Delete certain records in a database

[bddotnet]

I have a form that allows the user to specify which record in the table that they want to delete. When they enter a number, it deletes ALL records in the table. I only want to delete the ID# that the user enters on the form.

Why doesn't this work?

PHP Code:

DELETE FROM workorders WHERE ID = '$ID 


[mitchind]

It's likely that your PHP code is not concatenating the SQL command string the way you assume it is. Without your actual code it's hard to tell, but I know I've falled into the trap before where I copy/paste a string command - then forget to insert the concatenate operator on the same string to make it join both lines.

[bddotnet]

OK. Here is the form:

HTML Code:

<form name="form3" method="post" action="">

PHP Code:

          <?
        $host = '';
        $user = '';
        $pwd = '';
        $db = '';
        
$connect=mysql_connect('mysqlxx.powweb.com',$user,$pwd);
$result=mysql_select_db($db) or die( "This database is not working");

$user = $_SERVER['REMOTE_USER'];
$today = date("Y-m-d");

$list_query = mysql_query("SELECT * FROM tablename"); 

echo "Delete the selected job posting below.<br><br>";

while ( $data = mysql_fetch_array($list_query) ) { 

//recognize the month and post each work order
echo "ID: $data[ID]<br>";
"Date: $data[today]<br>";
"Job Title: $data[fieldname2]
<br>
Job Description: $data[fieldname3]
<hr><p>
";
            
echo "<p>Delete ID: 
            <input name=\"id\" type=\"text\" id=\"id\">
          </p>
          <p>
            <input type=\"submit\" name=\"ID\" value=\"Delete\">
          </p>";
}

?>

HTML Code:

        </form>

Here is the action of the form:

HTML Code:

<head>
<link href="../style.css" rel="stylesheet" type="text/css">
<META http-equiv="refresh" content="2;URL=">
</head>

PHP Code:

  <?
//connection information
$host = "";
$user = "";
$pwd = "";
$db = "";
$conn = mysql_connect('',$user,$pwd);

if(!$conn) echo "connection failed<br>";

//select database
$select = mysql_select_db("$db",$conn) or die ("This database is not working.");

function clean ( $val , $ws = 1) {
        
    if ($val == "") {
            
        return "";
        
    }
    
    $val = str_replace  ( " "            , " "            , $val ) ;        
    $val = str_replace  ( chr(0xCA)           , ""             , $val ) ;  
//Remove sneaky spaces
    $val = str_replace  ( "&"                  , "&amp;"           , $val ) ;
    $val = str_replace  ( "<!--"              , "<!--" , $val ) ;
    $val = str_replace  ( "-->"                  , "-->"       , $val ) ;
    $val = preg_replace ( "/<script/i"        , "<script"  , $val ) ;
    $val = str_replace  ( ">"                  , "&gt;"           , $val ) ;
    $val = str_replace  ( "<"                  , "&lt;"           , $val ) ;
    $val = str_replace  ( "\""                  , "&quot;"       , $val ) ;
    $val = preg_replace ( "/\n/"              , "<br />"       , $val ) ;
// Convert literal newlines
    $val = preg_replace ( "/\\\$/"              , "$"       , $val ) ;
    $val = preg_replace ( "/\r/"              , ""               , $val ) ;
// Remove literal carriage returns
    $val = str_replace  ( "!"                  , "!"           , $val ) ;
    $val = str_replace  ( "'"                  , "'"           , $val ) ;
// IMPORTANT: It helps to increase sql query safety.        
    $val = preg_replace ("/&amp;#([0-9]+);/s" , "&#\\1;"       , $val ) ;
    $val = ($ws == 1) ? preg_replace ( "/\s\s+/" , " "         , $val ) : $val ;
// Remove white space

    // Strip slashes if not already done so.
    
    if ( get_magic_quotes_gpc ( ) )
    {
        $val = stripslashes($val);
    }
    
//code correction provided by satis - see below
// Swap user inputted backslashes
     
    $val = preg_replace( "/\\\(?!&amp;#|\?#)/", "\"", $val );
     
    return $val;
     
}

//clean vars
$ = clean($_POST['']);

unset($error);

//delete job posting
$sql  = "DELETE FROM tablename WHERE id = '$ID";

$result = mysql_query($sql,$conn);
mysql_close($conn);

echo "<center><h3>Deleting Job Posting...........................</h3>
<br>Please wait...<center>"
?>

What am I doing wrong? This deletes nothing!

[mitchind]

Well ...
you're making progress. In your first post it was deleting EVERYTHING .. now it's NOTHING.

So that just means the record doesn't exist as you expect it to exist with the ID value provided. Echo the $sql statement before executing - do you even have a value for $ID in the SQL statement?

[satis]

this is wrong:

"DELETE FROM tablename WHERE id = '$ID";

you have an extra single quote in there. either

"DELETE FROM tablename WHERE id = $ID";
or
"DELETE FROM tablename WHERE id = '$ID'";

I dunno if there are other problems hiding in there. BTW, for cleaning an integer (which I assume $ID is), you can do this:

PHP Code:

$ID = (int)$ID; 


That'll convert $ID into an integer...if it's already and integer, it'll basically verify it's safe... if it's anything other than an integer, it converts it to 0. Then you can check it before actually doing your sql stuff so you don't run bogus sql queries.

PHP Code:

if($id == 0){
    echo 'Invalid Id';
   include('originating_page.html');
  die();
}
//onward with your query 


also, I' d recommend you stick an 'echo $sql' in there before you do your mysql_query. Any time I build a new sql statement, I ALWAYS echo out the sql query before ever running it against the database. Half the time it seems I'm running against a live database nowadays and I can't afford to accidently lose all my records or insert tons of trash or anything.

[bddotnet]

Thanks guys!