Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
Passing variable to PHP query
gazm1 (msg:4493485), 9:18 pm on Sep 10, 2012 (gmt 0)

Hi all

Newbie here so please be gentle.

I'm sure this question has been asked 1,000s of times, but I am really struggling being new to PHP & MySQL and using code copied from a book.

All I want to is pass a variable from a url to a mysql query:

for_sale.php?id=1

id is the variable I want to pass to the SELECT command in caravan_details.php.

I have the following in for_sale.php:

echo '<a class="caravan-moredetails" href="caravan_details.php?id=' .$row['id']. '">More information &raquo;</a>';

I want to pass id as an integer variable to caravan_details.php and I'm using the following SELECT query:


$id = $_GET['id'];  // value taken straight from the URL, no validation
$result = @mysql_query("SELECT * FROM caravans WHERE id='$id'");  // @ hides any MySQL error


I want to pass the variable directly from the URL, not using a form.

PLEASE HELP!

Thank you :)

 

gazm1 (msg:4493490), 9:26 pm on Sep 10, 2012 (gmt 0)

I should add, I don't get an error message when the script runs, I just don't get any records returned.

swa66 (msg:4493499), 9:39 pm on Sep 10, 2012 (gmt 0)

What code does for_sale.php generate (view source in a browser) - is the number in there?
-> If not: that's where you need to look. E.g. do you have a column "id" (or did you name something id in the select statement)?

If that works, did you try to call caravan_details.php?id=1 (presuming there's such a record in your database) directly?

For the rest: I'd be extremely careful with this type of code: you really need to do strong input validation. Just imagine somebody would call it with a parameter containing 1';drop table caravans;' -> yeah: bye bye table.

For the rest:
- use the mysqli interface (note the i), not the mysql one (it is obsolete).
- use prepared statements (much easier to secure).

Depending on context:
- htmlencode your output to prevent problems with quotes and tags (or at least xmlencode the 5 allowed entities).
- urlencoding might be needed as well.


Unfortunately 99% of books and tutorials do not teach security along with it all, leaving you extremely vulnerable - remember that the examples you rely on are very insecure and need a lot of work to become secure.
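Taking swa66's advice literally, here is an added example (not code from anyone in the thread) of caravan_details.php doing the same lookup with mysqli and a prepared statement, plus the input validation and output encoding mentioned above. The host, user, password and database name are placeholders; the caravans table and its id column are the ones from the question.

```php
<?php
// Added example: the caravan_details.php lookup rewritten with mysqli
// and a prepared statement. Connection details below are placeholders;
// the `caravans` table and its integer `id` column come from the thread.

// 1. Validate the URL parameter before it goes anywhere near SQL.
//    filter_input() returns false for "1';drop table caravans;'" and
//    null when ?id= is missing, so both cases are rejected here.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid or missing id.');
}

// 2. Connect with mysqli (note the "i"). Report errors as exceptions
//    instead of silently returning false like @mysql_query() did.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'db_user', 'db_password', 'caravan_site'); // placeholders
$db->set_charset('utf8mb4');

// 3. Prepared statement: the SQL text is fixed and the value travels
//    separately as a typed parameter, so quote tricks cannot alter the
//    query. There are deliberately no quotes around the ? placeholder.
$stmt = $db->prepare('SELECT * FROM caravans WHERE id = ?');
$stmt->bind_param('i', $id);                 // 'i' = bind as integer
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd (default build)
$stmt->close();

if ($row === null) {
    http_response_code(404);
    exit('No caravan with that id.');
}

// 4. HTML-encode on output so quotes and tags stored in the database
//    cannot break the page (the "htmlencode your output" point above).
foreach ($row as $column => $value) {
    echo '<p>' . htmlspecialchars((string) $column, ENT_QUOTES, 'UTF-8') . ': '
       . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . '</p>';
}
```

Requesting caravan_details.php?id=1 returns the row; the injected parameter from swa66's post fails the integer check and never reaches the database.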

gazm1 (msg:4493804), 2:35 pm on Sep 11, 2012 (gmt 0)

Thanks swa66

At the moment, this is only running on my home PC and is a development site to help me get back into things, so security, currently, is no real concern, although thanks for the pointers and I'm sure they will come in handy soon!

With regards to the other bits, for_sale.php generates a basic list of all rows in table caravans and displays them on the page in id number order; therefore the id field is already requested from the database when for_sale.php is loaded. It is then passed to caravan_details.php (a more detailed listing of whichever table row is selected) using the code in my first post.

Whilst the output is formatted almost correctly, no values appear in the fields as id is not being picked up from caravanid (or selected from the db correctly).

Hope that makes sense?
