
I want to delete data from MySQL with PHP and Angular. This is my code:

Angular

    $scope.delete = function(){
        that = this;
        $http.get("delete.php").success(function(data){
            $scope.users.splice(that.$index, 1)
        })
    }

PHP

$data = json_decode(file_get_contents("php://input"));
$subject = mysql_real_escape_string($data->subject);
mysql_select_db("angular") or die(mysql_error());

$tbl="Customers";
$subject = $_GET['index'];
$sql="DELETE FROM $tbl WHERE subject = '$subject'";
$result = mysql_query($sql, $con); // $con: the link returned by mysql_connect()
if($result){
    echo "Deleted Successfully";

}else {
    echo "ERROR";
}

DB

I have a table "Customers" with subject and body columns.

The JavaScript code worked correctly, but after refreshing, the data is still there!
Where am I wrong?

  • This code is just waiting to be exploited with SQL injection the way that you've implemented it. php.net/manual/en/security.database.sql-injection.php Commented Oct 8, 2014 at 22:13
  • How are you passing the parameter index? Commented Oct 8, 2014 at 22:13
  • You need to pass ANYTHING with the GET request from the Angular side. But that's just the beginning... Please start with topics like what GET and POST are, and why passing variables taken from them inside queries is a totally wrong idea... Commented Oct 8, 2014 at 22:14
  • Without seeing any more of the surrounding code, I suspect that the query being executed is: DELETE FROM Customers WHERE Subject = ''. How does index get passed in? Commented Oct 8, 2014 at 22:16
  • You probably should also strongly consider using POST instead of GET. It would be trivial for someone to type http://yourdomain.com/delete.php?index=xyz in your browser to delete data from your database. POST would help prevent against this and would give you even better security if you verified a valid session token, so someone couldn't just form valid POSTs against your endpoint to delete records. Commented Oct 8, 2014 at 22:20

1 Answer


As mentioned in the comments, your code is vulnerable to SQL injection attacks.


You need to add subject to your request.

Angular

$scope.delete = function(){
    var subject = // get subject somehow ...
    that = this;
    $http.get("delete.php?subject=" + subject)
        .success(function(data){
            $scope.users.splice(that.$index, 1)
        })
}

PHP

$tbl="Customers";
$subject = $_GET['subject'];
$sql="DELETE FROM $tbl WHERE subject = '$subject'";
$result = mysql_query($sql, $con); // $con: the link returned by mysql_connect()
if($result){
    echo "Deleted Successfully";

}else {
    echo "ERROR";
}

3 Comments

Thanks @Jossef, but nothing happened, and I also updated my question about my DB.
Note that var subject = // get subject somehow ... is something you need to complete by yourself.
I added var subject = $scope.sentCompose; $scope.sentCompose is from the send function, but nothing happened.
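The answer above keeps the subject inside the SQL string, so the injection the commenters warn about is still possible (a subject of `x' OR '1'='1` turns the WHERE clause into a tautology and empties the table), and a plain GET link can still trigger the delete. The following delete.php is an added example written for this page, not the asker's or answerer's code: it accepts only POST with a JSON body, checks a CSRF token, and runs the delete as a mysqli prepared statement so the subject is bound as data rather than spliced into the query. The database name "angular" and table Customers(subject, body) come from the question; the credentials, the `csrf_token` field and the `$_SESSION['csrf_token']` name are assumptions.

```php
<?php
// delete.php: hardened replacement for the endpoint in the answer above.
// Added example, not the original poster's or answerer's code. Assumes a
// MySQL database "angular" with table Customers(subject, body) and a CSRF
// token that the page issuing the delete stored in $_SESSION['csrf_token'];
// the connection credentials below are placeholders.

declare(strict_types=1);
session_start();
header('Content-Type: application/json');

// 1. Only accept POST: a link such as delete.php?subject=x (or an <img>
//    tag pointing at it) must not be able to delete rows.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    echo json_encode(['error' => 'POST required']);
    exit;
}

// 2. Read the JSON body that Angular's $http.post() sends and make sure
//    the subject is really a string before it goes anywhere near the DB.
$data = json_decode(file_get_contents('php://input'), true);
if (!is_array($data) || !isset($data['subject']) || !is_string($data['subject'])) {
    http_response_code(400);
    echo json_encode(['error' => 'subject missing']);
    exit;
}

// 3. Require a CSRF token matching the one in the session (assumed name).
//    hash_equals() compares in constant time.
$token = $data['csrf_token'] ?? '';
if (!is_string($token) || !isset($_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $token)) {
    http_response_code(403);
    echo json_encode(['error' => 'bad CSRF token']);
    exit;
}

// 4. Connect with mysqli (the mysql_* functions used above were removed
//    in PHP 7) and let errors throw instead of die()-ing with mysql_error().
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$con = new mysqli('localhost', 'app_user', 'app_password', 'angular'); // placeholders

// 5. Prepared statement: the subject is sent as a bound parameter, never as
//    part of the SQL text, so "x' OR '1'='1" is matched literally as a
//    subject and cannot widen the WHERE clause.
$stmt = $con->prepare('DELETE FROM Customers WHERE subject = ?');
$stmt->bind_param('s', $data['subject']);
$stmt->execute();

// 6. Report what actually happened. A query that succeeds but matches no
//    row (affected_rows == 0) is exactly the "nothing happened" case in the
//    question, which the original "Deleted Successfully" branch hid.
echo json_encode(['deleted' => $stmt->affected_rows]);
$stmt->close();
$con->close();
```

On the Angular side this pairs with `$http.post("delete.php", {subject: subject, csrf_token: token})` instead of the GET call, and the callback should only `splice` the row out of `$scope.users` when `data.deleted > 0`, otherwise the list and the table drift apart again after a refresh. Note also that the statement deletes every row whose subject matches, which is what the question asks for but means two customers sharing a subject go together; keying the delete on a primary key column would be the tighter design.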
