
I want to delete data from MySQL with PHP and Angular. This is my code:

Angular

$scope.delete = function () {
    var that = this;
    // Note: nothing identifying the row is sent; delete.php receives no parameter at all.
    $http.get("delete.php").success(function (data) {
        $scope.users.splice(that.$index, 1);
    });
};

PHP

// $con is assumed to be a mysql_connect() handle opened elsewhere (not shown in the question).
$data = json_decode(file_get_contents("php://input"));
$subject = mysql_real_escape_string($data->subject);
mysql_select_db("angular") or die(mysql_error());

$tbl = "Customers";
// This overwrites the escaped value above with a raw GET parameter that the
// Angular code never sends, so $subject ends up empty and unescaped.
$subject = $_GET['index'];
$sql = "DELETE FROM $tbl WHERE subject = '$subject'";
$result = mysql_query($sql, $con);
if ($result) {
    echo "Deleted Successfully";
} else {
    echo "ERROR";
}

DB

I have a table "Customers" with subject and body columns.

The JavaScript code worked correctly, but after refreshing, the data is still there!
Where am I wrong?

This code is just waiting to be exploited with SQL injection the way that you've implemented it. php.net/manual/en/security.database.sql-injection.php –  Nathan Taylor yesterday

How are you passing the parameter index? –  Mike Brant yesterday

You need to pass ANYTHING with the GET request from the Angular side. But that's just the beginning... Please start with topics like what GET and POST are and why passing variables taken from them straight into queries is a totally wrong idea... –  Kelu Thatsall yesterday

Without seeing any more of the surrounding code, I suspect that the query being executed is: DELETE FROM Customers WHERE Subject = ''. How does index get passed in? –  Nathan Taylor yesterday

You probably should also strongly consider using POST instead of GET. It would be trivial for someone to type http://yourdomain.com/delete.php?index=xyz in your browser to delete data from your database. POST would help prevent against this and would give you even better security if you verified a valid session token so someone could just form valid POSTs against your endpoint to delete records. –  Mike Brant yesterday

1 Answer

As mentioned in the comments, your code is vulnerable to SQL injection attacks.

You need to add the subject to your request.

Angular

$scope.delete = function () {
    var subject = // get subject somehow ...
    var that = this;
    // encodeURIComponent keeps spaces, '&' and '#' in the subject from breaking the URL
    $http.get("delete.php?subject=" + encodeURIComponent(subject))
        .success(function (data) {
            $scope.users.splice(that.$index, 1);
        });
};

PHP

// $con is assumed to be a mysql_connect() handle opened elsewhere.
$tbl = "Customers";
$subject = $_GET['subject'];
// Still string-interpolated into the SQL, so still injectable, as noted above.
$sql = "DELETE FROM $tbl WHERE subject = '$subject'";
$result = mysql_query($sql, $con);
if ($result) {
    echo "Deleted Successfully";
} else {
    echo "ERROR";
}
Thanks @Jossef, but nothing happened, and I also updated my question about my DB. –  user3642164 yesterday

Note that var subject = // get subject somehow ... is something you need to complete yourself. –  Jossef Harush yesterday

I added var subject = $scope.sentCompose; $scope.sentCompose is from the send function, but nothing happened. –  user3642164 yesterday
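The answer's PHP still interpolates the request value into the SQL string, and the comments above point out both that problem and that a GET endpoint deletes data when someone merely visits a URL. The following delete.php is an added example (not the question's or the answer's code) showing the hardened form: POST only, a session-bound token check, and a PDO prepared statement. It assumes PDO is available, the table is the page's Customers(subject, body) in database "angular", the DB credentials are placeholders, and the page already stores a token in $_SESSION['csrf_token'] that the Angular client sends back in its JSON body.

```php
<?php
// Added example, not the question's or the answer's code: a hardened delete.php.
// Assumed: PDO is available, the table is Customers(subject, body) in database "angular",
// DSN credentials are placeholders, and the page stores a CSRF token in $_SESSION['csrf_token']
// that the Angular client sends back in the JSON body.
session_start();
header('Content-Type: application/json');

// Only accept POST: a GET that deletes rows can be triggered just by visiting the URL.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    echo json_encode(['error' => 'POST required']);
    exit;
}

// Read the JSON body that Angular's $http.post() sends.
$data = json_decode(file_get_contents('php://input'), true);
if (!is_array($data) || !isset($data['subject'], $data['csrf_token'])) {
    http_response_code(400);
    echo json_encode(['error' => 'subject and csrf_token required']);
    exit;
}

// Reject requests that do not carry this session's token (hash_equals avoids timing leaks).
if (empty($_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], (string) $data['csrf_token'])) {
    http_response_code(403);
    echo json_encode(['error' => 'invalid token']);
    exit;
}

try {
    $pdo = new PDO('mysql:host=localhost;dbname=angular;charset=utf8mb4',
        'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);

    // Prepared statement: the value is bound as data, never spliced into the SQL text,
    // so input such as x' OR '1'='1 stays a literal string to compare against.
    $stmt = $pdo->prepare('DELETE FROM Customers WHERE subject = :subject');
    $stmt->execute([':subject' => (string) $data['subject']]);

    // rowCount() tells the client whether a row was really deleted; the original
    // code printed "Deleted Successfully" even when zero rows matched.
    echo json_encode(['deleted' => $stmt->rowCount()]);
} catch (PDOException $e) {
    http_response_code(500);
    echo json_encode(['error' => 'database error']);
}
```

On the Angular side this pairs with $http.post("delete.php", {subject: subject, csrf_token: token}) instead of $http.get, and the splice on $scope.users should only run when the response reports deleted > 0.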
