HELP with <table> data passing through <php> script in stran

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

imimin
Forum Commoner
Posts: 38
Joined: Thu Oct 18, 2007 5:44 pm

HELP with <table> data passing through <php> script in stran

Post by imimin »

Are there any formatting problems in using _GET to pass <table>, <tr> and <td> from a database? I have the code below in a DB field (field name: 'desc' and the data type is TEXT):

Code:

<table border="1" width="100%" cellpadding="1" cellspacing="1">
 <tr>
  <td align="left"> Size </td>
  <td align="left"> Small </td>
  <td align="left"> Medium </td>
  <td align="left">Large</td>
 </tr>
 <tr>
  <td align="left"> Garment<BR>Length (inches)</td>
  <td align="left">20</td>
  <td align="left">28</td>
  <td align="left">35(Not available in purple hibiscus or 100 Dollar Bill)</td>
 </tr>   
</table>
and using the following <php> code to pull the data from the DB and echo it:

Code:

      <?php
       $cat = $_GET['cat'];
       $get_items = "SELECT * FROM poj_products WHERE cat='$cat'";
      $get_items = mysql_query($get_items);
 
      echo "<CENTER>";
      echo "<TABLE WIDTH=\"90%\" CELLSPACING=\"10\">";
      echo "<TR>";
 
      $rowbreaks = 1;
      while($item_row = mysql_fetch_array($get_items)){
         $item_desc = $item_row['desc'];
         $item_url = $item_row['url'];
         $item_img = $item_row['img'];
         $item_prod_name = $item_row['prod_name'];
         $item_prod_code = $item_row['prod_code'];
         $item_retail = $item_row['retail'];
         $item_available_colors = $item_row['available_colors'];
         $item_available_sizes = $item_row['available_sizes'];
         $item_selected_style = $item_row['selected_style'];
         $item_selected_color = $item_row['selected_color'];
         $item_selected_size = $item_row['selected_size'];
         $item_weight = $item_row['weight'];
 
         echo "<TD class=\"preview-images\" VALIGN=\"top\" WIDTH=\"25%\">
               <CENTER><A HREF=\"$sitelocation" . "$item_url" . "?" . "item_desc=" . "$item_desc" . "&" ."item_prod_name=" . "$item_prod_name" . "&" ."item_available_colors=" . "$item_available_colors". "&" ."item_available_sizes=" . "$item_available_sizes". "&" ."item_retail=" . "$item_retail". "&" ."item_prod_code=" . "$item_prod_code". "&" . "item_img=" . "$item_img" . "&" ."item_selected_style=" . "$item_selected_style". "&" ."item_selected_color=" . "$item_selected_color". "&" . "item_selected_size=" . "$item_selected_size" . "&" . "item_weight=" . "$item_weight\">
               <IMG SRC=\"includes/img_resize3.php?src=$sitelocation$item_img&width=144&height=144&qua=50\" BORDER=\"0\"></A>
               <BR>
               <CENTER><A HREF=\"$sitelocation" . "$item_url" . "?" . "item_desc=" . "$item_desc" . "&" ."item_prod_name=" . "$item_prod_name" . "&" ."item_available_colors=" . "$item_available_colors". "&" ."item_available_sizes=" . "$item_available_sizes". "&" ."item_retail=" . "$item_retail". "&" ."item_prod_code=" . "$item_prod_code". "&" . "item_img=" . "$item_img" . "&" ."item_selected_style=" . "$item_selected_style". "&" ."item_selected_color=" . "$item_selected_color". "&" . "item_selected_size=" . "$item_selected_size" . "&" . "item_weight=" . "$item_weight\">view details/order</A>
 
               <center><b>$item_prod_name</b></center>
               <HR width=80%>
               ".substr($item_desc,0,85)."...
               <BR><BR>
               $item_prod_code
               <BR>
               <B>$item_retail</B></P>
               <BR></TD>";
 
         if($rowbreaks == 4){
            echo "</TR><TR>";
            $rowbreaks = 0;
         }
 
         $rowbreaks++;
      }
 
      echo "</TR>";
      echo "</TABLE>";
      echo "</CENTER>";
 
   ?>
The problem is that, for some reason, the TABLE data minus the tags (<table>, <tr> and <td>) is echoing along with all the HREF data starting with "item_prod_name=". I checked to see if the 'substr' function may be causing the problem, but that is working perfectly. It has something to do with passing the <table> data from the database field to the web page.

Thank you for your help!
Last edited by Benjamin on Tue Jun 30, 2009 12:01 am, edited 1 time in total.
Reason: Added [code=php] tags.
danielrs1
Forum Commoner
Posts: 29
Joined: Wed Jun 24, 2009 5:30 pm

Re: HELP with <table> data passing through <php> script in stran

Post by danielrs1 »

Use this changed code:

Code:

<?php
$cat = $_GET['cat'];
$get_items = "SELECT * FROM poj_products WHERE cat='".mysql_real_escape_string($cat)."'";
$get_items = mysql_query($get_items);
 
echo '<table width="90%" cellspacing="10" style="margin-left:auto; margin-right:auto;"><tr>';
 
$rowbreaks = 1;
while($item_row = mysql_fetch_array($get_items)){
  $item_desc = $item_row['desc'];
  $item_url = $item_row['url'];
  $item_img = $item_row['img'];
  $item_prod_name = $item_row['prod_name'];
  $item_prod_code = $item_row['prod_code'];
  $item_retail = $item_row['retail'];
  $item_available_colors = $item_row['available_colors'];
  $item_available_sizes = $item_row['available_sizes'];
  $item_selected_style = $item_row['selected_style'];
  $item_selected_color = $item_row['selected_color'];
  $item_selected_size = $item_row['selected_size'];
  $item_weight = $item_row['weight'];
 
  echo '<td class="preview-images" valign="top" width="25%">
  <p style="text-align:center;"><a href="' . $sitelocation . $item_url . '?item_desc=' . urlencode($item_desc) . '&item_prod_name=' . urlencode($item_prod_name) . '&item_available_colors=' . urlencode($item_available_colors). '&item_available_sizes=' . urlencode($item_available_sizes). '&item_retail=' . urlencode($item_retail) . '&item_prod_code=' . urlencode($item_prod_code). '&item_img=' . urlencode($item_img) . '&item_selected_style=' . urlencode($item_selected_style) . '&item_selected_color=' . urlencode($item_selected_color) . '&item_selected_size=' . urlencode($item_selected_size) . '&item_weight=' . urlencode($item_weight) . '">
  <img src="includes/img_resize3.php?src=' . $sitelocation . $item_img . '&width=144&height=144&qua=50" border="0"></a>
  <br />
  <a href="' . $sitelocation . $item_url . '?item_desc=' . urlencode($item_desc) . '&item_prod_name=' . urlencode($item_prod_name) . '&item_available_colors=' . urlencode($item_available_colors). '&item_available_sizes=' . urlencode($item_available_sizes). '&item_retail=' . urlencode($item_retail) . '&item_prod_code=' . urlencode($item_prod_code). '&item_img=' . urlencode($item_img) . '&item_selected_style=' . urlencode($item_selected_style) . '&item_selected_color=' . urlencode($item_selected_color) . '&item_selected_size=' . urlencode($item_selected_size) . '&item_weight=' . urlencode($item_weight) . '">view details/order</a>
 
  <b>' . $item_prod_name . '</b>
  <hr width=80%>
  '.substr($item_desc,0,85).'...
  <br /><br />
  ' . $item_prod_code . '
  <br />
  <b>' . $item_retail . '</b></p>
  </td>';
 
  if($rowbreaks == 4){
    echo "</tr><tr>";
    $rowbreaks = 0;
  }
 
  $rowbreaks++;
}
   echo '</tr></table>';
?>
 
I didn't test the changes, but everything should be working.
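The urlencode() calls above are the fix because of what the stored description contains: the size table in the first post is full of double quotes (border="1" and so on), and the original script drops that text straight into a double-quoted href attribute. The first quote inside the description ends the attribute, and everything that follows spills into the page, which is exactly the symptom described. The following is an added example, not code from this thread; detail.php and the two values are constructed stand-ins.

```php
<?php
// Added example for this thread, not code from any of the posts. It
// reproduces the symptom from the first post with a constructed `desc`
// value and shows the urlencode()-based fix from the reply above.
// detail.php and the two values are assumptions.

// Constructed stand-in for the `desc` column: HTML containing double
// quotes, like the size table in the first post.
$desc = '<table border="1" width="100%"><tr><td>Size</td><td>Small</td></tr></table>';
$name = 'Hibiscus Tee';

// The first post's construction: raw values dropped into a double-quoted
// attribute. The first " inside $desc ends href="...", the rest of the
// stored tag is swallowed as junk attributes of <a>, and once the > of
// the stored table arrives, the table text and the remaining
// &item_prod_name=... pairs render as visible page text.
function brokenLink(string $url, string $desc, string $name): string
{
    return '<a href="' . $url . '?item_desc=' . $desc
         . '&item_prod_name=' . $name . '">view details/order</a>';
}

// Encoded construction. http_build_query() runs urlencode() over every
// value, so ", <, &, = and spaces become %22, %3C, %26, %3D and + and the
// receiving page gets the original strings back in $_GET.
// htmlspecialchars() then makes the URL safe inside the attribute
// (& becomes &amp;, and no raw quote is left to end it).
function encodedLink(string $url, string $desc, string $name): string
{
    $qs = http_build_query(['item_desc' => $desc, 'item_prod_name' => $name]);
    return '<a href="' . htmlspecialchars($url . '?' . $qs, ENT_QUOTES, 'UTF-8')
         . '">view details/order</a>';
}

// What a browser takes as the href: the text up to the next double quote.
function hrefOf(string $anchor): string
{
    preg_match('/href="([^"]*)"/', $anchor, $m);
    return $m[1] ?? '';
}

// What the receiving page sees in $_GET after the browser follows that href.
function paramsOf(string $href): array
{
    $query = (string) parse_url(html_entity_decode($href), PHP_URL_QUERY);
    parse_str($query, $params);
    return $params;
}

$broken  = brokenLink('detail.php', $desc, $name);
$encoded = encodedLink('detail.php', $desc, $name);
var_dump(hrefOf($broken));
var_dump(hrefOf($encoded));
var_dump(paramsOf(hrefOf($encoded)) === ['item_desc' => $desc, 'item_prod_name' => $name]);
```

Run with the php CLI: hrefOf($broken) returns only the part of the URL up to the quote inside border=, while paramsOf(hrefOf($encoded)) hands both values back unchanged. Encoding fixes the attribute, not the design: anyone can type such a URL by hand, so a detail page that echoes item_desc unescaped is open to cross-site scripting no matter how the link was built, which is why passing only the product id is the better approach.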
danielrs1
Forum Commoner
Posts: 29
Joined: Wed Jun 24, 2009 5:30 pm

Re: HELP with <table> data passing through <php> script in stran

Post by danielrs1 »

McInfo wrote:
  • Why do you need to pass HTML in a URL? That opens up a cross-site scripting vulnerability.
There's no HTML in the URL...
BornForCode
Forum Contributor
Posts: 147
Joined: Mon Feb 11, 2008 1:56 am

Re: HELP with <table> data passing through <php> script in stran

Post by BornForCode »

And always remember that GET has a maximum length of 2083 characters for Internet Explorer, for example, so passing a table ....
BornForCode
Forum Contributor
Posts: 147
Joined: Mon Feb 11, 2008 1:56 am

Re: HELP with <table> data passing through <php> script in stran

Post by BornForCode »

I feel defeated by your code: why do you assign variables instead of using them as they are?
And why do you send such information over GET? Imagine that the description may have some length (the initial one, which is not trimmed). It is easier just to send the id of the product and load the product description on that page.

Here you load a lot of information, which is OK, but for God's sake do not send it over GET :banghead:

Instead of that, try the following code (or make adjustments to have something similar); look how simple and easy to understand it is:

Code:

<?php
        $cat = $_GET['cat'];
        $get_items = "SELECT * FROM poj_products WHERE cat='$cat'";
        $get_items = mysql_query($get_items);       
        echo '<center><table width="90%" cellspacing="10"><tr>';        
        $rowbreaks = 1;
        while($item_row = mysql_fetch_array($get_items)){       
            ?>
            <td class ="preview-images" valign="top" width="25%">
                <center>
                    <?php
                    // only the product id goes into the link; the next page loads the rest
                    echo '<a href="'.$sitelocation.$item_row['url'].'?item_desc='.$item_row['id'].'">';
                    echo '<img src="includes/img_resize3.php?src='.$sitelocation.$item_row['img'].'" border="0"></a><br/>';
                    echo '<a href="'.$sitelocation.$item_row['url'].'?item_desc='.$item_row['id'].'">view details/order</a>';
                    
                    echo '<b>'.$item_row['prod_name'].'</b>';
                    echo '<hr width="80%">'.substr($item_row['desc'],0,85).' ....<br/><br/>';
                    echo $item_row['prod_code'].'<br/><br/>';
                    echo $item_row['retail'].'<br/>';
                    ?>
                </center>
            </td>
            <?php
            // split at every 4 products
            if(($rowbreaks%4) == 0)
            echo '</tr><tr>';
            $rowbreaks++;      
        } 
      echo "</tr></table></center>";
 
Last edited by Benjamin on Tue Jun 30, 2009 12:01 am, edited 2 times in total.
Reason: Added [code=php] tags.
imimin
Forum Commoner
Posts: 38
Joined: Thu Oct 18, 2007 5:44 pm

Re: HELP with <table> data passing through <php> script in stran

Post by imimin »

Thank you for your input!
McInfo wrote:The quick fix is to use urlencode(), but I think there are other design issues that need to be addressed.
  • Why do you need to pass HTML in a URL? That opens up a cross-site scripting vulnerability.
  • The query is vulnerable to SQL injection.
Edit: Misspelled "depricated".
How would YOU pass the information to the next page? I understand you can just pass an ID and query the DB on the next page, but I am not sure how to do that? Do you mind giving me the syntax for that?

Also, why do you say that my query is vulnerable to SQL injection? What does that mean and how can I avoid it?

I appreciate your help! I am trying to learn this stuff and appreciate any help I can get.

Thanks!
BornForCode
Forum Contributor
Posts: 147
Joined: Mon Feb 11, 2008 1:56 am

Re: HELP with <table> data passing through <php> script in stran

Post by BornForCode »

mysql_escape_string($value)
mysql_real_escape_string($value)
imimin
Forum Commoner
Posts: 38
Joined: Thu Oct 18, 2007 5:44 pm

Re: HELP with <table> data passing through <php> script in stran

Post by imimin »

BornForCode wrote:

Code:

<?php
        $cat = $_GET['cat'];
        $get_items = "SELECT * FROM poj_products WHERE cat='$cat'";
        $get_items = mysql_query($get_items);       
        echo '<center><table width="90%" cellspacing="10"><tr>';        
        $rowbreaks = 1;
        while($item_row = mysql_fetch_array($get_items)){       
            ?>
            <td class ="preview-images" valign="top" width="25%">
                <center>
                    <?php
                    // only the product id goes into the link; the next page loads the rest
                    echo '<a href="'.$sitelocation.$item_row['url'].'?item_desc='.$item_row['id'].'">';
                    echo '<img src="includes/img_resize3.php?src='.$sitelocation.$item_row['img'].'" border="0"></a><br/>';
                    echo '<a href="'.$sitelocation.$item_row['url'].'?item_desc='.$item_row['id'].'">view details/order</a>';
                    
                    echo '<b>'.$item_row['prod_name'].'</b>';
                    echo '<hr width="80%">'.substr($item_row['desc'],0,85).' ....<br/><br/>';
                    echo $item_row['prod_code'].'<br/><br/>';
                    echo $item_row['retail'].'<br/>';
                    ?>
                </center>
            </td>
            <?php
            // split at every 4 products
            if(($rowbreaks%4) == 0)
            echo '</tr><tr>';
            $rowbreaks++;      
        } 
      echo "</tr></table></center>";
 
Is the syntax correct in the anchor tag above?:

Code:

                    echo '<a href="'.$sitelocation.$item_row['url'].'?item_desc='.$item_row['id'].'">';
                    echo '<img src="includes/img_resize3.php?src='.$sitelocation.$item_row['img'].'" border="0"></a><br/>';
                    echo '<a href="'.$sitelocation.$item_row['url'].'?item_desc='.$item_row['id'].'">view details/order</a>';
Particularly "?item_desc='.$item_row['id']"

Is this how you are supposed to use an id and query the db on the next page? Does not seem to work?
BornForCode
Forum Contributor
Posts: 147
Joined: Mon Feb 11, 2008 1:56 am

Re: HELP with <table> data passing through <php> script in stran

Post by BornForCode »

Yes, but on the page that link takes you to, you will access the variable with $_GET['id']. Anyway, you should check what the primary key on your table is and pass that one (perhaps it is not id, as it is in my example).
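The two-page design suggested in this thread (send only the primary key, query the row on the next page) plus the answer to the SQL injection question, as an added example that is not code from any of the posts. It assumes the products table has an integer primary key `id` and otherwise uses the column names and $sitelocation from the first post. PDO prepared statements replace the thread's mysql_* functions (which later PHP versions removed), and a constructed in-memory SQLite table with two made-up rows stands in for the MySQL database so the file runs on its own.

```php
<?php
// Added example for this thread, not code from any of the posts: the
// "pass only the id" design described above, with the detail page loading
// the row itself. Assumes the products table has an integer primary key
// `id`; the other columns and $sitelocation follow the first post. PDO
// prepared statements stand in for the thread's mysql_* calls (removed
// from PHP since), and a constructed in-memory SQLite table stands in for
// the MySQL database so the file runs on its own.

// Why the thread's query is injectable: $_GET['cat'] is pasted into the
// SQL text, so a single quote in it ends the string literal and whatever
// follows runs as SQL. With cat = "tees' OR '1'='1" this function returns
//   SELECT * FROM poj_products WHERE cat='tees' OR '1'='1'
// which lists every product; a value ending in a second statement is worse.
function unsafeQuery(string $cat): string
{
    return "SELECT * FROM poj_products WHERE cat='$cat'";
}

function esc($s): string
{
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

// Listing page: the category is bound, never spliced into the SQL, and
// only the id goes into the link.
function renderListing(PDO $pdo, string $cat, string $sitelocation): string
{
    $stmt = $pdo->prepare('SELECT id, url, img, prod_name, prod_code, retail, `desc`
                             FROM poj_products WHERE cat = :cat');
    $stmt->execute([':cat' => $cat]);
    $html = '<table width="90%" cellspacing="10"><tr>';
    $n = 0;
    while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
        $href = esc($sitelocation . $row['url'] . '?id=' . (int) $row['id']);
        $img  = esc('includes/img_resize3.php?' . http_build_query(
            ['src' => $sitelocation . $row['img'], 'width' => 144, 'height' => 144, 'qua' => 50]));
        // strip_tags() before substr(), so the preview never cuts a tag in half
        $preview = esc(substr(strip_tags($row['desc']), 0, 85)) . '...';
        $html .= '<td class="preview-images" valign="top" width="25%"><center>'
               . '<a href="' . $href . '"><img src="' . $img . '" border="0"></a><br>'
               . '<a href="' . $href . '">view details/order</a>'
               . '<b>' . esc($row['prod_name']) . '</b><hr width="80%">' . $preview
               . '<br><br>' . esc($row['prod_code']) . '<br><b>' . esc($row['retail'])
               . '</b></center></td>';
        if (++$n % 4 === 0) {   // four products per row
            $html .= '</tr><tr>';
        }
    }
    return $html . '</tr></table>';
}

// Detail page: validate the key, bind it, escape what you print. Nothing
// from the URL is echoed back, which is what removes the XSS raised above.
function renderDetail(PDO $pdo, array $get): string
{
    $id = $get['id'] ?? null;
    if (!is_string($id) || !ctype_digit($id)) {   // an id is digits, nothing else
        http_response_code(400);
        return 'Bad product id';
    }
    $stmt = $pdo->prepare('SELECT * FROM poj_products WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        return 'No such product';
    }
    // `desc` is HTML the shop itself stored, so it is printed as stored;
    // the plain-text columns are escaped.
    return '<h1>' . esc($row['prod_name']) . '</h1><p>' . esc($row['prod_code'])
         . ' ' . esc($row['retail']) . '</p>' . $row['desc'];
}

// Constructed data so the example runs offline; swap in the real MySQL DSN.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE poj_products (id INTEGER PRIMARY KEY, cat TEXT, url TEXT, img TEXT,
            prod_name TEXT, prod_code TEXT, retail TEXT, `desc` TEXT)');
$ins = $pdo->prepare('INSERT INTO poj_products VALUES (NULL, ?, ?, ?, ?, ?, ?, ?)');
$ins->execute(['tees', 'detail.php', 'tee.jpg', 'Hibiscus Tee', 'HT-01', '$19.95',
               '<table border="1"><tr><td>Size</td><td>Small</td></tr></table>']);
$ins->execute(['hats', 'detail.php', 'hat.jpg', 'Straw Hat <b>new</b>', 'SH-02', '$12.00',
               '<p>One size fits all</p>']);

$sitelocation = 'http://www.example.com/';
echo unsafeQuery("tees' OR '1'='1"), "\n";                         // shown, never executed
echo renderListing($pdo, "tees' OR '1'='1", $sitelocation), "\n";  // bound: the quote is data
echo renderListing($pdo, 'tees', $sitelocation), "\n";
echo renderDetail($pdo, ['id' => '1']), "\n";
echo renderDetail($pdo, ['id' => '1 OR 1=1']), "\n";               // rejected before any SQL runs
```

With a bound parameter the quote in the category value is just part of the string being compared, so the injected listing matches nothing, while the same input pasted into unsafeQuery() produces SQL that matches every row. On the detail page the id is checked to be all digits before it is bound, so a crafted value never reaches the database at all, and because the page prints only what it read from its own table (escaping the plain-text columns), nothing the visitor typed into the URL is reflected back. Whether mysql_real_escape_string() or a prepared statement is used, the principle is the same: data from $_GET must never be spliced into SQL text.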
imimin
Forum Commoner
Posts: 38
Joined: Thu Oct 18, 2007 5:44 pm

Re: HELP with <table> data passing through <php> script in stran

Post by imimin »

BornForCode wrote:

Code:

<?php
        $cat = $_GET['cat'];
        $get_items = "SELECT * FROM poj_products WHERE cat='$cat'";
        $get_items = mysql_query($get_items);       
        echo '<center><table width="90%" cellspacing="10"><tr>';        
        $rowbreaks = 1;
        while($item_row = mysql_fetch_array($get_items)){       
            ?>
            <td class ="preview-images" valign="top" width="25%">
                <center>
                    <?php
                    // only the product id goes into the link; the next page loads the rest
                    echo '<a href="'.$sitelocation.$item_row['url'].'?item_desc='.$item_row['id'].'">';
                    echo '<img src="includes/img_resize3.php?src='.$sitelocation.$item_row['img'].'" border="0"></a><br/>';
                    echo '<a href="'.$sitelocation.$item_row['url'].'?item_desc='.$item_row['id'].'">view details/order</a>';
                    
                    echo '<b>'.$item_row['prod_name'].'</b>';
                    echo '<hr width="80%">'.substr($item_row['desc'],0,85).' ....<br/><br/>';
                    echo $item_row['prod_code'].'<br/><br/>';
                    echo $item_row['retail'].'<br/>';
                    ?>
                </center>
            </td>
            <?php
            // split at every 4 products
            if(($rowbreaks%4) == 0)
            echo '</tr><tr>';
            $rowbreaks++;      
        } 
      echo "</tr></table></center>";
 
Shouldn't this code be:

Code:

<?php
         $id = $_GET['id'];
         $get_items = "SELECT * FROM poj_products WHERE id='$id'";
         $get_items = mysql_query($get_items);
         echo '<center><table width="90%" cellspacing="10"><tr>';
          $rowbreaks = 1;
         while($item_row = mysql_fetch_array($get_items)){
             ?>
             <td class ="preview-images" valign="top" width="25%">
                 <center>
                     <?php
                        echo '<a href="'.$sitelocation.$item_row['url'].'?item_desc='.$item_row['id'].'"><img src="includes/img_resize3.php?src='.$sitelocation.$item_row['img'].'&width=144&height=144&qua=50" border="0"></a>';
                        echo '<a href="'.$sitelocation.$item_row['url'].'?item_desc='.$item_row['id'].'">view details/order</a>';
 
                     echo '<b>'.$item_row['prod_name'].'</b>';
                     echo '<hr width="80%">'.substr($item_row['desc'],0,85).' ....<br/><br/>';
                     echo $item_row['prod_code'].'<br/><br/>';
                     echo $item_row['retail'].'<br/>';
                     ?>
                 </center>
             </td>
             <?php
             // split at every 4 products
             if(($rowbreaks%4) == 0)
             echo '</tr><tr>';
             $rowbreaks++;
         }
       echo "</tr></table></center>";
       ?>
I am primarily asking about lines 2 and 3???