PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
imimin
Forum Commoner
Posts: 38 Joined: Thu Oct 18, 2007 5:44 pm
by imimin » Mon Jun 29, 2009 4:06 pm
Are there any formatting problems in using _GET to pass <table>, <tr> and <td> from a database? I have the code below in a DB field (field name: 'desc' and the data type is TEXT):
Code:
<table border="1" width="100%" cellpadding="1" cellspacing="1">
<tr>
<td align="left"> Size </td>
<td align="left"> Small </td>
<td align="left"> Medium </td>
<td align="left">Large</td>
</tr>
<tr>
<td align="left"> Garment<BR>Length (inches)</td>
<td align="left">20</td>
<td align="left">28</td>
<td align="left">35(Not available in purple hibiscus or 100 Dollar Bill)</td>
</tr>
</table>
and using the following <php> code to pull the data from the DB and echo it:
Code:
<?php
$cat = $_GET['cat'];
$get_items = "SELECT * FROM poj_products WHERE cat='$cat'";
$get_items = mysql_query($get_items);
echo "<CENTER>";
echo "<TABLE WIDTH=\"90%\" CELLSPACING=\"10\">";
echo "<TR>";
$rowbreaks = 1;
while($item_row = mysql_fetch_array($get_items)){
$item_desc = $item_row['desc'];
$item_url = $item_row['url'];
$item_img = $item_row['img'];
$item_prod_name = $item_row['prod_name'];
$item_prod_code = $item_row['prod_code'];
$item_retail = $item_row['retail'];
$item_available_colors = $item_row['available_colors'];
$item_available_sizes = $item_row['available_sizes'];
$item_selected_style = $item_row['selected_style'];
$item_selected_color = $item_row['selected_color'];
$item_selected_size = $item_row['selected_size'];
$item_weight = $item_row['weight'];
echo "<TD class=\"preview-images\" VALIGN=\"top\" WIDTH=\"25%\">
<CENTER><A HREF=\"$sitelocation" . "$item_url" . "?" . "item_desc=" . "$item_desc" . "&" ."item_prod_name=" . "$item_prod_name" . "&" ."item_available_colors=" . "$item_available_colors". "&" ."item_available_sizes=" . "$item_available_sizes". "&" ."item_retail=" . "$item_retail". "&" ."item_prod_code=" . "$item_prod_code". "&" . "item_img=" . "$item_img" . "&" ."item_selected_style=" . "$item_selected_style". "&" ."item_selected_color=" . "$item_selected_color". "&" . "item_selected_size=" . "$item_selected_size" . "&" . "item_weight=" . "$item_weight\">
<IMG SRC=\"includes/img_resize3.php?src=$sitelocation$item_img&width=144&height=144&qua=50\" BORDER=\"0\"></A>
<BR>
<CENTER><A HREF=\"$sitelocation" . "$item_url" . "?" . "item_desc=" . "$item_desc" . "&" ."item_prod_name=" . "$item_prod_name" . "&" ."item_available_colors=" . "$item_available_colors". "&" ."item_available_sizes=" . "$item_available_sizes". "&" ."item_retail=" . "$item_retail". "&" ."item_prod_code=" . "$item_prod_code". "&" . "item_img=" . "$item_img" . "&" ."item_selected_style=" . "$item_selected_style". "&" ."item_selected_color=" . "$item_selected_color". "&" . "item_selected_size=" . "$item_selected_size" . "&" . "item_weight=" . "$item_weight\">view details/order</A>
<center><b>$item_prod_name</b></center>
<HR width=80%>
".substr($item_desc,0,85)."...
<BR><BR>
$item_prod_code
<BR>
<B>$item_retail</B></P>
<BR></TD>";
if($rowbreaks == 4){
echo "</TR><TR>";
$rowbreaks = 0;
}
$rowbreaks++;
}
echo "</TR>";
echo "</TABLE>";
echo "</CENTER>";
?>
The problem is that, for some reason, the TABLE data minus the tags (<table>, <tr> and <td>) is echoing along with all the HREF data starting with "item_prod_name=" ??? I checked to see if the 'substr' function may be causing the problem, but that is working perfectly. It has something to do with passing the <table> data from the database field to the web page.
Thank you for your help!
Last edited by Benjamin on Tue Jun 30, 2009 12:01 am, edited 1 time in total. Reason: Added [code=php] tags.
danielrs1
Forum Commoner
Posts: 29 Joined: Wed Jun 24, 2009 5:30 pm
by danielrs1 » Mon Jun 29, 2009 7:00 pm
Use this changed code:
Code:
<?php
$cat = $_GET['cat'];
$get_items = "SELECT * FROM poj_products WHERE cat='".mysql_real_escape_string($cat)."'";
$get_items = mysql_query($get_items);
echo '<table width="90%" cellspacing="10" style="margin-left:auto; margin-right:auto;"><tr>';
$rowbreaks = 1;
while($item_row = mysql_fetch_array($get_items)){
$item_desc = $item_row['desc'];
$item_url = $item_row['url'];
$item_img = $item_row['img'];
$item_prod_name = $item_row['prod_name'];
$item_prod_code = $item_row['prod_code'];
$item_retail = $item_row['retail'];
$item_available_colors = $item_row['available_colors'];
$item_available_sizes = $item_row['available_sizes'];
$item_selected_style = $item_row['selected_style'];
$item_selected_color = $item_row['selected_color'];
$item_selected_size = $item_row['selected_size'];
$item_weight = $item_row['weight'];
echo '<td class="preview-images" valign="top" width="25%">
<p style="text-align:center;"><a href="' . $sitelocation . $item_url . '?item_desc=' . urlencode($item_desc) . '&item_prod_name=' . urlencode($item_prod_name) . '&item_available_colors=' . urlencode($item_available_colors). '&item_available_sizes=' . urlencode($item_available_sizes). '&item_retail=' . urlencode($item_retail) . '&item_prod_code=' . urlencode($item_prod_code). '&item_img=' . urlencode($item_img) . '&item_selected_style=' . urlencode($item_selected_style) . '&item_selected_color=' . urlencode($item_selected_color) . '&item_selected_size=' . urlencode($item_selected_size) . '&item_weight=' . urlencode($item_weight) . '">
<img src="includes/img_resize3.php?src=' . $sitelocation . $item_img . '&width=144&height=144&qua=50" border="0"></a>
<br />
<a href="' . $sitelocation . $item_url . '?item_desc=' . urlencode($item_desc) . '&item_prod_name=' . urlencode($item_prod_name) . '&item_available_colors=' . urlencode($item_available_colors). '&item_available_sizes=' . urlencode($item_available_sizes). '&item_retail=' . urlencode($item_retail) . '&item_prod_code=' . urlencode($item_prod_code). '&item_img=' . urlencode($item_img) . '&item_selected_style=' . urlencode($item_selected_style) . '&item_selected_color=' . urlencode($item_selected_color) . '&item_selected_size=' . urlencode($item_selected_size) . '&item_weight=' . urlencode($item_weight) . '">view details/order</a>
<b>' . $item_prod_name . '</b>
<hr width=80%>
'.substr($item_desc,0,85).'...
<br /><br />
' . $item_prod_code . '
<br />
<b>' . $item_retail . '</b></p>
</td>';
if($rowbreaks == 4){
echo "</tr><tr>";
$rowbreaks = 0;
}
$rowbreaks++;
}
echo '</tr></table>'; // no <center> was opened above, so none is closed here
?>
I didn't test the changes, but everything should be working.
danielrs1
Forum Commoner
Posts: 29 Joined: Wed Jun 24, 2009 5:30 pm
by danielrs1 » Mon Jun 29, 2009 7:03 pm
McInfo wrote:
Why do you need to pass HTML in a URL? That opens up a cross-site scripting vulnerability.
There's no HTML on URL...
BornForCode
Forum Contributor
Posts: 147 Joined: Mon Feb 11, 2008 1:56 am
by BornForCode » Mon Jun 29, 2009 7:08 pm
And always remember that GET has a maximum length of 2083 characters in Internet Explorer, for example, so passing a table ....
BornForCode
Forum Contributor
Posts: 147 Joined: Mon Feb 11, 2008 1:56 am
by BornForCode » Mon Jun 29, 2009 7:42 pm
I feel defeated by your code. Why do you assign variables instead of using them as they are?
And why do you send such information over GET? Imagine that the description may be long (the original one, which is not trimmed). It is easier just to send the id of the product and load the product description on that page.
Here you load a lot of information, which is OK, but for God's sake do not send it over GET.
Instead, try the following code (or adjust it to something similar); look how simple and easy to understand it is:
Code:
<?php
$cat = mysql_real_escape_string($_GET['cat']); // escape user input before it goes into the query
$get_items = "SELECT * FROM poj_products WHERE cat='$cat'";
$get_items = mysql_query($get_items);
echo '<center><table width="90%" cellspacing="10"><tr>';
$rowbreaks = 1; // product counter, used to start a new row after every 4 products
while($item_row = mysql_fetch_array($get_items)){
?>
<td class="preview-images" valign="top" width="25%">
<center>
<?php
// only the product id is passed; the next page loads the description from the DB
// ($sitelocation is assumed to be set elsewhere)
echo '<a href="'.$sitelocation.$item_row['url'].'?item_desc='.$item_row['id'].'">';
echo '<img src="includes/img_resize3.php?src='.$sitelocation.$item_row['img'].'" border="0" /></a><br/>';
echo '<a href="'.$sitelocation.$item_row['url'].'?item_desc='.$item_row['id'].'">view details/order</a>';
echo '<b>'.$item_row['prod_name'].'</b>';
echo '<hr width="80%">'.substr($item_row['desc'],0,85).' ....<br/><br/>';
echo $item_row['prod_code'].'<br/><br/>';
echo $item_row['retail'].'<br/>';
?>
</center>
</td>
<?php
// split at every 4 products
if(($rowbreaks%4) == 0)
echo '</tr><tr>';
$rowbreaks++;
}
echo "</tr></table></center>";
Last edited by Benjamin on Tue Jun 30, 2009 12:01 am, edited 2 times in total. Reason: Added [code=php] tags.
imimin
Forum Commoner
Posts: 38 Joined: Thu Oct 18, 2007 5:44 pm
by imimin » Mon Jun 29, 2009 7:52 pm
Thank you for your input!
McInfo wrote: The quick fix is to use urlencode(), but I think there are other design issues that need to be addressed.
Why do you need to pass HTML in a URL? That opens up a cross-site scripting vulnerability.
The query is vulnerable to SQL injection.
Edit: Misspelled "depricated".
How would YOU pass the information to the next page? I understand you can just pass an ID and query the DB on the next page, but I am not sure how to do that? Do you mind giving me the syntax for that?
Also, why do you say that my query is vulnerable to SQL injection? What does that mean and how can I avoid it?
I appreciate your help! I am trying to learn this stuff and appreciate any help I can get.
Thanks!
BornForCode
Forum Contributor
Posts: 147 Joined: Mon Feb 11, 2008 1:56 am
by BornForCode » Mon Jun 29, 2009 7:55 pm
mysql_escape_string($value)
mysql_real_escape_string($value)
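Putting BornForCode's advice (pass only the product id and query for the description on the next page) together with McInfo's SQL injection and escaping points, here is an added example that is not code from the thread: the listing page puts only the id in the URL, the detail page re-queries by that id with a PDO prepared statement, and every value is escaped for the context it lands in (SQL, URL, HTML). It assumes an in-memory SQLite table with constructed rows and a hypothetical detail.php; the table and column names follow the thread.

```php
<?php
// Added example, not code from the thread. Runs stand-alone on an in-memory
// SQLite table with constructed sample rows; 'desc' is double-quoted in the SQL
// because it is an SQL keyword (the same applies in MySQL with backticks).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
$db->exec('CREATE TABLE poj_products (id INTEGER PRIMARY KEY, cat TEXT, prod_name TEXT, "desc" TEXT, retail TEXT)');
$ins = $db->prepare('INSERT INTO poj_products (cat, prod_name, "desc", retail) VALUES (?, ?, ?, ?)');
$ins->execute(["men's", 'Hibiscus Tee', '<table><tr><td>Size</td><td>Small</td></tr></table>', '$19.95']);
$ins->execute(["men's", 'Plain Tee', 'Plain cotton shirt & nothing else', '$9.95']);

// Listing page: $cat is what would come from $_GET['cat']; each link carries only the id.
function listing(PDO $db, string $cat): string {
    // bound parameter: the apostrophe in "men's" is data, not part of the SQL text,
    // so the query that the string-built version would have broken on just works
    $stmt = $db->prepare('SELECT id, prod_name, "desc" FROM poj_products WHERE cat = ?');
    $stmt->execute([$cat]);
    $html = '';
    foreach ($stmt as $row) {
        $href = 'detail.php?id=' . urlencode((string) $row['id']);        // URL context
        $preview = substr(strip_tags($row['desc']), 0, 85);                 // no half-cut tags in the preview
        $html .= '<td><a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
               . htmlspecialchars($row['prod_name'], ENT_QUOTES, 'UTF-8') . '</a><br>'
               . htmlspecialchars($preview, ENT_QUOTES, 'UTF-8') . "...</td>\n";  // HTML context
    }
    return $html;
}

// Detail page: $id is what would come from $_GET['id']; validate it, then load the row.
function detail(PDO $db, $id): ?array {
    if (!ctype_digit((string) $id)) {
        return null;                      // anything but a plain integer id is rejected up front
    }
    $stmt = $db->prepare('SELECT * FROM poj_products WHERE id = ?');
    $stmt->execute([(int) $id]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

echo listing($db, "men's");             // both sample rows, each with an id-only link
$row = detail($db, '1');
// desc holds markup the shop itself stored, so it is echoed as-is; prod_name is escaped
echo '<h2>' . htmlspecialchars($row['prod_name'], ENT_QUOTES, 'UTF-8') . '</h2>' . $row['desc'] . "\n";
var_dump(detail($db, 'abc'));           // NULL: fails the integer check before any query runs
```

The thread's mysql_* functions were removed in PHP 7, so on a current install PDO (or mysqli) with prepared statements is the way to write both queries.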
imimin
Forum Commoner
Posts: 38 Joined: Thu Oct 18, 2007 5:44 pm
by imimin » Thu Jul 02, 2009 10:22 pm
BornForCode wrote:
Code:
<?php
$cat = mysql_real_escape_string($_GET['cat']); // escape user input before it goes into the query
$get_items = "SELECT * FROM poj_products WHERE cat='$cat'";
$get_items = mysql_query($get_items);
echo '<center><table width="90%" cellspacing="10"><tr>';
$rowbreaks = 1; // product counter, used to start a new row after every 4 products
while($item_row = mysql_fetch_array($get_items)){
?>
<td class="preview-images" valign="top" width="25%">
<center>
<?php
// only the product id is passed; the next page loads the description from the DB
// ($sitelocation is assumed to be set elsewhere)
echo '<a href="'.$sitelocation.$item_row['url'].'?item_desc='.$item_row['id'].'">';
echo '<img src="includes/img_resize3.php?src='.$sitelocation.$item_row['img'].'" border="0" /></a><br/>';
echo '<a href="'.$sitelocation.$item_row['url'].'?item_desc='.$item_row['id'].'">view details/order</a>';
echo '<b>'.$item_row['prod_name'].'</b>';
echo '<hr width="80%">'.substr($item_row['desc'],0,85).' ....<br/><br/>';
echo $item_row['prod_code'].'<br/><br/>';
echo $item_row['retail'].'<br/>';
?>
</center>
</td>
<?php
// split at every 4 products
if(($rowbreaks%4) == 0)
echo '</tr><tr>';
$rowbreaks++;
}
echo "</tr></table></center>";
Is the syntax correct in the anchor tag above?
Code:
echo '<a href="'.$sitelocation.$item_row['url'].'?item_desc='.$item_row['id'].'">';
echo '<img src="includes/img_resize3.php?src='.$sitelocation.$item_row['img'].'" border="0" /></a><br/>';
echo '<a href="'.$sitelocation.$item_row['url'].'?item_desc='.$item_row['id'].'">view details/order</a>';
Particularly "?item_desc='.$item_row['id']"
Is this how you are supposed to use an id and query the db on the next page? Does not seem to work?
BornForCode
Forum Contributor
Posts: 147 Joined: Mon Feb 11, 2008 1:56 am
by BornForCode » Fri Jul 03, 2009 1:21 pm
Yes, but in the page that link takes you to, you will access the variable with $_GET['id']. Anyway, you should check what the primary key on your table is and pass that one (perhaps it is not id, as it is in my example).
imimin
Forum Commoner
Posts: 38 Joined: Thu Oct 18, 2007 5:44 pm
by imimin » Fri Jul 03, 2009 7:06 pm
BornForCode wrote:
Code:
<?php
$cat = mysql_real_escape_string($_GET['cat']); // escape user input before it goes into the query
$get_items = "SELECT * FROM poj_products WHERE cat='$cat'";
$get_items = mysql_query($get_items);
echo '<center><table width="90%" cellspacing="10"><tr>';
$rowbreaks = 1; // product counter, used to start a new row after every 4 products
while($item_row = mysql_fetch_array($get_items)){
?>
<td class="preview-images" valign="top" width="25%">
<center>
<?php
// only the product id is passed; the next page loads the description from the DB
// ($sitelocation is assumed to be set elsewhere)
echo '<a href="'.$sitelocation.$item_row['url'].'?item_desc='.$item_row['id'].'">';
echo '<img src="includes/img_resize3.php?src='.$sitelocation.$item_row['img'].'" border="0" /></a><br/>';
echo '<a href="'.$sitelocation.$item_row['url'].'?item_desc='.$item_row['id'].'">view details/order</a>';
echo '<b>'.$item_row['prod_name'].'</b>';
echo '<hr width="80%">'.substr($item_row['desc'],0,85).' ....<br/><br/>';
echo $item_row['prod_code'].'<br/><br/>';
echo $item_row['retail'].'<br/>';
?>
</center>
</td>
<?php
// split at every 4 products
if(($rowbreaks%4) == 0)
echo '</tr><tr>';
$rowbreaks++;
}
echo "</tr></table></center>";
Shouldn't this code be:
Code:
<?php
$id = mysql_real_escape_string($_GET['id']); // escape before using it in the query
$get_items = "SELECT * FROM poj_products WHERE id='$id'";
$get_items = mysql_query($get_items);
echo '<center><table width="90%" cellspacing="10"><tr>';
$rowbreaks = 1;
while($item_row = mysql_fetch_array($get_items)){
?>
<td class ="preview-images" valign="top" width="25%">
<center>
<?php
// the parameter name (id) must match what the next page reads with $_GET['id']
echo '<a href="'.$sitelocation.$item_row['url'].'?id='.$item_row['id'].'">';
echo '<img src="includes/img_resize3.php?src='.$sitelocation.$item_row['img'].'&width=144&height=144&qua=50" border="0" /></a><br/>';
echo '<a href="'.$sitelocation.$item_row['url'].'?id='.$item_row['id'].'">view details/order</a>';
echo '<b>'.$item_row['prod_name'].'</b>';
echo '<hr width="80%">'.substr($item_row['desc'],0,85).' ....<br/><br/>';
echo $item_row['prod_code'].'<br/><br/>';
echo $item_row['retail'].'<br/>';
?>
</center>
</td>
<?php
// split at every 4 products
if(($rowbreaks%4) == 0)
echo '</tr><tr>';
$rowbreaks++;
}
echo "</tr></table></center>";
?>
I am primarily asking about lines 2 and 3???