HELP with <table> data passing through <php> script in stran

Posted: Mon Jun 29, 2009 4:06 pm
by imimin
Are there any formatting problems in using _GET to pass <table>, <tr> and <td> from a database? I have the code below in a DB field (field name: 'desc' and the data type is TEXT):

Code:

<table border="1" width="100%" cellpadding="1" cellspacing="1">
 <tr>
  <td align="left"> Size </td>
  <td align="left"> Small </td>
  <td align="left"> Medium </td>
  <td align="left">Large</td>
 </tr>
 <tr>
  <td align="left"> Garment<BR>Length (inches)</td>
  <td align="left">20</td>
  <td align="left">28</td>
  <td align="left">35(Not available in purple hibiscus or 100 Dollar Bill)</td>
 </tr>   
</table>
and using the following <php> code to pull the data from the DB and echo it:

Code:

<?php
// $sitelocation (the site's base URL) is set elsewhere in the script
$cat = $_GET['cat'];
$get_items = "SELECT * FROM poj_products WHERE cat='$cat'";
$get_items = mysql_query($get_items);

echo "<CENTER>";
echo "<TABLE WIDTH=\"90%\" CELLSPACING=\"10\">";
echo "<TR>";

$rowbreaks = 1;
while($item_row = mysql_fetch_array($get_items)){
   $item_desc = $item_row['desc'];
   $item_url = $item_row['url'];
   $item_img = $item_row['img'];
   $item_prod_name = $item_row['prod_name'];
   $item_prod_code = $item_row['prod_code'];
   $item_retail = $item_row['retail'];
   $item_available_colors = $item_row['available_colors'];
   $item_available_sizes = $item_row['available_sizes'];
   $item_selected_style = $item_row['selected_style'];
   $item_selected_color = $item_row['selected_color'];
   $item_selected_size = $item_row['selected_size'];
   $item_weight = $item_row['weight'];

   // the link to the detail page; every column value is appended to the URL as-is
   $item_link = "$sitelocation$item_url?item_desc=$item_desc"
              . "&item_prod_name=$item_prod_name"
              . "&item_available_colors=$item_available_colors"
              . "&item_available_sizes=$item_available_sizes"
              . "&item_retail=$item_retail"
              . "&item_prod_code=$item_prod_code"
              . "&item_img=$item_img"
              . "&item_selected_style=$item_selected_style"
              . "&item_selected_color=$item_selected_color"
              . "&item_selected_size=$item_selected_size"
              . "&item_weight=$item_weight";

   echo "<TD class=\"preview-images\" VALIGN=\"top\" WIDTH=\"25%\">
         <CENTER>
         <A HREF=\"$item_link\"><IMG SRC=\"includes/img_resize3.php?src=$sitelocation$item_img&width=144&height=144&qua=50\" BORDER=\"0\"></A>
         <BR>
         <A HREF=\"$item_link\">view details/order</A>
         <BR><B>$item_prod_name</B>
         </CENTER>
         <HR width=\"80%\">
         " . substr($item_desc, 0, 85) . "...
         <BR><BR>
         $item_prod_code
         <BR>
         <B>$item_retail</B>
         <BR></TD>";

   if($rowbreaks == 4){
      echo "</TR><TR>";
      $rowbreaks = 0;
   }

   $rowbreaks++;
}

echo "</TR>";
echo "</TABLE>";
echo "</CENTER>";
?>
The problem is that, for some reason, the TABLE data minus the tags (<table>, <tr> and <td>) is echoing along with all the HREF data starting with "item_prod_name="??? I checked to see if the 'substr' function may be causing the problem, but that is working perfectly. It has something to do with passing the <table> data from the database field to the web page.

Thank you for your help!

Re: HELP with <table> data passing through <php> script in stran

Posted: Mon Jun 29, 2009 7:00 pm
by danielrs1
Use this changed code:

Code:

<?php
$cat = $_GET['cat'];
$get_items = "SELECT * FROM poj_products WHERE cat='".mysql_real_escape_string($cat)."'";
$get_items = mysql_query($get_items);

echo '<table width="90%" cellspacing="10" style="margin-left:auto; margin-right:auto;"><tr>';

$rowbreaks = 1;
while($item_row = mysql_fetch_array($get_items)){
  $item_desc = $item_row['desc'];
  $item_url = $item_row['url'];
  $item_img = $item_row['img'];
  $item_prod_name = $item_row['prod_name'];
  $item_prod_code = $item_row['prod_code'];
  $item_retail = $item_row['retail'];
  $item_available_colors = $item_row['available_colors'];
  $item_available_sizes = $item_row['available_sizes'];
  $item_selected_style = $item_row['selected_style'];
  $item_selected_color = $item_row['selected_color'];
  $item_selected_size = $item_row['selected_size'];
  $item_weight = $item_row['weight'];

  // every value is urlencode()d, so quotes, spaces and '&' inside it cannot
  // break the URL or the href attribute
  $item_link = $sitelocation . $item_url
    . '?item_desc=' . urlencode($item_desc)
    . '&item_prod_name=' . urlencode($item_prod_name)
    . '&item_available_colors=' . urlencode($item_available_colors)
    . '&item_available_sizes=' . urlencode($item_available_sizes)
    . '&item_retail=' . urlencode($item_retail)
    . '&item_prod_code=' . urlencode($item_prod_code)
    . '&item_img=' . urlencode($item_img)
    . '&item_selected_style=' . urlencode($item_selected_style)
    . '&item_selected_color=' . urlencode($item_selected_color)
    . '&item_selected_size=' . urlencode($item_selected_size)
    . '&item_weight=' . urlencode($item_weight);

  echo '<td class="preview-images" valign="top" width="25%">
  <p style="text-align:center;"><a href="' . $item_link . '">
  <img src="includes/img_resize3.php?src=' . $sitelocation . $item_img . '&width=144&height=144&qua=50" border="0"></a>
  <br />
  <a href="' . $item_link . '">view details/order</a>

  <b>' . $item_prod_name . '</b>
  <hr width="80%">
  ' . substr($item_desc, 0, 85) . '...
  <br /><br />
  ' . $item_prod_code . '
  <br />
  <b>' . $item_retail . '</b></p>
  </td>';

  if($rowbreaks == 4){
    echo '</tr><tr>';
    $rowbreaks = 0;
  }

  $rowbreaks++;
}
echo '</tr></table>';
?>

I didn't test the changes, but everything should be working.
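The symptom in the first post is exactly what happens when a stored value containing a `"` is dropped into `href="…"` without encoding: the browser ends the attribute at the first quote inside `<table border="1" …>`, and the remaining table text plus the rest of the query string is rendered as page content. The block below is an added example, not code from the thread or from either poster. It shows the two encodings involved: percent-encoding for values inside the query string (what `urlencode()` in the fix above does per value; `http_build_query()` does it for a whole map) and `htmlspecialchars()` for the finished URL once it sits in an HTML attribute. `$sitelocation` and the column names come from the thread; the base URL and the sample row are constructed.

```php
<?php
// Added example, not from the thread. Demonstrates the encoding each output
// context needs. $sitelocation and the column names come from the thread;
// the base URL and the sample row below are constructed.

// Query-string context: http_build_query() percent-encodes every key and
// value, so a stored '"' becomes %22 and '&' becomes %26 instead of closing
// the attribute or starting a new parameter.
function build_product_url(string $base, array $params): string
{
    return $base . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// HTML context (attribute value or text between tags): '&' becomes '&amp;',
// '<' becomes '&lt;' and quotes become entities, so database content can
// never terminate an attribute or start a tag.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample data in the shape of the thread's poj_products row.
$sitelocation = 'https://shop.example/';
$item = [
    'url'       => 'product.php',
    'prod_name' => 'Hibiscus Tee',
    'desc'      => '<table border="1" width="100%"><tr><td>Size</td><td>Small</td></tr></table>',
];

// 1. The raw concatenation from the first post, for comparison. The href
//    attribute ends at the first '"' inside the stored table, so the
//    remaining markup is rendered as page text.
$broken = '<a href="' . $sitelocation . $item['url'] . '?item_desc=' . $item['desc'] . '">view</a>';

// 2. The same link with both encodings applied.
$url = build_product_url($sitelocation . $item['url'], [
    'item_desc'      => $item['desc'],
    'item_prod_name' => $item['prod_name'],
]);
$fixed = '<a href="' . esc($url) . '">' . esc($item['prod_name']) . '</a>';

// $url now contains no raw quote or angle bracket from the stored value
// (strpbrk($url, '"<>') is false); the only '&' left is the parameter
// separator, which esc() turns into '&amp;' for the attribute.
echo $broken, PHP_EOL, $fixed, PHP_EOL;
```

The two functions are deliberately separate: percent-encoding belongs to the URL, entity encoding belongs to the HTML around it, and a value that crosses both boundaries needs both, in that order.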

Re: HELP with <table> data passing through <php> script in stran

Posted: Mon Jun 29, 2009 7:03 pm
by danielrs1
McInfo wrote:
  • Why do you need to pass HTML in a URL? That opens up a cross-site scripting vulnerability.
There's no HTML in the URL...

Re: HELP with <table> data passing through <php> script in stran

Posted: Mon Jun 29, 2009 7:08 pm
by BornForCode
And always remember that GET has a maximum length (2083 characters in Internet Explorer, for example), so passing a table ....

Re: HELP with <table> data passing through <php> script in stran

Posted: Mon Jun 29, 2009 7:42 pm
by BornForCode
I feel defeated by your code; why do you assign variables instead of using them as they are?
And why do you send such information over GET? Imagine that the description may be long (the original one, which is not trimmed). It is easier just to send the id of the product and load the product description on that page.

Here you load a lot of information, which is OK, but for God's sake do not send it over GET :banghead:

Instead, try the following code (or adjust it to get something similar); look how simple and easy to understand it is:

Code:

<?php
$cat = $_GET['cat'];
$get_items = "SELECT * FROM poj_products WHERE cat='".mysql_real_escape_string($cat)."'";
$get_items = mysql_query($get_items);
echo '<center><table width="90%" cellspacing="10"><tr>';
$rowbreaks = 1;
while($item_row = mysql_fetch_array($get_items)){
    ?>
    <td class="preview-images" valign="top" width="25%">
        <center>
            <?php
            // the link carries only the product id; the detail page looks up the rest
            echo '<a href="'.$sitelocation.$item_row['url'].'?id='.$item_row['id'].'">';
            echo '<img src="includes/img_resize3.php?src='.$sitelocation.$item_row['img'].'" border="0" /></a><br/>';
            echo '<a href="'.$sitelocation.$item_row['url'].'?id='.$item_row['id'].'">view details/order</a>';

            echo '<b>'.$item_row['prod_name'].'</b>';
            echo '<hr width="80%">'.substr($item_row['desc'],0,85).' ....<br/><br/>';
            echo $item_row['prod_code'].'<br/><br/>';
            echo $item_row['retail'].'<br/>';
            ?>
        </center>
    </td>
    <?php
    // split at every 4 products
    if(($rowbreaks%4) == 0)
        echo '</tr><tr>';
    $rowbreaks++;
}
echo "</tr></table></center>";
?>


Re: HELP with <table> data passing through <php> script in stran

Posted: Mon Jun 29, 2009 7:52 pm
by imimin
Thank you for your input!
McInfo wrote: The quick fix is to use urlencode(), but I think there are other design issues that need to be addressed.
  • Why do you need to pass HTML in a URL? That opens up a cross-site scripting vulnerability.
  • The query is vulnerable to SQL injection.
Edit: Misspelled "depricated".
How would YOU pass the information to the next page? I understand you can just pass an ID and query the DB on the next page, but I am not sure how to do that. Do you mind giving me the syntax for that?

Also, why do you say that my query is vulnerable to SQL injection? What does that mean and how can I avoid it?

I appreciate your help! I am trying to learn this stuff and appreciate any help I can get.

Thanks!

Re: HELP with <table> data passing through <php> script in stran

Posted: Mon Jun 29, 2009 7:55 pm
by BornForCode
mysql_escape_string($value)
mysql_real_escape_string($value)

Re: HELP with <table> data passing through <php> script in stran

Posted: Thu Jul 02, 2009 10:22 pm
by imimin
BornForCode wrote:

Code:

<?php
$cat = $_GET['cat'];
$get_items = "SELECT * FROM poj_products WHERE cat='".mysql_real_escape_string($cat)."'";
$get_items = mysql_query($get_items);
echo '<center><table width="90%" cellspacing="10"><tr>';
$rowbreaks = 1;
while($item_row = mysql_fetch_array($get_items)){
    ?>
    <td class="preview-images" valign="top" width="25%">
        <center>
            <?php
            // the link carries only the product id; the detail page looks up the rest
            echo '<a href="'.$sitelocation.$item_row['url'].'?id='.$item_row['id'].'">';
            echo '<img src="includes/img_resize3.php?src='.$sitelocation.$item_row['img'].'" border="0" /></a><br/>';
            echo '<a href="'.$sitelocation.$item_row['url'].'?id='.$item_row['id'].'">view details/order</a>';

            echo '<b>'.$item_row['prod_name'].'</b>';
            echo '<hr width="80%">'.substr($item_row['desc'],0,85).' ....<br/><br/>';
            echo $item_row['prod_code'].'<br/><br/>';
            echo $item_row['retail'].'<br/>';
            ?>
        </center>
    </td>
    <?php
    // split at every 4 products
    if(($rowbreaks%4) == 0)
        echo '</tr><tr>';
    $rowbreaks++;
}
echo "</tr></table></center>";
?>

Is the syntax correct in the anchor tag above?

Code:

echo '<a href="'.$sitelocation.$item_row['url'].'?id='.$item_row['id'].'">';
echo '<img src="includes/img_resize3.php?src='.$sitelocation.$item_row['img'].'" border="0" /></a><br/>';
echo '<a href="'.$sitelocation.$item_row['url'].'?id='.$item_row['id'].'">view details/order</a>';
Particularly "?id='.$item_row['id']"

Is this how you are supposed to use an id and query the DB on the next page? It does not seem to work.

Re: HELP with <table> data passing through <php> script in stran

Posted: Fri Jul 03, 2009 1:21 pm
by BornForCode
Yes, but in the page that link takes you to, you will access the variable with $_GET['id']. Anyway, you should check what the primary key on your table is and pass that one (perhaps it is not id, as it is in my example).
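The design BornForCode describes here, with the listing page sending only the key and the detail page reading `$_GET['id']` and looking the product up, as an added example that is not code from the thread or from any poster. It uses PDO prepared statements instead of the `mysql_*` functions used in the thread, which also answers the SQL injection question asked earlier: the user-supplied value is bound as a parameter and is never spliced into the SQL string, so quotes inside it are data, not syntax. Table and column names come from the thread; the DSN, the credentials and the assumption that `id` is the primary key are mine.

```php
<?php
// Added example, not from the thread: id-based listing and detail pages with
// PDO prepared statements. poj_products and its columns come from the thread;
// the DSN/credentials and the use of `id` as primary key are assumptions.

function db(): PDO
{
    return new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'shop_user', 'secret', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,  // server-side prepares: SQL and data travel separately
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// One escaping function for everything echoed into HTML text or attributes.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Listing page (e.g. category.php?cat=...). The category travels as a bound
// parameter, so quotes or comment sequences in $_GET['cat'] are just data.
function render_category(PDO $pdo, string $cat, string $sitelocation): string
{
    $stmt = $pdo->prepare(
        'SELECT id, url, img, prod_name, prod_code, retail, `desc`
           FROM poj_products WHERE cat = :cat'
    );
    $stmt->execute([':cat' => $cat]);

    $html = '<table width="90%" cellspacing="10"><tr>';
    $n = 0;
    foreach ($stmt as $row) {
        // Only the primary key is put in the URL; the detail page fetches the rest.
        $href = esc($sitelocation . $row['url'] . '?' . http_build_query(['id' => $row['id']]));
        // The stored description is HTML; for the 85-character teaser show its
        // text only, so a half-cut tag never leaks into the listing markup.
        $teaser = mb_substr(strip_tags($row['desc']), 0, 85);

        $html .= '<td class="preview-images" valign="top" width="25%">'
               . '<a href="' . $href . '"><img src="includes/img_resize3.php?'
               . esc(http_build_query(['src' => $sitelocation . $row['img'], 'width' => 144, 'height' => 144, 'qua' => 50]))
               . '" border="0"></a><br>'
               . '<a href="' . $href . '">view details/order</a><br>'
               . '<b>' . esc($row['prod_name']) . '</b><hr width="80%">'
               . esc($teaser) . '...<br><br>'
               . esc($row['prod_code']) . '<br><b>' . esc((string) $row['retail']) . '</b></td>';
        if (++$n % 4 === 0) {
            $html .= '</tr><tr>';   // four products per row
        }
    }
    return $html . '</tr></table>';
}

// Detail page (product.php?id=...). Anything that is not a positive integer is
// rejected before it gets near the query; the accepted value is bound as INT.
function fetch_product(PDO $pdo, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM poj_products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// product.php
$pdo     = db();
$product = fetch_product($pdo, $_GET['id'] ?? '');
if ($product === null) {
    http_response_code(404);
    exit('Product not found');
}
echo '<h1>' . esc($product['prod_name']) . '</h1>';
// `desc` holds HTML written by the shop owner (the size table from the first
// post). It is echoed as markup here on the assumption that only trusted
// staff can edit it; anything untrusted users can write must go through
// esc() or an HTML sanitiser instead.
echo $product['desc'];
```

Because the link carries only an integer, the URL-length concern raised earlier disappears as well, and the detail page decides what to show from the database rather than from whatever the visitor put in the query string.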

Re: HELP with <table> data passing through <php> script in stran

Posted: Fri Jul 03, 2009 7:06 pm
by imimin
BornForCode wrote:

Code:

<?php
$cat = $_GET['cat'];
$get_items = "SELECT * FROM poj_products WHERE cat='".mysql_real_escape_string($cat)."'";
$get_items = mysql_query($get_items);
echo '<center><table width="90%" cellspacing="10"><tr>';
$rowbreaks = 1;
while($item_row = mysql_fetch_array($get_items)){
    ?>
    <td class="preview-images" valign="top" width="25%">
        <center>
            <?php
            // the link carries only the product id; the detail page looks up the rest
            echo '<a href="'.$sitelocation.$item_row['url'].'?id='.$item_row['id'].'">';
            echo '<img src="includes/img_resize3.php?src='.$sitelocation.$item_row['img'].'" border="0" /></a><br/>';
            echo '<a href="'.$sitelocation.$item_row['url'].'?id='.$item_row['id'].'">view details/order</a>';

            echo '<b>'.$item_row['prod_name'].'</b>';
            echo '<hr width="80%">'.substr($item_row['desc'],0,85).' ....<br/><br/>';
            echo $item_row['prod_code'].'<br/><br/>';
            echo $item_row['retail'].'<br/>';
            ?>
        </center>
    </td>
    <?php
    // split at every 4 products
    if(($rowbreaks%4) == 0)
        echo '</tr><tr>';
    $rowbreaks++;
}
echo "</tr></table></center>";
?>

Shouldn't this code be:

Code:

<?php
$id = $_GET['id'];
$get_items = "SELECT * FROM poj_products WHERE id='".mysql_real_escape_string($id)."'";
$get_items = mysql_query($get_items);
echo '<center><table width="90%" cellspacing="10"><tr>';
$rowbreaks = 1;
while($item_row = mysql_fetch_array($get_items)){
    ?>
    <td class="preview-images" valign="top" width="25%">
        <center>
            <?php
            // one anchor wrapping both the image and the link text
            echo '<a href="'.$sitelocation.$item_row['url'].'?id='.$item_row['id'].'">'
               . '<img src="includes/img_resize3.php?src='.$sitelocation.$item_row['img'].'&width=144&height=144&qua=50" border="0">'
               . 'view details/order</a>';

            echo '<b>'.$item_row['prod_name'].'</b>';
            echo '<hr width="80%">'.substr($item_row['desc'],0,85).' ....<br/><br/>';
            echo $item_row['prod_code'].'<br/><br/>';
            echo $item_row['retail'].'<br/>';
            ?>
        </center>
    </td>
    <?php
    // split at every 4 products
    if(($rowbreaks%4) == 0)
        echo '</tr><tr>';
    $rowbreaks++;
}
echo "</tr></table></center>";
?>
I am primarily asking about lines 2 and 3???