<?php
         
		 
		 
		 $con =mysqli_connect ("localhost", "root", "" );
         $db= mysqli_select_db ($con, "student");
		 
		
		
		 $id = (isset($_POST['id']);
		 
		 $sql = "DELETE *FROM user  WHERE 'id' = .$id";
		 $result = mysqli_query($con, $sql);
		   if  ($result)
			  
			 {
				  
				 echo "Data delete";
			  }
			  else
			  {
			  echo "Data not delete";
				  
			  }


?>


What I have tried:

Please solve this error


Parse error: syntax error, unexpected '$sql' (T_VARIABLE) in D:\xmp\htdocs\student\delete.php on line 12
Comments
OriginalGriff 10-Jul-19 2:55am
   
It's surprisingly difficult to diagnose syntax errors without being able to see the code ...

Edit your question (use the "Improve question" widget) and add the relevant code fragment: the line itself, plus a dozen lines above and below, indicating which line the system is finding the problem on ... we can't see your screen, access your HDD, or read your mind!
Mubeen Mubeen Rasheed 12-Jul-19 0:30am
   
this is my code bro

Solution 3

Brackets must match...
$id = (isset($_POST['id']);
Try:
$id = (isset($_POST['id']));


But ... two other things you should attend to.
One trivial: Indent your code correctly, and get rid of spurious line breaks! It makes it a load easier to read if you do:
 	   if  ($result)
			  
			 {
				  
				 echo "Data delete";
			  }
			  else
			  {
			  echo "Data not delete";
				  
			  }
Versus
 	   if  ($result)
			  {
				 echo "Data delete";
			  }
	   else
			  {
			  echo "Data not delete";
			  }

And one much more serious: Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.

When you concatenate strings, you cause problems because SQL receives commands like:
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
Which SQL sees as three separate commands:
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
DROP TABLE MyTable;
A perfectly valid "delete the table" command
--'
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.

So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?
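
The parameterized-query advice above applied to the question's delete.php, as an added example that is not part of the original answer or the poster's code. It assumes the page's "student" database and a "user" table with an integer "id" column; the response messages and HTTP status codes are illustrative choices.

```php
<?php
// Added example: delete.php rewritten with a prepared statement.
// Assumption: table "user" has an integer primary key column "id".

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// isset() only yields true/false, so read and validate the value itself.
// filter_input() returns null if the field is missing and false if it is
// not an integer >= 1.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT,
                   ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Invalid or missing id');
}

try {
    // Credentials as on the page; in practice use a dedicated account
    // that only has the privileges this script needs.
    $con = new mysqli('localhost', 'root', '', 'student');
    $con->set_charset('utf8mb4');

    // The statement text is fixed; "?" marks where the value is bound,
    // so user input is never parsed as SQL.
    // DELETE takes no "*", and 'id' in single quotes would be a string
    // literal rather than the column name.
    $stmt = $con->prepare('DELETE FROM user WHERE id = ?');
    $stmt->bind_param('i', $id);   // 'i' = bind as integer
    $stmt->execute();

    // A successful query may still match no row, so check affected_rows.
    echo $stmt->affected_rows > 0 ? 'Data deleted' : 'No row with that id';

    $stmt->close();
    $con->close();
} catch (mysqli_sql_exception $e) {
    // Log details server-side; do not echo SQL errors to the client.
    error_log($e->getMessage());
    http_response_code(500);
    echo 'Data not deleted';
}
```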
   
Comments
   
ERROR
ERROR
Parse error: syntax error, unexpected 'MyTable' (T_STRING) in C:\xampp\htdocs\student\delete.php on line 12
OriginalGriff 4 days ago
   
Did you actually read what I said, or copy'n'paste the injection string into your app?
Richard Deeming 2 days ago
   
Looking at the reply in solution 4, that'll be a "no" to both then. :)
OriginalGriff 2 days ago
   
Oh, fer ... :doh:

Solution 1

Yes, we need to see your code. It looks like you missed a ';' on line 11 though.
   

Solution 4

<?php
         
		 
		 
		 $con =mysqli_connect ("localhost", "root", "" );
         $db= mysqli_select_db ($con, "student");
		 
		
		$id = (isset($_POST['id']));

		
	     SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;--'
		 $result = mysqli_query($con, $sql);
		    if  ($result)
			  {
				 echo "Data delete";
			  }
	   else
			  {
			  echo "Data not delete";
			  }


?>
   

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



