dongxian5735 2016-01-14 10:39
Views: 32
Accepted

Wrong query in SQL when passing variables via $_GET [duplicate]

This question already has an answer here:

Here is the query:

$table = $_GET['type'];
$q="DELETE FROM '$table' WHERE cont_id='".$_GET['where']."'";

I also tried removing the single/double quotes on the $_GET part, but it didn't work. I'm printing the values of my variables before executing the query and they are right, so I don't think that's the problem.

Any ideas?


3 answers

  • dongzhan3937 2016-01-14 10:41

    Database table names should not be enclosed in single quotes.

    Corrected SQL:

    $q="DELETE FROM $table WHERE cont_id='".$_GET['where']."'";
    

    Table and field names can be enclosed in backticks (`) to avoid clashes with MySQL reserved keywords.

    In that case, corrected SQL should be:

    $q="DELETE FROM `$table` WHERE `cont_id` = '".$_GET['where']."'";
    

    Also, do not trust input from the user.

    This can cause a security vulnerability.

    Use mysqli_real_escape_string() for $_GET['where'].

    This answer was accepted by the asker.
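To make the accepted answer's security caveat concrete, here is an added example that is not part of the original question or answer. It is written against Python's built-in sqlite3 module rather than PHP/mysqli so it runs offline, but the two fixes it shows map directly onto mysqli: the value from `$_GET['where']` becomes a bound parameter (`prepare()` + `bind_param()` in PHP), and the table name from `$_GET['type']` is resolved through an allowlist, because an identifier cannot be bound as a parameter and escaping does not help with it. The `contacts` table, its rows and the `ALLOWED_TABLES` mapping are constructed for the example; only the `cont_id` column name comes from the question.

```python
import sqlite3

# Constructed sample data (not from the original post); cont_id mirrors the question's column.
SCHEMA = """
CREATE TABLE contacts (cont_id TEXT PRIMARY KEY, name TEXT);
INSERT INTO contacts VALUES ('c1', 'alice'), ('c2', 'bob'), ('c3', 'carol');
"""

# Assumed allowlist: the ?type= value is only a key; the real identifier comes from here.
ALLOWED_TABLES = {"contacts": "contacts"}


def fresh_db() -> sqlite3.Connection:
    """In-memory database with the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def remaining(db: sqlite3.Connection, table: str) -> int:
    """Rows left in the table, used to make the effect of each DELETE visible."""
    return db.execute(f"SELECT COUNT(*) FROM `{table}`").fetchone()[0]


def delete_unsafe(db: sqlite3.Connection, table: str, where: str) -> int:
    """The answer's backtick-quoted query with both request values still concatenated in.
    SQLite accepts backtick identifiers like MySQL, so the statement shape is identical.
    Returns the number of rows left afterwards."""
    q = f"DELETE FROM `{table}` WHERE `cont_id` = '{where}'"
    db.execute(q)
    return remaining(db, table)


def delete_safe(db: sqlite3.Connection, table_type: str, where: str) -> int:
    """Identifier from an allowlist, value bound as a parameter (mysqli: prepare/bind_param).
    Returns the number of rows actually deleted."""
    table = ALLOWED_TABLES.get(table_type)
    if table is None:
        # Anything not in the map is rejected outright; no escaping of identifiers.
        raise ValueError(f"unknown table type: {table_type!r}")
    cur = db.execute(f"DELETE FROM `{table}` WHERE `cont_id` = ?", (where,))
    return cur.rowcount


if __name__ == "__main__":
    hostile = "' OR '1'='1"  # classic tautology; closes the quoted literal, then matches every row
    print("unsafe query, hostile input, rows left:", delete_unsafe(fresh_db(), "contacts", hostile))
    db = fresh_db()
    print("safe query, hostile input, rows deleted:", delete_safe(db, "contacts", hostile))
    print("safe query, rows left:", remaining(db, "contacts"))
```

With the concatenated query the hostile `where` value empties the table; with the bound parameter the same string is compared literally against `cont_id`, matches nothing, and the three rows survive. The allowlist is what protects the `FROM` clause: a parameter placeholder is only valid where a value may appear, so the table name must never be taken from the request directly.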