-2

When I go to produkdelete.php I can view the record that I want to delete, but when I confirm the delete, no record is deleted.

This is my script:

    $key = @$_GET["key"];
    case "I": // Get a record to display
        $tkey = $key;
        $strsql = "SELECT * FROM `produk` WHERE `id`=".$tkey;
        $rs = mysql_query($strsql, $conn) or die(mysql_error());
        if (mysql_num_rows($rs) == 0)
        {
            ob_end_clean();
            header("Location: "."produklist.php");
        }
        $row = mysql_fetch_assoc($rs);
        $x_id = $row["id"];
        $x_kdprod = $row["kdprod"];
        $x_namaprod = $row["namaprod"];
        $x_diskripsi = $row["diskripsi"];
        $x_harga = $row["harga"];
        mysql_free_result($rs);
        break;
    case "D": // Delete
        // Open record
        $tkey = $key;
        $strsql = "DELETE FROM `produk` WHERE `id`=".$tkey;
        $rs = mysql_query($strsql, $conn) or die(mysql_error());
        mysql_free_result($rs);
        mysql_close($conn);
        ob_end_clean();
        header("Location: produklist.php");
        break;

The key variable is sent from "produkdelete.php?key=".urlencode($row["id"]);

And every time I run this, the output just comes out like this:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '=' at line 1

asked Dec 27, 2014 at 20:45
7
  • 2
    Have you tried dumping out what the SQL statement being attempted actually is? Commented Dec 27, 2014 at 20:47
  • What does var_dump($tkey) show? Commented Dec 27, 2014 at 20:48
  • Try produkdelete.php?key=1 OR 1=1 Commented Dec 27, 2014 at 20:48
  • 1
    mysql_ functions are deprecated, please use mysqli or PDO instead of mysql_ functions. Commented Dec 27, 2014 at 20:49
  • 1
    Wow! So. Many. Dangerous. Stuff?! Error suppressing?! Commented Dec 29, 2014 at 16:55

1 Answer

0

In SQL Management Studio this won't run.

    $strsql = "DELETE FROM `produk` WHERE `id`=".$tkey;

Lose the ` and it should execute.

With PDO for added security (explanation below)

    $myServer = "put url to your server here";
    $myDB = "put name of database here";
    $name = "login name db";
    $pw = "password db";
    try
    {
        $dbConn = new PDO("mysql:host=$myServer;dbname=$myDB", $name, $pw);
    }
    catch( PDOException $Exception )
    {
        //Uncomment code to show error
        //var_dump($Exception);
    }
    // Prepare $sql on the given connection and execute it with the bound
    // arguments; the statement is returned so the caller can fetch rows.
    function doPDOQuery($dbConn, $sql, $queryArguments = array())
    {
        $sth = $dbConn->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
        $sth->execute($queryArguments);
        return $sth;
    }
    $sql = 'SELECT * FROM produk WHERE id= :id';
    doPDOQuery( $dbConn, $sql, array(":id" => $tkey) );

This should execute on your server. It's using the PDO module for creating prepared queries. That means that the query itself is created by the database-driver itself. This prevents SQL-injection. This is a reason why MySQL_functions are deprecated.

For delete, update and insert the code above is sufficient. You need to do a $sth->fetchAll() to retrieve rows from a select.

Why are PHP's mysql_ functions deprecated?

answered Dec 27, 2014 at 20:53

1 Comment

@EdyPrasetyo You've made an edit to my answer, to provide a comment. Please use the add comment button. I think your local webserver is no longer supporting mysql_query. Please switch to PDO or mysqli
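
An added example, not part of the original question or answer: the delete step with the key validated as a positive integer and then bound through a PDO prepared statement, so a missing key is rejected before any SQL is built (concatenation would leave the statement ending in `id=`) and a key carrying extra SQL never reaches the query. The helper names `parseKey` and `deleteProduk`, the sample rows, and the in-memory SQLite DSN (used so it runs without a server; swap in the `mysql:` DSN from the answer) are assumptions.

```php
<?php
// Added example. Constructed table and rows; in-memory SQLite stands in
// for the MySQL database so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // fail loudly
$db->exec('CREATE TABLE produk (id INTEGER PRIMARY KEY, kdprod TEXT, namaprod TEXT)');
$db->exec("INSERT INTO produk (id, kdprod, namaprod) VALUES
           (1, 'P001', 'Kopi'), (2, 'P002', 'Teh'), (3, 'P003', 'Gula')");

// Hypothetical helper: accept the key only if it is a positive integer.
function parseKey($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hypothetical helper: delete one row by id. Returns the number of rows
// deleted, or null when the key was rejected before any SQL was built.
function deleteProduk(PDO $db, $rawKey): ?int
{
    $id = parseKey($rawKey);
    if ($id === null) {
        return null;
    }
    // The statement text is fixed; the id travels separately as a bound value.
    $sth = $db->prepare('DELETE FROM produk WHERE id = :id');
    $sth->bindValue(':id', $id, PDO::PARAM_INT);
    $sth->execute();
    return $sth->rowCount();
}

// Constructed inputs: a valid key, a missing key, an empty string, and the
// key from the comment thread that carries extra SQL.
foreach (['2', null, '', '1 OR 1=1'] as $raw) {
    $result = deleteProduk($db, $raw);
    printf(
        "key=%-12s -> %-9s rows left: %d\n",
        var_export($raw, true),
        $result === null ? 'rejected' : "deleted $result",
        $db->query('SELECT COUNT(*) FROM produk')->fetchColumn()
    );
}
```

Only the first input deletes a row; the other three are rejected and the table keeps its remaining two rows.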
