将_POST变量传递给Mysql WHERE子句

Question

<?php
//Connect to DB
$dbcnx = @mysql_connect("$db_host", $db_user, "$db_password");
if (!$dbcnx) {
 echo( "<P>Unable to connect to the " .
    "database server at this time.</P>" );
 exit();
}
mysql_select_db("daily_audit", $dbcnx);
// Request the text of all the hosts
if(!empty($_POST['checklist'])) {
    foreach($_POST['checklist'] as $check) {
        $result = mysql_query(
           "DELETE FROM hosts_list WHERE IP_Address = %s ", $check);
if (!$result) {
 echo("<P>Error performing query: " .
     mysql_error() . "</P>");
 exit();
}
    }
}
?>

I am having an issue getting the following code to run. I have confirmed that the _POST variable contains data but I am pretty sure that there is an issue with how my SQL query is being process. Sorry I am a PHP n00b and I am trying to understand how I can correct this issue. I know that the query will likely require ' ' around the IP address which is making this tricky. Thanks all in advance.

Answer 1

The mysql_query function cannot format a string.

You were probably thinking of sprintf() :

$query = sprintf("DELETE FROM hosts_list
                  WHERE IP_Address = %s", mysql_real_escape_string($check));
$result = mysql_query($query);

Consider switching to PDO or mysqli , because the mysql extension is now deprecated.

Answer 2

mysql_query() can't format your query like that.

You're probably looking for sprintf() :

$result = mysql_query(
    sprintf("DELETE FROM hosts_list WHERE IP_Address = %s ", $check) );

Note that your code is vulnerable to SQL injection. You should always sanitize user input before using it in a database query. Better yet, switch to MySQLi / PDO and use prepared statements.