I am sending values to a PHP form using the GET method. when I go to the URL, the link looks as follows:
http://www.url.com/getstuff.php?rid=sG94Ok5JtHQ&searcht=music&r=0
I am using the following function to handle the variables:
if (isset($_GET['rid'])) {
if($_GET['r'] == 0) {
echo $_GET['searcht'];
echo $_GET['rid'];
mysql_query('DELETE FROM flags WHERE searchText = "'.$_GET['searcht'].'" AND videoID = "'.$rid.'"');
} else
{
mysql_query('INSERT INTO removed (videoID) VALUES ("'.$_GET['rid'].'")');
mysql_query('DELETE FROM flags WHERE searchText = "'.$_GET['searcht'].'" AND videoID = "'.$rid.'"');
}
}
For some reason, the INSERT statement works above, but the delete statements do not do anything. When I echo mysql_error(), I am not getting anything either. I am sure the columns and table names are correct. Any help would be appreciated to help me get the delete statements working! Thanks!
A DELETE query will succeed, even if nothing was deleted. In your code, you use the $rid variable, which is never set. There is a $_GET['rid'] variable, so the fix is probably to either assign $rid to $_GET['rid'], e.g.
{
$rid = $_GET['rid'];
mysql_query('INSERT INTO removed (videoID) VALUES ("'.$_GET['rid'].'")');
mysql_query('DELETE FROM flags WHERE searchText = "'.$_GET['searcht'].'" AND videoID = "'.$rid.'"');
}
Or to change all instances of $rid to $_GET['rid'], e.g.
{
mysql_query('INSERT INTO removed (videoID) VALUES ("'.$_GET['rid'].'")');
mysql_query('DELETE FROM flags WHERE searchText = "'.$_GET['searcht'].'" AND videoID = "'.$_GET['rid'].'"');
}
Also, the mysql_ functions are deprecated, and you should use PDO/mysqli. Also, you don't sanitise your data anywhere (using intval or mysql_real_escape_string or similar), so you're quite open to SQL injection.