
Alright let me explain myself here:

I am making an online text based game. I have a page where 3 things can happen:

  • They can create a position
  • They can edit a position
  • They can delete a position

So far I have creating a position working. I moved on to deleting a position next. All was good and I got no errors, no warnings, etc. And when I ran it, it came back to the screen it was supposed to after the script to delete the position ran. It is only supposed to come here after the query runs.

Well, nothing happened, and after 3 hours of trying crap I'm coming to you guys because I'm on my last leg. I still have no critical errors; nothing is making it fail. Here is my code.

    <?php
    //In the include file is the connection to the db (session_start() is assumed to run there as well)
    include("library/new_library.php");

    //Below is the session id, gets their position id from the DB, then grabs whether or not they can edit the company
    $user_id = $_SESSION['user_id'];
    $sql = "SELECT ID, PositionID FROM users WHERE ID = '$user_id'";
    $query = mysql_query($sql);
    while($row = mysql_fetch_assoc($query))
    {
        $position = $row['PositionID'];
    }
    $sql = "SELECT * FROM tblCPositions WHERE PositionID = '$position'";
    $query = mysql_query($sql);
    while($row = mysql_fetch_assoc($query))
    {
        $editCompany = $row['Edit_Company'];
    }

    //Next I check for position edit and if they try to put in the position id of a position the company does not control it gives them a "nice" message.
    $company = $_SESSION['company'];
    $positionArray = array();
    if(!empty($_GET['pidedit']))
    {
        $position = $_GET['pidedit'];
        $sql = "SELECT * FROM tblCPositions WHERE PositionID = '$position'";
        $query = mysql_query($sql);
        while($row = mysql_fetch_assoc($query))
        {
            if($row['CompanyID'] != $company)
            {
                $warning = "<div class='warning'>You are trying to edit a position that does not belong to your company.  DO NOT TRY TO CHEAT THE SYSTEM!</div>";
            }
            else
            {
                //Array keys are quoted: bare ID, name, ... would be undefined constants
                $positionArray[] = array('ID' => $row['PositionID'], 'name' => $row['Name'], 'hire' => $row['Hire'], 'fire' => $row['Fire'], 'bid' => $row['Contract'], 'edit' => $row['Edit_Company'], 'finances' => $row['Finances']);
            }
        }
    }

    //Here I check for $_GET delete
    elseif(!empty($_GET['piddelete']))
    {
        $position = $_GET['piddelete'];
        $sql = "SELECT * FROM tblCPositions WHERE PositionID = '$position'";
        $query = mysql_query($sql);
        while($row = mysql_fetch_assoc($query))
        {
            if($row['CompanyID'] != $company)
            {
                $warning = "<div class='warning'>You are trying to delete a position that does not belong to your company.  DO NOT TRY TO CHEAT THE SYSTEM!</div>";
            }
        }
    }
    else
    {
        $sql = "SELECT * FROM tblCPositions WHERE CompanyID = '$company'";
        $query = mysql_query($sql);
        $number = mysql_num_rows($query);
        $numberLeft = 12 - $number;
        while($row = mysql_fetch_assoc($query))
        {
            $positionArray[] = array('ID' => $row['PositionID'], 'name' => $row['Name'], 'hire' => $row['Hire'], 'fire' => $row['Fire'], 'bid' => $row['Contract'], 'edit' => $row['Edit_Company'], 'finances' => $row['Finances']);
        }
    }

    //Create a new position
    if(!empty($_POST['submitNewPosition']))
    {
        $name = $_POST['positionName'];
        $hire = $_POST['hire'];
        $fire = $_POST['fire'];
        $bid = $_POST['bid'];
        $edit = $_POST['edit'];
        $finances = $_POST['finances'];
        $cid = $_SESSION['company'];
        $sql = "INSERT INTO tblCPositions(CompanyID, Name, Hire, Fire, Contract, Edit_Company, Finances) VALUES ('$cid','$name','$hire','$fire','$bid','$edit','$finances')";
        $query = mysql_query($sql);
        if($query)
        {
            header("location: view_company.php?newp=success");
            exit;
        }
    }

    //Haven't finished this section yet
    if(!empty($_POST['submitEditPosition']))
    {
        $name = $_POST['positionName'];
        $hire = $_POST['hire'];
        $fire = $_POST['fire'];
        $bid = $_POST['bid'];
        $edit = $_POST['edit'];
        $finances = $_POST['finances'];
    }

    //This is my problem area, this is where it says it's running the query but it's not.
    if(isset($_POST['deletePosition']))
    {
        $deleteID = $_GET['piddelete'];
        $deleteSql = "DELETE FROM tblCPositions WHERE PositionID = '$deleteID'";
        $deleteQuery = mysql_query($deleteSql);
        if($deleteQuery)
        {
            header("location: view_company.php?delete=success");
        }
        else
        {
            header("location: view_company.php?delete=failure");
        }
        //Stop the script after the redirect header so nothing else runs
        exit;
    }
    

UPDATE -

Ok, so I got it working. The problem was something I forgot: this form was just meant to be a "yes or no" form, so I was doing POST only to post the submit button; nothing else was on the form. What I had forgotten was that in the action="file.php" (what I had) I had forgotten to pass on the GET variable, so once I changed it to action="file.php?piddelete=12" it worked.

Thanks for everyone's help, I really appreciate it.

  • Must say very interesting title :) Commented Dec 16, 2010 at 4:32
  • uhm, have you checked whether error_reporting = E_ALL & ~E_NOTICE & ~E_DEPRECATED is set? Commented Dec 16, 2010 at 4:34
  • yeah it is but I couldn't think of any other way to explain it, I'll write back with the error reporting. Commented Dec 16, 2010 at 4:38
  • try adding an ELSE statement within the section you labeled as your "problem area" to help debug. Commented Dec 16, 2010 at 4:39
  • Nothing... still went to the success. Commented Dec 16, 2010 at 4:55

1 Answer

10 to 1 your variable $_GET['piddelete'] is empty. What do you get when you do this:

    var_dump($_GET['piddelete']);
    

    Disable the header redirect so that you can see the output.

    edit

    Or, as Nick pointed out, you can add die() statements to your queries:

    $deleteQuery = mysql_query($deleteSql) or die(mysql_error());
    

If your query still runs, and the script doesn't die, and the position is still not deleted, you should check the query; it may be deleting 0 rows successfully. Try killing at die($deleteSql); and run the query through MySQL's console.

    /edit

Also, I'm compelled to introduce you to my good friend, the SQL injection attack. You should filter all data contained in the $_POST and $_GET superglobals before handing them over to the MySQL server. Use mysql_real_escape_string().

    Try to grok this:

    whatever.com/your_url.php?pidedit=x'%3B%20DROP%20TABLE%20tblCPositions%3B%20--
    

    If I were to execute that query string on your application, your tblCPositions table would be dropped.
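A hardened version of the question's delete block, as an added example that is neither the asker's nor the answerer's code. It swaps the page's mysql_* calls and escaping for mysqli prepared statements (assuming an open `$mysqli` connection and a started session), validates `piddelete` before it reaches the database, and scopes the DELETE to the caller's company, since the original only prints a warning for a foreign PositionID and still deletes it.

```php
<?php
// Added example, not from the question or the answer. Assumes $mysqli is an open
// mysqli connection and that session_start() has already run.

// Returns 'deleted', 'not_found' or 'bad_request'; user input is never interpolated into SQL.
function deletePosition(mysqli $mysqli, array $get, array $session): string
{
    // Validate before the database sees anything: an empty piddelete (the asker's actual
    // problem) and the "x'; DROP TABLE tblCPositions; --" payload both fail this check.
    $deleteId = filter_var($get['piddelete'] ?? null, FILTER_VALIDATE_INT);
    $company  = filter_var($session['company'] ?? null, FILTER_VALIDATE_INT);
    if ($deleteId === false || $company === false) {
        return 'bad_request';
    }

    // Bind both values as integers and restrict the delete to the caller's own company,
    // so a PositionID belonging to another company deletes nothing.
    $stmt = $mysqli->prepare(
        'DELETE FROM tblCPositions WHERE PositionID = ? AND CompanyID = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $stmt->bind_param('ii', $deleteId, $company);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }

    // A DELETE can succeed while removing 0 rows; check affected_rows, not just "truthy".
    $deleted = $stmt->affected_rows > 0;
    $stmt->close();
    return $deleted ? 'deleted' : 'not_found';
}

if (isset($_POST['deletePosition'])) {
    $status = deletePosition($mysqli, $_GET, $_SESSION);
    header('Location: view_company.php?delete=' . $status);
    exit; // always stop the script after issuing a redirect
}
```

With this shape the 'bad_request' and 'not_found' results make the "query ran but nothing changed" case visible in the redirect instead of reporting success.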


9 Comments

  • Just checked and it's set; in the URL it is set and I'm able to echo the $_GET variable on the page where the button is to delete the page.
  • How about that error reporting? Also, is your above script on the same page as the delete button? If not (I'm guessing it's not, since you are doing a redirect), you'll need to check if the GET variable is set in that script, not the one before it. Disable the header redirect, echo the GET variable in the above script, and click the button.
  • Yeah, I try to get stuff working without it first, then I add mysql_real_escape_string... I know it's not normal but it works for me most of the time :) Well, actually the GET isn't coming from a form. It's coming from text I enter, so yes it is on the same page but it's not from a form.
  • That's dangerous. What if you forget? Just one.
  • Also, I think it would be easier to just do this: $sql = mysql_query("Your query") or die (mysql_error());
