*Simple* PHP Error

dhtseany
September 26th, 2007, 09:08 PM
Hi everyone,

I'm sure this is super easy but I'm still learning. What's wrong with this line?


$SQL = "delete from upload2 where ID = $_GET['sqlid']";

Like I said, it must be something simple but I just can't figure it out.

Thanks,

Sean

Occasionally Correct
September 26th, 2007, 10:04 PM
The variable needs braces around it so that it can be parsed correctly:


$SQL = "delete from upload2 where ID = {$_GET['sqlid']}";

In general, it's a good idea to always use surrounding braces with variable parsing in strings for consistency, clarity, and so things like this won't creep up on you. You can find more information about it here (http://www.php.net/manual/en/language.types.string.php#language.types.string.parsing). Hope that helps. :)

aks44
September 26th, 2007, 10:15 PM
What's wrong with this line?

It allows SQL injection. As simple as calling page.php?sqlid=0%20OR%201 which will delete everything in your table.

You may want to use something along those lines:

$SQL = "delete from upload2 where ID = '".mysql_real_escape_string($_GET['sqlid'])."'";

ALWAYS quote & escape SQL arguments (and also escape variables that are output to HTML, using htmlspecialchars).
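To make the risk aks44 describes concrete, here is an added example that is not from the thread: it re-creates the situation in Python with an in-memory SQLite table standing in for upload2 (Python/sqlite3 is assumed instead of PHP/MySQL so it runs without a server). The `0 OR 1` value from the post empties the table when pasted into the query, while the validated, parameterized version refuses it.

```python
import sqlite3

# Constructed sample rows standing in for the thread's "upload2" table.
ROWS = [(1, "a.png"), (2, "b.png"), (3, "c.png")]


def fresh_db():
    """Build a fresh in-memory table so each call starts from the same state."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE upload2 (ID INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO upload2 VALUES (?, ?)", ROWS)
    return con


def remaining(con):
    return con.execute("SELECT COUNT(*) FROM upload2").fetchone()[0]


def delete_interpolated(sqlid):
    """The thread's pattern: the query-string value is pasted straight into SQL.
    Returns how many rows survive."""
    con = fresh_db()
    con.execute(f"DELETE FROM upload2 WHERE ID = {sqlid}")
    return remaining(con)


def delete_parameterized(sqlid):
    """Hardened form: check the value is an integer, then bind it as a parameter
    so the database never parses user input as SQL. Returns the surviving row
    count, or None when the input is rejected (nothing is deleted)."""
    con = fresh_db()
    try:
        id_value = int(sqlid)
    except (TypeError, ValueError):
        return None
    con.execute("DELETE FROM upload2 WHERE ID = ?", (id_value,))
    return remaining(con)


if __name__ == "__main__":
    for value in ("2", "0 OR 1"):
        print(f"sqlid={value!r}: interpolated leaves {delete_interpolated(value)} rows, "
              f"parameterized leaves {delete_parameterized(value)}")
```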

mssever
September 27th, 2007, 12:19 AM
You also need a semicolon at the end of the SQL statement.