
I made an application for a taxi service with PHP and MySQL, and I use PDO for connecting. I set up an admin panel and wrote a delete query to delete unwanted price records according to their priceid. But nowadays I lose all price data (the table becomes empty) sometimes without any action from the admin. Please check my delete query page code below. Thank you for your time.

    <?php
    ob_start();
    include 'inc/database.php';
    include 'inc/header.php';

    // Read the id to delete from the query string; otherwise send the admin
    // back to the list page (note: no exit after header(), so execution continues).
    if (isset($_GET['getid'])) {
        $getId = $user->cleaninput($_GET['getid']);
    } else {
        header("Location:prices.php");
    }

    // Only run the DELETE for a non-empty numeric id. The id is concatenated
    // into the SQL text rather than bound as a parameter.
    if (!empty($getId) && is_numeric($getId)) {
        $adData = $DB_con->prepare("DELETE FROM price_data WHERE price_ID=" . $getId . " LIMIT 1");
        $adData->execute();
        header("Location:prices.php");
    } else {
        header("Location:prices.php");
    }
  • I wouldn't depend on cleaninput to make your data safe. Use a prepared statement properly and pass the $getId as a parameter. With your code in its current form, if price_ID as the getid value can pass through cleaninput, you will have all your data deleted. Parameterized prepared statements will prevent this. Commented Feb 19, 2020 at 4:27
    Thank you. So do you mean $adData->bindparam(":getid",$getId); ? Commented Feb 19, 2020 at 4:32
  • Yep, and include :getid in your prepared query, obviously. It doesn't totally explain your scenario, but it's one way to prevent it. And I missed the is_numeric check, but even so, putting in prepared statement protection against SQL injection is easier than engineering checks for every query. Commented Feb 19, 2020 at 4:40
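The comments above recommend binding the id as a parameter instead of concatenating it into the DELETE. The following is an added example written for this page, not the asker's code: the delete logic as a function that validates the id as a strict positive integer, binds it with a named placeholder and PDO::PARAM_INT, and returns the number of rows removed. It runs against an in-memory SQLite database (requires the pdo_sqlite extension) so it works offline; the table and column names come from the question, the sample rows and the other column names are constructed, and MySQL's "LIMIT 1" on DELETE is left out because a default SQLite build rejects it (price_ID is the primary key, so at most one row matches anyway).

```php
<?php
// Added example, not the original page's code. Constructed data; assumes pdo_sqlite.
declare(strict_types=1);

function deletePriceById(PDO $db, $getId): int
{
    // Reject anything that is not a plain positive integer. is_numeric() also
    // accepts values such as "1e3", " 5" and "0.5", which is looser than an ID needs.
    $id = filter_var($getId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 0;
    }

    // The value never becomes part of the SQL text; it is sent as data bound to
    // :getid, so input like "1 OR 1=1" cannot change the WHERE clause.
    $stmt = $db->prepare('DELETE FROM price_data WHERE price_ID = :getid');
    $stmt->bindValue(':getid', $id, PDO::PARAM_INT);
    $stmt->execute();

    // Rows actually removed. Worth logging from the admin panel: an unexpected
    // count greater than 1 is the first sign of a bad query.
    return $stmt->rowCount();
}

function makeSampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // use native prepared statements

    $db->exec('CREATE TABLE price_data (price_ID INTEGER PRIMARY KEY, from_loc TEXT, to_loc TEXT, price REAL)');

    // Constructed sample rows (column names other than price_ID are assumed).
    $ins = $db->prepare('INSERT INTO price_data (price_ID, from_loc, to_loc, price) VALUES (?, ?, ?, ?)');
    foreach ([[1, 'Airport', 'City', 25.0], [2, 'City', 'Harbour', 12.5], [3, 'Harbour', 'Airport', 30.0]] as $row) {
        $ins->execute($row);
    }
    return $db;
}

function countPrices(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM price_data')->fetchColumn();
}

$db = makeSampleDb();

// A valid request (?getid=2): exactly one row goes, two remain.
printf("delete '2'         -> %d row(s) removed, %d left\n", deletePriceById($db, '2'), countPrices($db));

// An injection attempt (?getid=1 OR 1=1): rejected before any SQL runs, nothing removed.
printf("delete '1 OR 1=1'  -> %d row(s) removed, %d left\n", deletePriceById($db, '1 OR 1=1'), countPrices($db));

// A column name as the id (?getid=price_ID), the case raised in the comments:
// also rejected by the integer check, and even if it reached the statement it
// would be bound as a value, never read as the column.
printf("delete 'price_ID'  -> %d row(s) removed, %d left\n", deletePriceById($db, 'price_ID'), countPrices($db));
```

To use this in the page from the question, replace the concatenated prepare()/execute() pair with a call to deletePriceById($DB_con, $_GET['getid']) and redirect afterwards; cleaninput() can stay, but it is no longer what keeps the query safe.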
