Here $id is integer value and it's not deleting from MySQL:
$Query="DELETE FROM table WHERE id='.$id.' and cid='".$cid."'";
2 Answers
Your problem in short: you have mixed different quotation marks - " and '.
This problem would not arise if you would use prepared statements, as you would have had a single string literal:
$Query="DELETE FROM table WHERE id=? and cid=?";
This would also remove the possibility of SQL injections.
This would also speed-up you program if you need to execute the same prepared statement several times (the statement is already prepared and does not need to be parsed on the second+ invocation).
And finally, in case you are still using the officially deprecated PHP mysql extension you MUST switch to mysqli and use its full benefits like prepared statements. The mysql extension is no longer officially supported and may be removed in future (though I foresee that it will be moved to PEAR or so).
As a temporary solution, use mysql_real_escape_string to encode all variables which are derived from the user input. Please do NOT use mysql_escape_string as it is highly vulnerable to character encoding!
Comments
You forgot to close your "
The Solution:
$id = mysql_real_scape_string($id);
$cid = mysql_real_scape_string($cid);
$Query="DELETE FROM table WHERE id='".$id."' and cid='".$cid."'";
The Problem
So, if you were to echo out your statement as it was, the result would look like:
DELETE FROM table WHERE id='.1.' and cid='2'
See the problem with that?
answered Apr 25, 2013 at 21:16
What have you tried
11.2k4 gold badges35 silver badges45 bronze badges
2 Comments
Jasper
What about
$cid, wouldn't you escape that as well?What have you tried
@Jasper Yes you would, I made a mistake and have since fixed it.
mysql_real_escape_stringisn't much better, he should switch tomysqliorPDO. Also, how do you know he wasn't / isn't usingmysql_real_escape_stringsomewhere before the line he posted?