--- In [email protected], James Keeline <[EMAIL PROTECTED]> wrote: > > --- Muthukumar Selvarasu <[EMAIL PROTECTED]> wrote: > > > Delete query syntax is > > > > delete from table_name; > > > > so change your query into > > > > runsql("DELETE FROM tBob WHERE ID = " . $_GET['a'] . ";"); > > Replies should be at the bottom of trimmed quoted text. > > In either example the query you have would be ~very~ easy to abuse by a bad guy > since you have no validation of the expected value of $_GET['a']. Consider the > opportunity for SQL injection if $_GET['a'] has a value like: > > "NULL; DROP TABLE tBob" > > An SQL error could indeed cause your problem. While developing, you should be > prepared to display the SQL errors. I don't know all that your custom runsql() > function does so perhaps it accomplishes this. > > James >
I appreciate your help. That was just pseudo code becuase the issue
is that it's not working in proper order -- the query runs (and runs
fine, there's no syntax issue). If I simply navigate to /admin.php
(the real file), then it shows the item no longer there. However, as
the code executes, and the successful DELETE occurs, it parses
forward through the code and finds the code to generate the SELECT
drop-down box. That box is still showing the old values.
More pertinent code (all of this runs fine, other than the SELECT box
having the deleted value):
<?php
//CODE TO REMOVE AN EMAIL ADDRESS. CLEANED OUT PERIODICALLY,
BUT FOR DEBUGGING PURPOSES, I'M LEAVING IN THE DATABASE FOR THE TIME
BEING.
function RemoveEmail($hash)
{
DebugPrint("Remove email: $hash");
$return = array();
$query =
"SELECT " .
"* ".
"FROM " .
"tEmail " .
"WHERE " .
"((hash = '" . $hash . "') AND
(enabled = -1)) " .
"ORDER BY ".
"addr;";
if (CountRows(GetFromQuery($query)) <= 0)
{
$return[0] = "Email address not in
database.<br>";
return $return;
}
$query =
"UPDATE " .
"tEmail " .
"SET " .
"enabled = 0 " .
"WHERE " .
"(hash = '" . $hash . "');";
$result = RunQuery($query);
odbc_commit($result); //NOT DOING IT
return $return;
}
//CODE TO GENERATE THE ITEMS IN A DROP-DOWN BOX
function SelectEmails($default = "")
{
//Query out the email addresses on file
$query =
"SELECT " .
"emailid, " .
"addr ".
"FROM " .
"tEmail " .
"WHERE " .
"(enabled = True) " .
"ORDER BY ".
"addr;";
$result = GetFromQuery($query);
while(odbc_fetch_row($result)) {
$eid = odbc_result($result,"emailid");
$addr = odbc_result($result,"addr");
if ($addr == $default)
echo " <option value=\"$addr\"
selected>$addr</option>\n";
else
echo " <option
value=\"$addr\">$addr</option>\n";
}
}
?>
/******************************************/
//My main PHP file's (pertinent) contents://
/******************************************/
<?php
session_save_path("C:\\x\\y\\z\\");
session_start();
include "file.inc";
DebugPrint("Started CheckData()");
$response = CheckData(); ///THIS IS WHERE THE DATA IS
DELETED/ADDED
DebugPrint("CheckData Complete.");
?>
<html>
<head>
<LINK REL=StyleSheet HREF="style.css" TYPE="text/css"
TITLE="style" MEDIA="screen, print">
<title>Mail - Administration</title>
<!doctype html public "-//W3C//DTD HTML 4.0 //EN">
</head>
<body>
<div id="wrap">
<div id="masthead">
<div id="logo">
<img src="logo.gif" alt="Our
company">
</div>
</div>
<?php ShowNavBar(); ?>
<div id="content">
<?php
if (!isset($_SESSION
['userid'])) { ?>You are not logged in. <a href="login.php">Log
In</a> to access this feature.<?php }
else
{
?>
<h4>Mail -
Administration</h4>
<table
class="admintools">
<tr>
<th>Manage Email Addresses</th>
</tr>
<tr>
<td
align="center">
<table class="emailadmin">
<tr><th>
Add an email:
</th></tr>
<tr><td>
Enter an email address to add it to the
database:<br />
<form action="admin.php?r=reg" method="post"
target="_self">
<input type="text" name="email"
size="36">
<input type="submit" value="Submit">
</form>
<div align="center">
<?php
if ((count($response)) &&
($_GET['r'] == "reg"))
{
?>
<table
class="errmsgs">
<tr><td>
<?php
$i = 1;
foreach ($response as $value)
{
echo $value;
if ($i < count($response))
echo "<br />\n";
}
?>
</td></tr>
</table><br />
<?php
}
?>
</div>
</td></tr>
<tr><th>
Remove an email:
</th></tr>
<tr><td>
Select an email address to remove it from the
database:<br />
<form action="admin.php?r=rmv" method="post"
target="_self">
<select name="email">
<?php
DebugPrint("Start
Listing Emails"); //THE OTHER CODE RUNS FIRST, PER THE HTML SOURCE OF
THE PAGE. THIS CODE RUNS AFTER THE OTHER, BUT SELECTEMAILS STILL GETS
THE DELETED ITEM. ODBC_COMMIT() DOES NOT RESOLVE.
SelectEmails();
DebugPrint("End List
of Emails");
?>
</select>
<input type="submit" value="Submit">
</form>
<div align="center">
<?php
if ((count($response)) &&
($_GET['r'] == "rmv"))
{
?>
<table
class="errmsgs">
<tr><td>
<?php
$i = 1;
foreach ($response as $value)
{
echo $value;
if ($i < count($response))
echo "<br />\n";
}
?>
</td></tr>
</table><br />
<?php
}
?>
</div>
</td></tr>
</table>
</td>
</form>
The data where information comes in goes through an algorythm to
check pattern matching using regular expressions to verify the email
matches basic syntax (and contains no dangerous elements):
<?php
case "email":
$pattern = "/[EMAIL PROTECTED]
\\.]*\\.[A-Z]{2,4}/i";
if (!(preg_match($pattern, $value)))
{
if ($showerrors)
echo "Invalid email
address entered.";
return '';
}
return $value;
break;
?>
So SQL injection is not an issue, at present. I don't know for sure
that the regexp is exactly how I want it, but I don't care -- it's
not the issue :) You don't even have to review it. I just need to
figure out why the select box is still showing a value that has been
deleted from my table.
(It's worth noting that Access doesn't actually wipe deleted
information out 'till you do a compact/repair, but that's also not
pertinent because it DOES block the values from being returned in the
recordsets sent back from SELECT queries).
Any other help you guys (or someone else) can give, would be -very-
much appreciated. I am stumped. :)
