
    You need to bind `$id` to the prepared statement. Please research how to use prepared statements. The links I supplied should guide you there. – Dharman May 09 '22 at 13:08
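
What the comments describe, as an added example (not code from the question or from any commenter): `delete.php` with the value bound to a mysqli prepared statement instead of being concatenated into the query text. It assumes `connect.php` defines `$con` as in the question; the 400 response for a missing `id` is an addition of this example.

```php
<?php
include 'connect.php'; // assumed to define $con (a mysqli connection), as in the question

// The Delete link on the display page sends the username as ?id=...
$id = $_GET['id'] ?? '';
if (!is_string($id) || $id === '') {
    // Rejects a missing parameter and array input such as ?id[]=x
    http_response_code(400);
    exit('Missing id');
}

// The ? placeholder keeps the value out of the SQL text, so it can never be
// parsed as a column name (the "Unknown column" error) or as SQL syntax
// (the injection risk). Adding quotes around $id would fix only the former.
$stmt = mysqli_prepare($con, 'DELETE FROM `loginpage` WHERE username = ?');
mysqli_stmt_bind_param($stmt, 's', $id); // 's' = bind $id as a string
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);

header('Location: display.php');
exit;
```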
