Deleting a row from a webpage

I have created a webpage that deletes a record from my phpmyadmin table and a corresponding page to carry out the process. However, I receive an error when it is executed. The following is the delete page (excluding the obv html =)):

<?php
include("dbinfo.inc.php");

// Connect and select the database
$conn = mysql_connect('localhost', $username, $password) or die(mysql_error());
mysql_select_db("Library");

$sql = "SELECT * FROM books";
$result = mysql_query($sql, $conn) or die(mysql_error());

print " <table>\n";

// Header row: one <th> per column
print " <tr>\n";
while ($field = mysql_fetch_field($result))
{
    print " <th>$field->name</th>\n";
}
print " </tr>\n";

// One table row per record
while ($row = mysql_fetch_assoc($result))
{
    print " <tr>\n";
    foreach ($row as $name => $value)
    {
        // Escape values so stored text cannot inject markup into the page
        print " <td>" . htmlspecialchars($value) . "</td>\n";
    }
    print " </tr>\n";
}

print " </table>\n";
?>
<br>
<form method="POST" action="deleteanother.php">
<p>
Enter the Book ID to Delete: <input type="text" name="bookid" size="5">
<input type="submit" value="Delete">
<input type="reset">
</p>

////////////////////////////////////
this is the corresponding page:

<?php
include("dbinfo.inc.php");
$conn=@mysql_connect('localhost',$username,$password);
$rs=@mysql_select_db("Library") or die("Unable to select database");
$id=$_POST['bookid'];
$sql="DELETE FROM books WHERE bookid ='$id'";
mysql_query($sql) or die("Delete Error: ".mysql_error());
mysql_close();
print "Record Removed.\n";
?>

///////////////////////////////////
The error I receive once I click the submit button is:

Delete Error: Unknown column ‘bookid’ in ‘where clause’

I’ve shuffled the code around but still can’t find the problem, not sure which line is at fault anymore lol. Any help would be much appreciated.

thanks

There is no column named ‘bookid’ in the books table.

You should make $id safe, with this code, for example:

$id=mysql_real_escape_string($id);

The column in the books table is Book ID, so should I take the space from the column in the table?

Where would I enter the line $id=mysql_real_escape_string($id); ?

New to PHP programming… thanks for the help

Thank you very much, the delete page works now :) Could you explain the $id=mysql_real_escape_string($id); line please?

thanks again

It’s a long story.
But you’ve already put ‘’ single quotes around $id in the query. But you did only half of the job, and mysql_real_escape_string is the other half.
Together, ‘’ quotes and mysql_real_escape_string make your variable safe and invulnerable to attacks or errors.
If separated, both these actions are useless. Both must be taken together. Forever.

For the numeric $id there is another way though.
Just
$id=intval($id);
and no quotes.

So $sql="DELETE FROM books WHERE BookID =$id=intval($id)"; ?

No.

This is another long story: distinguishing the SQL query from PHP code.
Many newbies don’t understand it.
Both code fragments I’ve posted are PHP code, and they have no place in the SQL query.

$id=intval($id);
$sql="DELETE FROM books WHERE BookID =$id";
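
An added example, not part of the original thread and not any poster's code: the same delete done with PDO, validating the ID as an integer and binding it as a query parameter instead of building the SQL string (the mysql_* functions used above were removed in PHP 7). The in-memory SQLite database, the `deleteBook` helper, the `Title` column and the sample inputs are assumptions made so the script runs on its own; `BookID` is the column name from the last post.

```php
<?php
// Added example (not from the thread). In-memory SQLite keeps it runnable offline;
// against the thread's MySQL database the connection line would use a mysql: DSN.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE books (BookID INTEGER PRIMARY KEY, Title TEXT)');
$pdo->exec("INSERT INTO books VALUES (1, 'Book A'), (2, 'Book B'), (3, 'Book C')"); // constructed rows

// Hypothetical helper: returns rows deleted, or null when the input is not a valid ID.
function deleteBook(PDO $pdo, string $rawId): ?int
{
    // Validate rather than coerce: intval('2abc') quietly yields 2,
    // while FILTER_VALIDATE_INT rejects anything that is not a whole number.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The value is bound as a parameter and never becomes part of the SQL text,
    // so no quoting or escaping step can be forgotten.
    $stmt = $pdo->prepare('DELETE FROM books WHERE BookID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed inputs standing in for $_POST['bookid'].
foreach (['2', '2abc', "2'", '', '99'] as $input) {
    $deleted = deleteBook($pdo, $input);
    if ($deleted === null) {
        $outcome = 'rejected: not a valid book ID';
    } elseif ($deleted === 0) {
        $outcome = 'no such book';
    } else {
        $outcome = 'record removed';
    }
    printf("%-6s => %s\n", var_export($input, true), $outcome);
}

$remaining = $pdo->query('SELECT COUNT(*) FROM books')->fetchColumn();
echo "Rows left in books: $remaining\n";
```

Checking `rowCount()` lets the page report "no such book" instead of printing "Record Removed." for an ID that matched nothing.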