
What am I missing?

Posted: Fri Oct 16, 2009 1:39 pm
by fried
I have a problem with this piece of code. The id in the Href works fine but it doesn't return anything when I use GET. I used the echo $id just to check and there appears to be nothing sent.

Code:

$cmd = $_GET['cmd'];
$id = $_GET['id'];
if (isset($cmd))
{
    if ($cmd == "change") {
        echo $id;
        // Look up the selected category by id
        $query = "SELECT category_name FROM gallery_category WHERE category_id= '".$id."'";
        $result = mysql_query($query) or die(mysql_error());
        $row = mysql_fetch_row($result);

        $sessiontheme = $row[0];
        echo $sessiontheme;
    }
}

// List every category; the ones not marked valid become links
$queryc = "SELECT category_id,category_name, valid FROM gallery_category";
$resultc = mysql_query($queryc) or die(mysql_error());
while ($rowc = mysql_fetch_array($resultc)) {
    if ($rowc['valid'] == 1) {
        $sessiontheme = $rowc["category_name"];
    }
    else {
        echo '<a href="latest.php?cmd=change&id ='.$rowc[0].'" name="'.$rowc[1].'" target="_self" >'.$rowc[1].''.$rowc[0].'</a><br/>';
    }
}
I'm sure I fundamentally misunderstand how something works. Thanks.

Re: What am I missing?

Posted: Fri Oct 16, 2009 1:50 pm
by John Cartwright
Try it without the whitespace after id, i.e.,

Code:

echo '<a href="latest.php?cmd=change&id='.$rowc[0].'" name="'.$rowc[1].'" target="_self" >'.$rowc[1].''.$rowc[0].'</a><br/>';
Although, your script is vulnerable to SQL injection. You should consider casting your integer variables with (int) and/or passing all strings into the query through mysql_real_escape_string().
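
Added example, not part of any post in this thread: the lookup from the question written once with string concatenation and once with integer validation plus a bound parameter, followed by the link built with http_build_query() so the query string is not typed by hand. Assumptions: the mysql_* functions used in the thread were removed in PHP 7, so this uses PDO with an in-memory SQLite database; the sample rows, inputs and function names are constructed for illustration.

```php
<?php
// Added example: table and column names follow the thread; the in-memory
// SQLite database and sample rows are constructed so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE gallery_category (category_id INTEGER PRIMARY KEY, category_name TEXT, valid INTEGER)');
$db->exec("INSERT INTO gallery_category VALUES (1, 'Landscapes', 1), (2, 'Portraits', 0)");

// The thread's pattern: the raw parameter is concatenated into the SQL text.
function lookupConcatenated(PDO $db, $id)
{
    $sql = "SELECT category_name FROM gallery_category WHERE category_id = '" . $id . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_NUM);
    return $row ? $row[0] : null;
}

// Hardened: validate the value as an integer, then bind it as a parameter.
function lookupHardened(PDO $db, $id)
{
    $id = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // reject anything that is not a positive integer
    }
    $stmt = $db->prepare('SELECT category_name FROM gallery_category WHERE category_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_NUM);
    return $row ? $row[0] : null;
}

// Constructed inputs: a normal id and a value that is not an integer.
foreach (['2', "0' OR '1'='1"] as $input) {
    printf("%-16s concatenated=%s hardened=%s\n", $input,
        var_export(lookupConcatenated($db, $input), true),
        var_export(lookupHardened($db, $input), true));
}

// Link output, as in the thread's loop: http_build_query() assembles the query
// string, and htmlspecialchars() encodes both the URL and the name for HTML.
foreach ($db->query('SELECT category_id, category_name FROM gallery_category WHERE valid = 0') as $rowc) {
    $qs = http_build_query(['cmd' => 'change', 'id' => $rowc['category_id']]);
    echo '<a href="latest.php?' . htmlspecialchars($qs) . '">'
        . htmlspecialchars($rowc['category_name']) . "</a><br/>\n";
}
```

With the second input, the concatenated query returns a category name even though no row has that id, while the hardened lookup returns null.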

Re: What am I missing?

Posted: Fri Oct 16, 2009 3:44 pm
by fried
Thanks guys, rookie error :D