0

I want a SQL query to run when a link is clicked on. So far this is what I have:

mainpage.php:

function deleteImage1() {
    $.post("delete_image.php", { num: 1, id: <?php echo $id; ?> }, function (data, status) {
        alert("Data: " + data + "\nStatus: " + status);
    });
    return false;
}

<a href="#" onclick="deleteImage1()">Delete Image</a>

delete_image.php:

<?php

// $connect stuff here

$num = $_GET['num'];
$id = $_GET['id'];

// Column suffix: image slot 1 is the column "image", other slots are "image<num>"
if ($num === '1') {
    $image_num = '';
} else {
    $image_num = $num;
}

$sqlCommand = mysql_query("UPDATE alpacas1 SET image$image_num='' WHERE id=$id");

if (!$sqlCommand) {
    die('Invalid query: ' . mysql_error());
} else {
    echo "Updated successfully!";
}
?>

Now, when I click on the "Delete Image" link, it tries to run the function, and it does, but returns this in the popup:

Data: Invalid query: You have an error in your SQL syntax; check the manual that corresponds with your MySQL server version for the right syntax to use near " at line 1.
Status: success

But when I reload the page, (or look in the database), the image field has not been changed to '' (or null).

Also, I have tested the SQL query so it is not that. I have done so by visiting delete_image.php in my browser with the id & num variables being "posted" (ex. delete_image.php?num=1&id=20) and by visiting it IN BROWSER, it SUCCESSFULLY deletes the image and gives me the message "Updated successfully!".

I'm guessing it's something with my Javascript as I am a beginner! Thanks for your help!

5
  • What's the code in mainpage.php that declares $id? Commented Oct 15, 2013 at 23:28
  • Sorry, the page is huge, didn't include that, but it is a PHP GET function that gets it, and it works, because I use it for many other functions on the page. Commented Oct 15, 2013 at 23:30
  • Here is the function when I "inspect element" on Google Chrome. As you can see, the $id variable displays correctly when asked. function deleteImage1() { $.post("delete_image.php", { num:1, id:286 }, function(data,status){ alert("Data: " + data + "\nStatus: " + status); }); return false; } Commented Oct 15, 2013 at 23:32
  • This code looks extremely vulnerable to SQL injection if used in a live site. I strongly recommend using either mysqli or pdo with a parameterized query. Commented Oct 16, 2013 at 3:18
  • It's the backend, which is password protected, and one user is going to be using it, so SQL injection isn't a problem. Commented Oct 16, 2013 at 17:37

1 Answer

2

I should've noticed this earlier...

You're using the jQuery .post(), yet you're accessing the variables as if they are sent via GET. You should either use $_POST or $_REQUEST to pull in your data:

$num = $_POST['num'];
$id = $_POST['id'];

Without the proper variables, your query reads:

UPDATE alpacas1 SET image='' WHERE id="

Thus the MySQL error is returned.

2 Comments

Ah I should have caught that also!! Thanks man, just what I needed, I've tried so many things I'm lost in my own code.
No problem, sometimes it just takes a second set of eyes to catch the simple mistakes.
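
An added example, not part of the original question or answer: one way to write the endpoint so that it reads the POST body, as the answer describes, and uses the parameterized query one commenter recommends. It uses PDO with an in-memory SQLite table as a constructed stand-in for the MySQL table so it runs without a server; the function name deleteImage and the columns image2 and image3 are assumptions inferred from the `image$image_num` pattern in the question.

```php
<?php
declare(strict_types=1);
// Added example, not the asker's code. The SQLite table below is constructed
// demo data standing in for the MySQL table alpacas1.

function deleteImage(PDO $db, array $input): int
{
    // Column names cannot be bound as parameters, so map num onto a fixed allow-list.
    $columns = ['1' => 'image', '2' => 'image2', '3' => 'image3']; // image2/image3 assumed
    $num = $input['num'] ?? null;
    if (!is_string($num) || !isset($columns[$num])) {
        throw new InvalidArgumentException('num missing or not an allowed image slot');
    }
    // A missing id (for example, reading $_GET after a POST) is rejected here
    // instead of producing "WHERE id=" and a SQL syntax error.
    $id = filter_var($input['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('id missing or not an integer');
    }
    // The id travels as a bound parameter, never as part of the SQL text.
    $stmt = $db->prepare("UPDATE alpacas1 SET {$columns[$num]} = '' WHERE id = :id");
    $stmt->execute([':id' => $id]);
    return $stmt->rowCount();
}

// Constructed demo table and row.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE alpacas1 (id INTEGER PRIMARY KEY, image TEXT, image2 TEXT, image3 TEXT)");
$db->exec("INSERT INTO alpacas1 VALUES (286, 'a.jpg', 'b.jpg', 'c.jpg')");

// Constructed request bodies; in the real endpoint pass $_POST.
$requests = [
    ['num' => '1', 'id' => '286'],          // what $.post() sends
    [],                                      // what $_GET holds after a POST
    ['num' => '1', 'id' => '286 OR 1=1'],    // non-integer id
    ['num' => "2='', image3", 'id' => '286'] // num outside the allow-list
];
foreach ($requests as $r) {
    try {
        echo json_encode($r), ' -> rows changed: ', deleteImage($db, $r), "\n";
    } catch (InvalidArgumentException $e) {
        echo json_encode($r), ' -> rejected: ', $e->getMessage(), "\n";
    }
}
```

Only the first request changes a row; the other three are rejected before any SQL is built.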
