PHP / MYSQL按ID删除行
[英]PHP/MYSQL remove row by id
问题描述
I have a form that asks the user to enter in an exam id that they want to delete from the exam table in the DB. 
我有一个表格,要求用户输入要从数据库中的考试表中删除的考试ID。
The problem I am having is that even if the user enters in an id that does not match in the DB the script fires the else block completely ignoring the condition.
I may have implemented this wrong but as far as I am aware of i cannot see where I am wrong but I suspect that there is something I have done wrong in my if statment. 我可能已经犯了这个错误,但据我所知,我看不到哪里错了,但是我怀疑如果我的陈述中我做错了什么。
Here is my form that requires the user to enter an exam id for deletion 这是我的表格,要求用户输入考试ID才能删除
<form method = "post" action = "examDeleted.php">
<h1 class = "title">Delete Exam</h1>
<div class = "formContent">
<labeL for = "id">ID</labeL>
<input type = text name = "id" class = "input">
<br><br>
<br><br><br>
<input type = "submit" value = "Delete">
</div>
</form>`
This is passed to the function that contains the sql query to delete the record from the table 这传递给包含sql查询的函数,以从表中删除记录
<?php
include('dbLogin.php');
$id = trim($_POST['id']);
if($id != "")
{
$delete = "DELETE FROM exams WHERE id = '$id'";
$results = mysql_query($delete);
if(!$results)
{
die ("Cannot delete data from the database! " + mysql_error());
echo '<br><br>';
echo '<a href="home.html">Return</a>';
}
else
{
echo"Exam: $id has been deleted";
}
}
else
{
echo "No data entered! " . mysql_error();
}
?>
As you can see the condition !$results , to me it is saying if the record does not exist then kill the query else confirm the deletion. 如您所见, !$results条件对我来说是说如果该记录不存在,则终止查询,然后确认删除。 Is there an obvious reason why the inner if statment dosent get fired? 是否有内部理由解散剂量被解雇的明显原因?
1 个解决方案
解决方案1
1 已采纳 2014-07-27 09:04:58
DELETE statements are considered successful even if no rows were deleted. 即使没有删除任何行, DELETE语句也被认为是成功的。 (This is how SQL works in general; it's not MySQL-specific.) (这通常是SQL的工作方式;它不是特定于MySQL的。)
I would say that you should use mysql_affected_rows to find out how many rows were deleted, but as others have pointed out, you shouldn't be using the mysql_ functions at all, anyway . 我要说的是,您应该使用mysql_affected_rows来查找删除了多少行,但是正如其他人指出的那样,无论如何您都不应该使用mysql_函数 。
Your code as it stands is highly vulnerable to SQL injection attacks. 目前的代码极易受到SQL注入攻击的攻击。 If someone were to POST the following ID to examDeleted.php (remember, they don't have to use your form to do that, so any client-side checks can be bypassed): 如果有人将以下ID张贴到examDeleted.php中(请记住,他们不必使用您的表单来执行此操作,因此可以绕过任何客户端检查):
' OR 1 = 1 OR id = '
...I think it would probably delete every exam in your table, as your SQL statement would end up as: ...我认为这可能会删除表中的每项检查,因为您的SQL语句最终会显示为:
DELETE FROM exams WHERE id = '' OR 1 = 1 OR id = ' '
...which is a valid DELETE statement whose WHERE clause matches all your rows. ...这是有效的DELETE语句,其WHERE子句与您的所有行均匹配。
Using parameterised queries (available in the non-deprecated MySQL drivers like mysqli or PDO) would combat this issue. 使用参数化查询(可在未弃用的MySQL驱动程序(如mysqli或PDO)中使用)可解决此问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.