
Deleting a record from mysql


bigbird3156

Programmer
Feb 20, 2001
Hi,

I'm a PHP noob who is learning on the fly, so please be patient... I am trying to create a record delete page for my database, and by using Dreamweaver and looking at various tutorials and such I have developed a page that should delete the record displayed and then redirect you to a confirmation page... The only problem is that when you hit the delete button it seems to only reload the current page showing the record you want to delete (and no, the record is not deleted from the database).

Could someone please look at my code and give me an idea of where I have gone wrong...

Code:
<?php require_once('../Connections/CA_database.php'); ?>
<?php
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}

if ((isset($HTTP_GET_VARS['rec_num'])) && ($HTTP_GET_VARS['rec_num'] != "") && (isset($HTTP_POST_VARS['Submit']))) {
  $deleteSQL = sprintf("DELETE FROM products WHERE rec_num=%s",
                       GetSQLValueString($HTTP_GET_VARS['rec_num'], "int"));

  mysql_select_db($database_CA_database, $CA_database);
  $Result1 = mysql_query($deleteSQL, $CA_database) or die(mysql_error());

  $deleteGoTo = "admin_delete3.php";
  if (isset($HTTP_SERVER_VARS['QUERY_STRING'])) {
    $deleteGoTo .= (strpos($deleteGoTo, '?')) ? "&" : "?";
    $deleteGoTo .= $HTTP_SERVER_VARS['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $deleteGoTo));
}

$colname_del_record = "1";
if (isset($HTTP_POST_VARS['rec_num'])) {
  $colname_del_record = (get_magic_quotes_gpc()) ? $HTTP_POST_VARS['rec_num'] : addslashes($HTTP_POST_VARS['rec_num']);
}
mysql_select_db($database_CA_database, $CA_database);
$query_del_record = sprintf("SELECT * FROM products WHERE rec_num = %s", $colname_del_record);
$del_record = mysql_query($query_del_record, $CA_database) or die(mysql_error());
$row_del_record = mysql_fetch_assoc($del_record);
$totalRows_del_record = mysql_num_rows($del_record);
?>

<?php require_once('../Connections/CA_database_connection.php'); ?>
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
<div align="center">
  <p><strong><font color="#006600" size="5" face="Arial, Helvetica, sans-serif">Delete 
    Confirmation</font><font color="#FF0000" size="5" face="Arial, Helvetica, sans-serif"><br>
    </font><font color="#FF0000" face="Arial, Helvetica, sans-serif">WARNING!! 
    <br>
    Clicking the Delete Button Below will Permanently Delete This record.</font></strong></p>
  <p><font color="#003300" size="5" face="Arial, Helvetica, sans-serif"><font size="3"><a href="admin_control.php">CONTROL</a> 
    | <a href="admin_add.php">ADD</a> | <a href="view.php">VIEW</a> | <a href="admin_update1.php">UPDATE</a> 
    | DELETE | <a href="../index.html" target="_blank">PUBLIC</a></font></font> 
  </p>
  <form name="form1" method="post" action="">
    <table width="100%" border="0" cellspacing="0">
      <tr> 
        <td width="25%" rowspan="5"><div align="center"><img src="<?php echo $row_del_record['prod_pic']; ?>" alt="" name="del_pic"></div></td>
        <td width="15%">Product Number:</td>
        <td width="60%"><?php echo $row_del_record['prod_num']; ?></td>
      </tr>
      <tr> 
        <td>Product Name</td>
        <td><?php echo $row_del_record['prod_name']; ?></td>
      </tr>
      <tr> 
        <td>Designer</td>
        <td><?php echo $row_del_record['designer']; ?></td>
      </tr>
      <tr> 
        <td>Category</td>
        <td><?php echo $row_del_record['prod_cat']; ?></td>
      </tr>
      <tr> 
        <td colspan="2"></td>
      </tr>
      <tr> 
        <td colspan="3">
<div align="center">
            <input type="submit" name="Submit" value="Delete">
          </div></td>
      </tr>
    </table>
  </form>
  <p>&nbsp; </p>
</div>
</body>
</html>
<?php
mysql_free_result($del_record);
?>

Thanks Heaps for any help

[wiggle]The Bird from Down Under- Bigbird 3156
Programmer?? - I thought the option was pretender not programmer!![jester]
 
Should you not be referencing $_POST rather than $HTTP_GET_VARS? Your form is submitted via the POST method, after all.
 
Thanks for that jpadie,

I tried it; it made no difference...

Do I need to change the $HTTP_SERVER_VARS and $HTTP_POST_VARS as well? If so, with what?

I apologise; I am really new at this stuff and have never really played around with databases and passing stuff between pages etc.

 
@OP

Using Dreamweaver to write code for you is, IMO, very dangerous. The code snips are badly written, not kept updated, and hide from you the underlying rationale for doing something a certain way. However painful it might be, do the learning curve properly and code things yourself. DW is OK as a code editor (collapsing and colourising) and OK as a site management tool, but in honesty I can't even recommend it for those simple tasks these days, not at its price tag. There are LOADS of freeware IDEs out there that will serve you so much better in the long run, not to mention save you money.

Likewise, your HTML sucks. You should separate the display from the content: put the styling of your HTML elements into a style sheet and take it out of the inline controls. Likewise, do not use tables for displaying non-tabular data; this is pretty much an axiom of web design these days. I have not fixed your HTML code for you, but post back if you want an example of how to code forms using CSS. It will greatly simplify your life!

If you are building lots of forms in your applications you would be well served by HTML_Quick_Form from the pear repository.

On to the meat of the thing: I have rewritten your code into a set of discrete functions. IMO you will improve your coding style and simplify your page logic if you break down your code into a series of discrete functions. Below you will find functions for
* processing the form data
* displaying the form data
* redirecting the browser
* preparing variables for use in queries
* setting debug parameters

Most of these can be abstracted to a file of library functions which you could then make available to every page via a call like
Code:
require_once 'libraryFunctions.php';

Code:
<?php 
//set debugging parameters
setDebug(true); //set to false to suppress errors

//database connection
require_once('../Connections/CA_database.php');
mysql_select_db($database_CA_database, $CA_database); // you need to do this once per connection only.
magic_quotes_runtime(false); //just in case this is turned on


/**
 * create the dispatcher
 */

//we test expressly for the value of Submit as well.  
//the reason is because the incoming page might also have a button called submit that provides it with the rec_num
if (!empty($_POST['Submit']) && ($_POST['Submit'] == 'Delete') && !empty($_POST['rec_num'])){
	processForm();
} else {
	displayForm();
}

/**
 * function to process the delete request
 * @return void
 */
function processForm(){
	$sql = "DELETE FROM products WHERE rec_num=%s";
	$query = sprintf($sql,GetSQLValueString($_GET['rec_num'], "int"));
                       
	$result = mysql_query($query);
	
	if ($result){
		redirectTo('admin_delete3.php', true);
	} else {
		die (mysql_error());
	}
}

/**
 * function to display the delete confirmation form
 * @return void
 */
function displayForm(){

$rec_num = empty($_POST['rec_num']) ? 1 : $_POST['rec_num'];
$sql = "SELECT * FROM products WHERE rec_num = %s";
$query = sprintf($sql,GetSQLValueString($rec_num, 'int'));
$result = mysql_query($query);
if (!$result){
	die(mysql_error());
} else {
	if (mysql_num_rows($result) === 0 ){
		echo 'No records found';
	} else {
		$row = mysql_fetch_assoc($result); //retrieve the record
		echo <<<HTML
<html>
<head>
<title>Records for rec num {$rec_num}</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
<div align="center">
  <p><strong><font color="#006600" size="5" face="Arial, Helvetica, sans-serif">Delete 
    Confirmation</font><font color="#FF0000" size="5" face="Arial, Helvetica, sans-serif"><br>
    </font><font color="#FF0000" face="Arial, Helvetica, sans-serif">WARNING!! 
    <br>
    Clicking the Delete Button Below will Permanently Delete This record.</font></strong></p>
  <p><font color="#003300" size="5" face="Arial, Helvetica, sans-serif"><font size="3"><a href="admin_control.php">CONTROL</a> 
    | <a href="admin_add.php">ADD</a> | <a href="view.php">VIEW</a> | <a href="admin_update1.php">UPDATE</a> 
    | DELETE | <a href="../index.html" target="_blank">PUBLIC</a></font></font> 
  </p>
  <form name="form1" method="post" action="">
    <table width="100%" border="0" cellspacing="0">
      <tr> 
        <td width="25%" rowspan="5">
			<div align="center">
				<img src="{$row['prod_pic']}" alt="" name="del_pic">
			</div>
		</td>
        <td width="15%">Product Number:</td>
        <td width="60%">{$row['prod_num']}</td>
      </tr>
      <tr> 
        <td>Product Name</td>
        <td>{$row['prod_name']}</td>
      </tr>
      <tr> 
        <td>Designer</td>
        <td>{$row['designer']}</td>
      </tr>
      <tr> 
        <td>Category</td>
        <td>{$row['prod_cat']}</td>
      </tr>
      <tr> 
        <td colspan="2"></td>
      </tr>
      <tr> 
        <td colspan="3">
			<div align="center">
            <input type="submit" name="Submit" value="Delete">
          	</div>
		</td>
      </tr>
    </table>
  </form>
  <p>&nbsp; </p>
</div>
</body>
</html>
HTML;
		} //end internal if
	} //end external results if
}	//end function

/**
 * improved function to prepare variables for use in sql strings.
 
 * @return 
 * @param object $theValue
 * @param object $theType
 * @param object $theDefinedValue[optional]
 * @param object $theNotDefinedValue[optional]
 */
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") {
	$theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue; //remove horrible slashes
	if (function_exists('mysql_real_escape_string') && @mysql_ping()){ // mysql_db_name() needs a result set and a row, so the original test could never succeed; mysql_ping() reports whether a connection is open
		$escape = 'mysql_real_escape_string';
	} else {
		$escape = 'mysql_escape_string';
	}
	switch ($theType) {
		case "text":
			$theValue = ($theValue != "") ? "'" . $escape($theValue) . "'" : "NULL";
			break;    
		case "long":
		case "int":
			$theValue = ($theValue != "") ? intval($theValue) : "NULL";
			break;
		case "double":
			$theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
			break;
		case "date":
			$theValue = ($theValue != "") ? "'" . $escape($theValue) . "'" : "NULL";
			break;
		case "defined":
			$theValue = ($theValue != "") ? $escape($theDefinedValue) : $escape($theNotDefinedValue);
			break;
	}
	return $theValue;
}

/**
 * header independent redirection function.
 * 
 * NOTE this will not work where headers have been sent AND the client machine does not use javascript.
 * @return 
 * @param string $url - the url to which you wish to redirect.
 * @param bool $appendQS[optional] - boolean.  if true the existing query string is appended
 * @param array $extraQS[optional] - any extra query parameters to be sent
 */
function redirectTo($url, $appendQS=false, $extraQS=NULL){
	$qs = array();
	if (!empty($extraQS)){
		foreach ($extraQS as $key=>$value){
			$qs[] = urlencode($key).'='.urlencode($value);
		}
	}
	if ($appendQS){
		if (!empty($_SERVER['QUERY_STRING'])){
			//seems counter intuitive to loop here, but it equalises across server versions
			foreach ($_GET as $key=>$value){
				$qs[] = urlencode($key).'='.urlencode($value);
			}
		}
	}
	$queryString = implode('&', $qs); // join the pairs; explode() expects a string and would fail on the array
	$url .= ($queryString !== '') ? '?' . $queryString : ''; // only add the '?' when there is something to append
	
	if (headers_sent()){
		//deploy redirect via javascript
		echo <<<JS
<script type="text/javascript" language="JavaScript">
<!--
window.location="{$url}";
//-->
</script>
JS;
	} else {
		header ('Location:' . $url);
	}
	//forcibly terminate the script
	exit();
}

/**
 * function to set error reporting. 
 * controlled by the setDebug() call at the top of the page
 * @return 
 */
function setDebug($debug){
	if ($debug){
		error_reporting(E_ALL);
		ini_set('display_errors', true);
	} else {
		//nb make sure that errors are still being LOGGED
		error_reporting(0);
		ini_set('display_errors', false);
	}
}
?>

hope that helps.
 
Thanks again jpadie,

you have really gone out of your way here!!

I tried your code however and I have a few problems still...

When I go to this page it displays the first record in my database every time, regardless of which record I have selected... Secondly, it still does not delete the record, and thirdly it does not redirect to the next page...

I am wondering if there is something bigger going on...

I have created a number of pages(adding records, viewing records, searching etc) and whilst they are based on DW and probably really messy they seem to be doing the job... so I am at a loss.

If you could shed any more light on this issue that would be great...

Also, do you have any suggestions of online tutorials for PHP, as well as the best of the freeware IDEs?

thanks heaps for that

 
For IDEs, search in this forum; there was a recent post about them. I use Aptana.

The rec_num used to select the data must be POSTed to the page. This was as per your original code. If there is nothing POSTed then the code defaults to using rec_num = 1.

If you are passing the rec_num via a query string then change the $_POST references to $_GET in line 46.

The reason for the code failing is that you were not telling the form what rec_num was being used. I have added this through a hidden field in line 104.

As a result of this change I have also changed line 29 to reference $_POST.

The code is reposted below.

Code:
<?php 
//set debugging parameters
setDebug(true); //set to false to suppress errors

//database connection
require_once('../Connections/CA_database.php');
mysql_select_db($database_CA_database, $CA_database); // you need to do this once per connection only.
magic_quotes_runtime(false); //just in case this is turned on


/**
 * create the dispatcher
 */

//we test expressly for the value of Submit as well.  
//the reason is because the incoming page might also have a button called submit that provides it with the rec_num
if (!empty($_POST['Submit']) && ($_POST['Submit'] == 'Delete') && !empty($_POST['rec_num'])){
    processForm();
} else {
    displayForm();
}

/**
 * function to process the delete request
 * @return void
 */
function processForm(){
    $sql = "DELETE FROM products WHERE rec_num=%s";
    $query = sprintf($sql,GetSQLValueString($_POST['rec_num'], "int"));
                       
    $result = mysql_query($query);
    
    if ($result){
        redirectTo('admin_delete3.php', true);
    } else {
        die (mysql_error());
    }
}

/**
 * function to display the delete confirmation form
 * @return void
 */
function displayForm(){

$rec_num = empty($_POST['rec_num']) ? 1 : $_POST['rec_num'];
$sql = "SELECT * FROM products WHERE rec_num = %s";
$query = sprintf($sql,GetSQLValueString($rec_num, 'int'));
$result = mysql_query($query);
if (!$result){
    die(mysql_error());
} else {
    if (mysql_num_rows($result) === 0 ){
        echo 'No records found';
    } else {
        $row = mysql_fetch_assoc($result); //retrieve the record
        echo <<<HTML
<html>
<head>
<title>Records for rec num {$rec_num}</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
<div align="center">
  <p><strong><font color="#006600" size="5" face="Arial, Helvetica, sans-serif">Delete 
    Confirmation</font><font color="#FF0000" size="5" face="Arial, Helvetica, sans-serif"><br>
    </font><font color="#FF0000" face="Arial, Helvetica, sans-serif">WARNING!! 
    <br>
    Clicking the Delete Button Below will Permanently Delete This record.</font></strong></p>
  <p><font color="#003300" size="5" face="Arial, Helvetica, sans-serif"><font size="3"><a href="admin_control.php">CONTROL</a> 
    | <a href="admin_add.php">ADD</a> | <a href="view.php">VIEW</a> | <a href="admin_update1.php">UPDATE</a> 
    | DELETE | <a href="../index.html" target="_blank">PUBLIC</a></font></font> 
  </p>
  <form name="form1" method="post" action="">
    <table width="100%" border="0" cellspacing="0">
      <tr> 
        <td width="25%" rowspan="5">
            <div align="center">
                <img src="{$row['prod_pic']}" alt="" name="del_pic">
            </div>
        </td>
        <td width="15%">Product Number:</td>
        <td width="60%">{$row['prod_num']}</td>
      </tr>
      <tr> 
        <td>Product Name</td>
        <td>{$row['prod_name']}</td>
      </tr>
      <tr> 
        <td>Designer</td>
        <td>{$row['designer']}</td>
      </tr>
      <tr> 
        <td>Category</td>
        <td>{$row['prod_cat']}</td>
      </tr>
      <tr> 
        <td colspan="2"></td>
      </tr>
      <tr> 
        <td colspan="3">
            <div align="center">
			<input type="hidden" name="rec_num" value="{$rec_num}" />
            <input type="submit" name="Submit" value="Delete">
              </div>
        </td>
      </tr>
    </table>
  </form>
  <p>&nbsp; </p>
</div>
</body>
</html>
HTML;
        } //end internal if
    } //end external results if
}    //end function

/**
 * improved function to prepare variables for use in sql strings.
 
 * @return 
 * @param object $theValue
 * @param object $theType
 * @param object $theDefinedValue[optional]
 * @param object $theNotDefinedValue[optional]
 */
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") {
    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue; //remove horrible slashes
    if (function_exists('mysql_real_escape_string') && @mysql_ping()){ // mysql_db_name() needs a result set and a row, so the original test could never succeed; mysql_ping() reports whether a connection is open
        $escape = 'mysql_real_escape_string';
    } else {
        $escape = 'mysql_escape_string';
    }
    switch ($theType) {
        case "text":
            $theValue = ($theValue != "") ? "'" . $escape($theValue) . "'" : "NULL";
            break;    
        case "long":
        case "int":
            $theValue = ($theValue != "") ? intval($theValue) : "NULL";
            break;
        case "double":
            $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
            break;
        case "date":
            $theValue = ($theValue != "") ? "'" . $escape($theValue) . "'" : "NULL";
            break;
        case "defined":
            $theValue = ($theValue != "") ? $escape($theDefinedValue) : $escape($theNotDefinedValue);
            break;
    }
    return $theValue;
}

/**
 * header independent redirection function.
 * 
 * NOTE this will not work where headers have been sent AND the client machine does not use javascript.
 * @return 
 * @param string $url - the url to which you wish to redirect.
 * @param bool $appendQS[optional] - boolean.  if true the existing query string is appended
 * @param array $extraQS[optional] - any extra query parameters to be sent
 */
function redirectTo($url, $appendQS=false, $extraQS=NULL){
    $qs = array();
    if (!empty($extraQS)){
        foreach ($extraQS as $key=>$value){
            $qs[] = urlencode($key).'='.urlencode($value);
        }
    }
    if ($appendQS){
        if (!empty($_SERVER['QUERY_STRING'])){
            //seems counter intuitive to loop here, but it equalises across server versions
            foreach ($_GET as $key=>$value){
                $qs[] = urlencode($key).'='.urlencode($value);
            }
        }
    }
    $queryString = implode('&', $qs); // join the pairs; explode() expects a string and would fail on the array
    $url .= ($queryString !== '') ? '?' . $queryString : ''; // only add the '?' when there is something to append
    
    if (headers_sent()){
        //deploy redirect via javascript
        echo <<<JS
<script type="text/javascript" language="JavaScript">
<!--
window.location="{$url}";
//-->
</script>
JS;
    } else {
        header ('Location:' . $url);
    }
    //forcibly terminate the script
    exit();
}

/**
 * function to set error reporting. 
 * controlled by the setDebug() call at the top of the page
 * @return 
 */
function setDebug($debug){
    if ($debug){
        error_reporting(E_ALL);
        ini_set('display_errors', true);
    } else {
        //nb make sure that errors are still being LOGGED
        error_reporting(0);
        ini_set('display_errors', false);
    }
}
?>
 
I think the delete side of things is now working; however, it is still trying to delete only the first record...

Now that the first record has been deleted, I go to this page and all I get is 'no records found'. From what I can tell I am posting the rec_num to the page above, so I don't know why it is not working... Here is the code (please forgive the messiness):

Code:
<?php require_once('../Connections/CA_database.php'); ?>
<?php
$colname_del_search = "1";
if (isset($HTTP_GET_VARS['prod_num'])) {
  $colname_del_search = (get_magic_quotes_gpc()) ? $HTTP_GET_VARS['prod_num'] : addslashes($HTTP_GET_VARS['prod_num']);
}
mysql_select_db($database_CA_database, $CA_database);
$query_del_search = sprintf("SELECT * FROM products WHERE prod_num = '%s'", $colname_del_search);
$del_search = mysql_query($query_del_search, $CA_database) or die(mysql_error());
$row_del_search = mysql_fetch_assoc($del_search);
$totalRows_del_search = mysql_num_rows($del_search);
?>
 
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
<form name="form2" method="post" action="">
  <table width="100%" border="0" cellspacing="0">
    <tr> 
      <td width="12%">Rec Number</td>
      <td width="33%"><font face="Arial, Helvetica, sans-serif">Product Number</font></td>
      <td width="23%"><font face="Arial, Helvetica, sans-serif">Product Name</font></td>
      <td width="15%"><font face="Arial, Helvetica, sans-serif">Designer</font></td>
      <td width="17%">&nbsp;</td>
    </tr>
    <?php do { ?>
    <tr> 
      <td><?php echo $row_del_search['rec_num']; ?></td>
      <td><?php echo $row_del_search['prod_num']; ?></td>
      <td><?php echo $row_del_search['prod_name']; ?></td>
      <td><?php echo $row_del_search['designer']; ?></td>
      <td><a href="admin_delete3.php?link_rec_id=<?php echo $row_del_search['rec_num']; ?>">Delete?</a></td>
    </tr>
    <?php } while ($row_del_search = mysql_fetch_assoc($del_search)); ?>
  </table>
</form>
<p>&nbsp;</p>
</body>
</html>
<?php
mysql_free_result($del_search);
?>

Any ideas what is going wrong?
(PS: I know that both sections of code reference admin_delete3.php, but that is not the problem as I have changed the page names around a bit.)

 
Is the code you posted supposed to replace the code that I posted? Or is this the page from which you provide the ID number to my code?

If the latter, then you are not POSTing the data to the incoming script. You are sending the data via a query string. This is received by PHP in the $_GET superglobal and not the $_POST superglobal.

Still assuming the latter, you would need to change this line
Code:
$rec_num = empty($_POST['rec_num']) ? 1 : $_POST['rec_num'];
to refer to the GET superglobal:
Code:
$rec_num = empty($_GET['rec_num']) ? 1 : (int) $_GET['rec_num'];
 
I have created a number of pages(adding records, viewing records, searching etc) and whilst they are based on DW and probably really messy they seem to be doing the job... so I am at a loss.

Probably even more at a loss than you think. Alas, the web has lost its innocence. What you think "seems to do the job" may very well do a great job for any hacker or botnet outside. "It seems to work" just isn't good enough. If you are new to the security subject, I suggest you read a good book on it. Even if it is just your own personal blog instead of a multi-million corporation site, it can still be used for all kinds of nasty things.

For instance, your originally posted code trusted the magic quotes and wanted to "repair" them using addslashes() if they were configured to be off. The magic quotes are one of the nasty features of PHP that tried to outsmart programmers and have bitten quite a number of them (including me) hard. Thank goodness PHP no longer tries to forgive and correct every suspected error. The magic quotes are now off by default and dropped entirely in PHP6. And you should use mysql_real_escape() instead of addslashes().

When working with databases, you should know something about "SQL injection" and when working with e-mail read about "mail injection". When working with sessions and logins, read about "session fixation" and "session hijacking".

That said, learn to program on a development machine that is not reachable from outside (behind a router) and only serve the public internet when armed with at least some basic security knowledge.


+++ Despite being wrong in every important aspect, that is a very good analogy +++
Hex (in Darwin's Watch)
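Putting jpadie's structure from earlier in the thread (a dispatcher that hands off to a process function or a display function, a typed helper for query values, a redirect helper) together with the point made just above about not trusting addslashes() or magic quotes, the delete page can be rebuilt on PDO prepared statements so the record id never becomes part of the SQL text at all. This is an added example, not code from the thread or from any of the posters. It assumes a hypothetical `../Connections/pdo.php` that defines a `$pdo` object with `PDO::ERRMODE_EXCEPTION` enabled, the `products` table and `rec_num` column from the thread, and `admin_delete3.php` as the confirmation page; the function names `recordIdFrom`, `isDeleteRequest`, `deleteRecord`, `fetchRecord`, `redirectTo` and `e` are the example's own. The id is read from the query string when the page is opened from a list link and from the hidden field when the form posts back, validated as a positive integer with filter_var(), and bound with `PDO::PARAM_INT`; a GET can only ever display the confirmation, and only a POST carrying `Submit=Delete` changes the database. Values coming back out of the database are passed through htmlspecialchars() before being written into the page, which the original code did not do.

```php
<?php
// Added example, not code from the thread. Assumes ../Connections/pdo.php
// (hypothetical) defines $pdo = new PDO(...) with ERRMODE_EXCEPTION enabled,
// and the products table / rec_num column / admin_delete3.php from the thread.
declare(strict_types=1);

/**
 * Read rec_num from the hidden field (POST) or from the list-page link (GET).
 * FILTER_VALIDATE_INT rejects anything that is not a plain positive integer,
 * so the value that reaches the query is an int, never free-form text.
 */
function recordIdFrom(array $get, array $post): ?int
{
    $raw = $post['rec_num'] ?? $get['rec_num'] ?? null;
    $id  = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Only a POST carrying the Delete button may change state; a GET just displays. */
function isDeleteRequest(array $server, array $post): bool
{
    return ($server['REQUEST_METHOD'] ?? '') === 'POST'
        && ($post['Submit'] ?? '') === 'Delete';
}

/** Delete by bound parameter; returns the number of rows removed (0 = no match). */
function deleteRecord(PDO $pdo, int $id): int
{
    $stmt = $pdo->prepare('DELETE FROM products WHERE rec_num = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

/** Fetch the record to confirm, or null when rec_num does not exist. */
function fetchRecord(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare(
        'SELECT rec_num, prod_num, prod_name, designer, prod_cat, prod_pic
           FROM products WHERE rec_num = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Redirect with a properly encoded query string; JS fallback once output has started. */
function redirectTo(string $url, array $params = []): void
{
    if ($params !== []) {
        $url .= '?' . http_build_query($params);   // encodes keys and values for us
    }
    if (!headers_sent()) {
        header('Location: ' . $url, true, 303);     // 303: the POST is done, GET the next page
    } else {
        // json_encode yields a safe JavaScript string literal for the URL
        echo '<script>window.location = ' . json_encode($url) . ';</script>';
    }
    exit;
}

/** Escape database values before they are written into HTML. */
function e($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// ---- dispatcher ----
require_once '../Connections/pdo.php';   // hypothetical: provides $pdo

$id = recordIdFrom($_GET, $_POST);
if ($id === null) {
    http_response_code(400);
    exit('Missing or invalid rec_num');
}

if (isDeleteRequest($_SERVER, $_POST)) {
    $deleted = deleteRecord($pdo, $id);
    redirectTo('admin_delete3.php', ['rec_num' => $id, 'deleted' => $deleted]);
}

$row = fetchRecord($pdo, $id);
if ($row === null) {
    exit('No records found');
}
?>
<form method="post" action="">
  <p>Product Number: <?= e($row['prod_num']) ?></p>
  <p>Product Name: <?= e($row['prod_name']) ?></p>
  <p>Designer: <?= e($row['designer']) ?></p>
  <p>Category: <?= e($row['prod_cat']) ?></p>
  <input type="hidden" name="rec_num" value="<?= $id ?>">
  <input type="submit" name="Submit" value="Delete">
</form>
```

Because the id is bound as a parameter, the query text sent to MySQL is fixed and the value travels separately, so there is nothing for an escaping function to get wrong and the magic-quotes setting no longer matters. The rowCount() result is passed along on the redirect so the confirmation page can tell a genuine deletion from a request for a rec_num that no longer exists, which is the "no records found" situation described earlier in the thread.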
 