php code

[vitorlucas]

<?php
include"conectdb.php";
$id = $_GET['id'];
$query = mysql_query("DELETE FROM fotos where id='$id'"); //command that deletes the record
echo "<script> window.location='listar.php'; </script>";
?>


Can anyone help me verify if this correct? I have a problem in receiving the "id" line 3!

thanks

[egami]

Code: Select all

<?php

include ('connectdb.php');

if (isset($_GET['id']) && $_GET['id'] == preg_replace('/[^0-9]/','',$_GET['id']))
{
  //VERY DANGEROUS..
  $id = $_GET['id']; // I can inject beautiful code here to really screw you over... so, better to do it this way
  $id = preg_replace('/[^0-9]/','',$_GET['id']); // yes, processor intense, but saves dolphins lives.
  // and actually, if you leave the above "IF" statement, you can remove the above line all together.

  $query = "DELETE FROM fotos WHERE id='$id'";
  //$result = mysql_query($query); // The actual query to call and delete.. Uncomment this when ready
  header("Location: listar.php");
} else { 
  echo "Either the ID was not submitted, or the ID was improperly formatted. Goodbye.";
}