PHP MySQL delete row


I have searched everywhere and cannot find the answer. I believe I have the correct code but there could be a typo.

What is going wrong here?

I have the link that posts the product id correctly to the url as shown:

userAccount.php:

while($columnDelete = mysqli_fetch_array($query, MYSQLI_ASSOC)){
        echo "<section class='product'>
                <a href='extras/deleteProcess.php?productId=".$columnDelete['productId']."' class='deleteProduct' style='color:#990000;font-family:arial;font-weight:bold;font-size:12pt;background:transparent;'>Delete?</a>
                <section class='productImg'>
                    <a target='_self' href='fullProductInfo.php?productId=".$columnDelete['productId']."'>
                        <img src='http://www.littlepenguindesigns.co.uk/pages/CMX/images/products/".$columnDelete['productImg']."' alt='".$columnDelete['productName']."' border='0' width='230' height='200' border='0' />
                    </a>
                </section>
                <section class='productName'><a target='_self' href='fullProductInfo.php?productId=".$columnDelete['productId']."'>".$columnDelete['productName']."</a></section>
                <section class='productPrice'>&pound;".$columnDelete['price']."</section></section>";
    }

The $columnDelete['productId']; is posting the correct ID to the url and the deleteProcess.php page, I can see the productId in the URL and I have also echoed it out onto the page to check, it does show:

deleteProcess.php:

$productId = $_GET['productId'];
$con = mysqli_connect("BLAH","BLAH","BLAH","BLAH") or die('Server connection not possible.');
$sql = ("DELETE FROM `product` WHERE `product`.`productId`= $productId");
mysqli_query($con, $sql);

echo "Deleted product ID: $productId successfully.<br /><br /><br /><br /><br /><br /> <a href='../userAccount.php#deletion'>Go back to user account and delete another.</a>";

I cannot understand what is going on: the product gets called into deleteProcess.php and onto the page but doesn't delete, and it shows no errors either. As I'm newish to PHP and MySQL I thought I'd best research; as I came up with no answer I thought to ask, so can anybody tell me what I'm doing wrong or point me in the right direction?


Solution

  • $sql = ("DELETE FROM `product` WHERE `product`.`productId`= $productId");
    mysqli_query($con,$sql);
    

    to

    $sql = "DELETE FROM `product` WHERE `product`.`productId`= $productId";
    mysqli_query($con,$sql) OR DIE(mysqli_error($con)); //useful for debugging
    

    Warning! This code is vulnerable to SQL injection. Fix SQL injection by sanitizing all user input.

    $con = mysqli_connect("BLAH","BLAH","BLAH","BLAH") or die('Server connection not possible.');
    $productId = mysqli_real_escape_string($con, $_GET['productId']); // escape $_GET with the mysqli function; it needs the open connection, so connect first
    $sql = "DELETE FROM `product` WHERE `product`.`productId`= '$productId'"; // add single quotes around $productId to separate the string from the query
    mysqli_query($con, $sql);
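
The same deleteProcess.php written with a prepared statement, as an added example that is not part of the original answer. It assumes productId is an integer column; the connection values are the page's placeholders. It also reports success only when a row was actually removed, which the original page printed unconditionally.

```php
<?php
// Added example: deleteProcess.php using a parameterized DELETE.
// Assumption: `productId` is an integer primary key.

// Make mysqli throw exceptions so a failed query cannot pass silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Accept only a positive integer; anything else is rejected before the database is touched.
$productId = filter_input(INPUT_GET, 'productId', FILTER_VALIDATE_INT,
                          ['options' => ['min_range' => 1]]);
if ($productId === null || $productId === false) {
    http_response_code(400);
    exit('Invalid product ID.');
}

try {
    $con = mysqli_connect("BLAH", "BLAH", "BLAH", "BLAH");

    // The value travels separately from the SQL text, so it cannot alter the query's structure.
    $stmt = mysqli_prepare($con, "DELETE FROM `product` WHERE `productId` = ?");
    mysqli_stmt_bind_param($stmt, 'i', $productId);
    mysqli_stmt_execute($stmt);
    $deleted = mysqli_stmt_affected_rows($stmt); // 0 means no row matched
    mysqli_stmt_close($stmt);
    mysqli_close($con);
} catch (mysqli_sql_exception $e) {
    // Keep database details in the server log rather than sending them to the browser.
    error_log('deleteProcess.php: ' . $e->getMessage());
    http_response_code(500);
    exit('The product could not be deleted.');
}

// $productId is a validated integer here, so echoing it is safe.
if ($deleted === 1) {
    echo "Deleted product ID: " . $productId . " successfully.";
} else {
    echo "No product with ID " . $productId . " was found.";
}
echo "<br /><br /> <a href='../userAccount.php#deletion'>Go back to user account and delete another.</a>";
```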