I have a PHP script that will delete a post when a button is pressed, but it doesn't delete it; the post stays there.

My code:

    if (isset($_POST['deletePost'])) {
        $postID = $_GET['id'];
        $sqil = "DELETE FROM posts WHERE post_id='$postID'";
        $result = $conn->query($sqil);
    }
  • Do you have a post_id field in the database? Normally it is just called id. – Muhammad Tashfeen Nov 15 '20 at 18:47
  • Did you include an ID on the query string of your request? Perhaps not. Debug your code and ensure the ID value is really populated. P.s. this code is vulnerable to SQL injection attacks - you must use prepared statements and parametrised queries to protect your database from malicious users – ADyson Nov 15 '20 at 18:48
  • This code just deletes the entry in the database; you need to reload the table and display it again in order to see the modification. What error do you get? – Max Muster Nov 15 '20 at 18:48
  • https://owasp.org/www-community/attacks/SQL_Injection – Preston Guillot Nov 15 '20 at 18:51
  • This code is extremely susceptible to [sql injection](https://www.acunetix.com/websitesecurity/sql-injection/). You should use [prepared statements with parameter binding](https://phpdelusions.net/mysqli). – Wesley Smith Nov 15 '20 at 18:54
  • You'll need to debug your query execution to determine why it's failing, you can do that with [mysqli_report as shown here](https://stackoverflow.com/questions/22662488/mysqli-fetch-assoc-expects-parameter-call-to-a-member-function-bind-param) or with [mysqli_error](https://www.php.net/manual/en/mysqli.error.php) – Wesley Smith Nov 15 '20 at 18:54
  • I would second @WesleySmith here. With such a query I could make the result of `$_GET['id']` be `1' OR 'a'='a` and boom, all posts are gone. This is just a silly example, but beware of using user input in an SQL query without prepared statements and input sanitizing. – Julien B. Nov 15 '20 at 19:01
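The comments above raise three separate points: the id may never reach the script (it is read from `$_GET` while the button is submitted via `$_POST`), query failures are invisible because the return value of `query()` is never checked, and the id is spliced straight into the SQL text. The following handler is an added example written for this page, not the asker's code: it assumes the `$conn` mysqli connection and the `posts` table with its `post_id` column from the question, and additionally assumes the form sends the id as a hidden POST field named `id` and that `posts.php` is the page that lists posts (both are assumptions).

```php
<?php
// Added example (not the asker's code). Assumes: $conn is an open mysqli
// connection; table `posts` has column `post_id` (from the question); the
// delete form submits the id as a hidden POST field `id` (assumption);
// posts.php lists the posts (assumption).

// Make mysqli throw exceptions instead of silently returning false, so a
// failing DELETE is reported rather than leaving the post in place quietly.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Delete one post by id using a prepared statement.
 * Returns the number of rows removed (0 if no post had that id).
 */
function deletePost(mysqli $conn, string $rawId): int
{
    // Reject anything that is not a positive integer before it touches SQL.
    $postId = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($postId === false) {
        throw new InvalidArgumentException('post id must be a positive integer');
    }

    // The id travels as a bound parameter, never as part of the query text,
    // so input such as 1' OR 'a'='a cannot alter the WHERE clause.
    $stmt = $conn->prepare('DELETE FROM posts WHERE post_id = ?');
    $stmt->bind_param('i', $postId);
    $stmt->execute();

    // affected_rows distinguishes "deleted" from "no such post".
    $deleted = $stmt->affected_rows;
    $stmt->close();
    return $deleted;
}

if (isset($_POST['deletePost'])) {
    try {
        $deleted = deletePost($conn, $_POST['id'] ?? '');
        if ($deleted === 0) {
            error_log('deletePost: no post with id ' . ($_POST['id'] ?? '(missing)'));
        }
        // Redirect so the list is re-queried and the removal is visible.
        header('Location: posts.php');
        exit;
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'Invalid post id.';
    } catch (mysqli_sql_exception $e) {
        // Keep the database error in the server log, not in the response.
        error_log('deletePost failed: ' . $e->getMessage());
        http_response_code(500);
        echo 'Could not delete the post.';
    }
}
```

With `MYSQLI_REPORT_STRICT` enabled, the cause of a silent failure (wrong column name, missing id, permission error) surfaces as an exception and lands in the server log, which is the debugging step the comments recommend; the redirect after a successful delete covers the "reload the table" point.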

0 Answers