Delete MySQL record if 2 parameters match

Hi,

Firstly, and most importantly, you're not escaping parameters that come in over the URL before using them in an SQL query. That is a serious security risk.

Secondly, are you checking that the user id is set in the session before use?

Third, is your table called masterdb? And are you field names in caps or lowercase? The table definition you've included doesn't match your SQL query.

And to add some security, you could modify your query to:

$sql = sprintf("DELETE FROM `table` WHERE `url` = %d AND `userid` = %d LIMIT 1;", (int)$_GET['url'], (int)$_SESSION['user_id]);

R.

mysql("delete from masterdb where url='".$_GET['url']."' and userid='".$_SESSION['userid']."'");
if(!mysql_error()){
header("location:/index.php");
}
else {
echo mysql_error();
}

mysql("delete from masterdb where url='".$_GET['url']."' and userid='".$_SESSION['userid']."'");
if(!mysql_error()){
header("location:/index.php");
}
else {
echo mysql_error();
}

What if a user sets the URL argument to:

'; SHOW TABLES; --

or

'; DROP DATABASE `masterdb`; --

??

And displaying the database error to the user is very helpful. Allows people trying to hack your site to see exactly where the error is in their SQL injection attacks.

Sorry, I don't mean to burn. Am just trying to highlight my point :)

its just a sample...im not telling to use that in his official script;
echo mysql_error is just to test if his query is running correctly..
newbie in php need to see the error if there is...
hope you got my point

sorry im not that expert as you are...

No, not at all. As I said, I didn't mean to burn. But as you say, if the original poster is a novice PHP programmer, I think it's better than they learn about things like SQL injection and other potential security holes sooner rather than later.

No hard feelings.

Both of you are correct with your thoughts.

No hard feelings :)