Forum Moderators: coopster
Having spent some time building sites using CFusion I have decided to migrate to PHP/MySql due mainly to hosting costs.
I have created a dynamic test site but cannot seem to find any info about simple dynamic text links.
Basically, at this stage, I want to display a list of dynamic textlinks on a page which when clicked upon will display the relevent data on a result page.
Having searched around I cannot find a "lesson" on how best to achieve this.
I know this seems daft but can somebody give me a few pointers please.
CF and PHP seem a million miles apart :(
Regards
Colin
PHP V 4.21 MySql V 3.23.39
Basically, get values from forms and parameters in url's come in via the array $_GET[]; post values in the array $_POST[].
I have a list of pages and content in a DB with a unique ID. I want to dynamically list the page titles in a menu bar with links to a result page.
This result page would then query the DB and return the data required to view that page dependant upon the variable passed in the link.
In CF I would just... (NO! I must stop making comparisons and learn afresh)
Regards
Colin
I have got thus far and now I am getting a headache with this.
<?php
$host = "localhost";
$user = "";
$pass = "";
$dbname = "talisman";
$connection = mysql_connect($host,$user,$pass) or die (mysql_errno().": ".mysql_error()."<BR>");
mysql_select_db($dbname);
$sql = "SELECT ID, title FROM tours";
$query = mysql_query($sql);
while ($row = mysql_fetch_array($query)) {
echo <p class='nav'>$row['title']; <a href="resultpage.php?id=<echo $row['ID'] ;">LINK</a></p>
}
?>
Am I on the right track here?
This gives a Parse error: parse error, unexpected '<', expecting ',' or ';'
TIA
Colin
The parse error is referring to your echo() [php.net] statement. You need to enclose any strings [php.net] in single or double quotation marks. Syntax using concatentation [php.net]:
echo '<p class="nav">' . $row['title'] . '<a href="resultpage.php?id=' . $row['ID'] . '">LINK</a></p>';
your parse error is because the echo line is not properly quoted, try this
echo "<p class='nav'>",$row['title']," <a href='resultpage.php?id=",$row['ID'],"'>LINK</a></p>";
Now all I have to do is figure out what I need on my result page :)
Do I treat the variable as though using the "post" method in a form?
Thanks again
Colin
I have got to this stage and need some help again.
<?php
$host = "localhost";
$user = "";
$pass = "";
$dbname = "talisman";
$connection = mysql_connect($host,$user,$pass) or die (mysql_errno().": ".mysql_error()."<BR>");
mysql_select_db($dbname);
$sql = "SELECT title, content FROM tours WHERE ID = $_GET 'ID'";
$query = mysql_query($sql);
while ($row = mysql_fetch_array($query)) {
echo $row['title']; "<BR>" echo $row['content'] ;
}
?>
Anywhere close? I think the $_GET 'ID' may be wrong but I cannot figure it out.
TIA
Colin
$sql = "SELECT title, content FROM tours WHERE ID = "$_GET['ID']";$_GET and $_POST are arrays [be2.php.net] - so the "name=" part in a form or the name of the parameter goes inside brackets - $_GET['like_this'] for example.com?like_this=6 .
second and third changes are for security to make sure nobody's going to go hacking your site.
second change:
$sql = "SELECT title, content FROM tours WHERE ID = "mysql_escape_string($_GET['ID'])";You want to use mysql_escape_string since the $_GET values are examples of 'user input'. All 'user input' can be manipulated into tricky stuff that can do nasty stuff to your query strings which can result in comprimising your database, and ultimately, your whole server, like adding quotes and extra query information.
You already have the value of the $_GET element surrounded by quotes. Great. Try to always do this.
third change:
if(get_magic_quotes_gpc()) $_GET['ID'] = stripslashes($_GET['ID']);$sql = "SELECT title, content FROM tours WHERE ID = "mysql_escape_string($_GET['ID'])"; // this line unchanged from 'second change' aboveThis is sort of a weird php thing, I won't go into it, but you need to check to see if magic_quotes_gpc is on, and strip slashes from any user input variables if it is first, before you escape the string. Basically php will be adding slashes to user variables when this is on and if this is the case, if your string is escaped again with mysql_escape_string, hackers can also do nasty stuff to you with certain tricks.
So now I have:
<?php
$host = "localhost";
$user = "";
$pass = "";
$dbname = "talisman";
$connection = mysql_connect($host,$user,$pass) or die (mysql_errno().": ".mysql_error()."<BR>");
mysql_select_db($dbname);
//$sql = "SELECT title, content FROM tours WHERE ID = "$_GET['ID']";
if(get_magic_quotes_gpc()) $_GET['ID'] = stripslashes($_GET['ID']);
$sql = "SELECT title, content FROM tours WHERE ID = "mysql_escape_string($_GET['ID'])";
$query = mysql_query($sql);
while ($row = mysql_fetch_array($query)) {
echo $row['title']; "<BR>" echo $row['content'] ;
}
?>
This results in:
Parse error: parse error, unexpected T_STRING in C:\Inetpub\wwwroot\resultpage.php on line 29
Regards
C
$sql = "SELECT title, content FROM tours WHERE ID = "mysql_escape_string($_GET['ID'])";
C
concatenators stick strings together like glue. Note that the double quote (") is between the single quotes - so this will be part of the query - at the end of the single-quoted string you have the concatenator (.) , then the function that acts on $_GET['ID'] - this isn't quoted - the part inside the [] (the 'key' of the array) is quoted, since this is another string. Then again single quotes for the last double quote. Those concatenators just sticking these parts all together.
Try 'echo $sql;' right after this line just to see how the query looks when it's all put together.
SELECT title, content FROM tours WHERE ID = ""
The rest of the page is blank, no errors.
magic_quotes is on by the way
Geez this is frustrating!
Mincklerstraat I changed your SQL to read:
$sql = "SELECT title, maintext FROM tours WHERE ID= ". $_GET['id'] ." ";
I hope this is good syntax?
Here is the full monty.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
linkpage.php
<?php
$host = "localhost";
$user = "";
$pass = "";
$dbname = "test";
$connection = mysql_connect($host,$user,$pass) or die (mysql_errno().": ".mysql_error()."<BR>");
mysql_select_db($dbname);
$sql = "SELECT ID, header FROM tours";
$query = mysql_query($sql);
while ($row = mysql_fetch_array($query)) {
echo "<p class='nav'>",$row['header']," <a href='resultpage.php?id=",$row['ID'],"'>LINK</a></p>";
}
?>
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Resultpage.php
<?php
$host = "localhost";
$user = "";
$pass = "";
$dbname = "test";
$connection = mysql_connect($host,$user,$pass) or die (mysql_errno().": ".mysql_error()."<BR>");
mysql_select_db($dbname);
if(get_magic_quotes_gpc()) $_GET['ID'] = stripslashes($_GET['ID']);
$sql = "SELECT title, maintext FROM tours WHERE ID= ". $_GET['id'] ." ";
echo $sql;
$query = mysql_query($sql);
while ($row = mysql_fetch_array($query)) {echo $row['title']; echo $row['maintext'] ;
}
?>
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Thanks to all
Colin
>> Is PHP always like this? Coldfusion is sooo simple in comparison.
hehe, you removed that now but I saw it, once you get a grip on the basics you won't remember why you used cfm at all.
Here's a couple links that cover some basics if you still have some trouble from the library [webmasterworld.com]
Basics of extracting data from MySQL using PHP [webmasterworld.com]
Help developing MySQL search query based on form input [webmasterworld.com]
I have done a bit more reading and finalised my SQL as this:
$sql = "SELECT title, maintext FROM tours WHERE ID= ". mysql_real_escape_string ($_GET['id']) ."";
It functions but can anybody tell me if it is correct?
Regards
Colin
seems to be an extra set of quotes in there, like so
$sql = "SELECT title, maintext FROM tours WHERE ID= ". mysql_real_escape_string ($_GET['id']);
You are so right, working on this late at night was prob not a good idea. (My excuse)
Thanks
C
