select from table using url variable

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

YoussefSiblini
Forum Contributor
Posts: 206
Joined: Thu Jul 21, 2011 1:51 pm

select from table using url variable

Post by YoussefSiblini »

Hi,
I am trying to select from the table, but I am not sure how to include $_GET['trackID'] in the select query.
If I use the code below I get an error:


mysql_query( "SELECT * FROM antiques WHERE track_ID = '$_GET['trackID']'");
but if I use the actual trackID number from the table it works:


mysql_query( "SELECT * FROM antiques WHERE track_ID = '23' ");
So I think I am not including $_GET['trackID'] correctly in the select query.


Youssef
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Re: select from table using url variable

Post by AbraCadaver »

Well, first, that is very unsafe as the user could pass anything in as the trackID. So force it to the type you need. Also, look here for why you get an error: http://www.php.net/manual/en/language.types.string.php


$id = (int)$_GET['trackID'];
mysql_query( "SELECT * FROM antiques WHERE track_ID = '$id'");
mysql_function(): WARNING: This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQLextension should be used. See also MySQL: choosing an API guide and related FAQ for more information.
YoussefSiblini
Forum Contributor
Posts: 206
Joined: Thu Jul 21, 2011 1:51 pm

Re: select from table using url variable

Post by YoussefSiblini »

Hi, thanks,
The thing is that it is not an int; it is going to be something like this: 4UkGETIT.
I tried to put it in a variable first and put that variable inside the select query, and I am getting the same error.

Youssef
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Re: select from table using url variable

Post by AbraCadaver »

YoussefSiblini wrote:
Hi, thanks,
The thing is that it is not an int; it is going to be something like this: 4UkGETIT.

Then at least use mysql_real_escape_string() on it. But your example showed an INT.

YoussefSiblini wrote:
I tried to put it in a variable first and put that variable inside the select query, and I am getting the same error.

What error?
YoussefSiblini
Forum Contributor
Posts: 206
Joined: Thu Jul 21, 2011 1:51 pm

Re: select from table using url variable

Post by YoussefSiblini »

OK, I confused you there, sorry.
Here is the full code:


$trackID = $_GET['trackID'];
include 'includes/ALL.php';
$sql_added_Swaps = mysql_query("SELECT * FROM antiques WHERE track_ID = '$trackID'");

$productCount = mysql_num_rows($sql_added_Swaps);
if ($productCount > 0)
{
    while ($row = mysql_fetch_array($sql_added_Swaps))
    {
        $id = $row["id"];
        $track_ID = $row["track_ID"];
        $producttittle = $row["producttittle"];
        $productdescription = $row["productdescription"];
        //what is he expecting in return

        $dateadded = $row["dateadded"];
        echo $email;
    }
}
else
{
    echo "Didn't work";
}
The error I am getting is: Didn't work, which I echoed. It is not picking up the variable value, which is 4UkGETIT. If I use this value instead it works fine.

Don't worry about the security stuff; I want to fix this problem first and I am going to secure it after this.


Youssef
Last edited by YoussefSiblini on Mon Sep 26, 2011 5:22 pm, edited 1 time in total.
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Re: select from table using url variable

Post by AbraCadaver »

Well then $_GET['trackID'] is empty or not set. How do you access this page?
YoussefSiblini
Forum Contributor
Posts: 206
Joined: Thu Jul 21, 2011 1:51 pm

Re: select from table using url variable

Post by YoussefSiblini »

If I echo $trackID it shows that it is picking it up.
Overall:
There are 2 pages.
First page, where the url is:


<a href="edit.php?country=' . $swaptakeplace . '&table= ' . $Category . '&trackID= ' . $track_ID . '">Edit</a>
Second page:


if (isset($_GET['country']))
{
    $country = $_GET['country'];
    $table = $_GET['table'];
    $trackID = $_GET['trackID'];
    echo $trackID;
    include 'includes/ALL.php';
    $sql_added_Swaps = mysql_query("SELECT * FROM antiques WHERE track_ID = '$trackID'");

    $productCount = mysql_num_rows($sql_added_Swaps);
    if ($productCount > 0)
    {
        while ($row = mysql_fetch_array($sql_added_Swaps))
        {
            $id = $row["id"];
            $track_ID = $row["track_ID"];
            $producttittle = $row["producttittle"];
            $productdescription = $row["productdescription"];
            //what is he expecting in return
            $ExchangeWithTittle = $row["ExchangeWithTittle"];
            $ExchangeWithDescription = $row["ExchangeWithDescription"];
            //Info about the owner of the already added product
            $firstname = $row["firstname"];
            $city = $row["city"];
            $country = $row["country"];
            $postalcode = $row["postalcode"];
            $email = $row["email"];
            $Category = $row["Category"]; // what table is it in
            $swaptakeplace = $row["swaptakeplace"];
            $dateadded = $row["dateadded"];
            echo $email;
        }
    }
    else
    {
        echo "<br/>Didn't work";
    }
}
else
{
    echo "You need to click";
}
Which gives a result of:

4UkGETIT
Didn't work

You need a username and a password to enter the page.



Youssef
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Re: select from table using url variable

Post by AbraCadaver »

After the query try:


if (!$sql_added_Swaps) {
    echo mysql_error();
}
Also, when developing you should turn on error reporting for all of your pages:


error_reporting(E_ALL);
ini_set('display_errors', '1');
YoussefSiblini
Forum Contributor
Posts: 206
Joined: Thu Jul 21, 2011 1:51 pm

Re: select from table using url variable

Post by YoussefSiblini »

Thank you for your help. I gave up on using the url variables and used a form instead to pass the variables, which worked fine :)
YoussefSiblini
Forum Contributor
Posts: 206
Joined: Thu Jul 21, 2011 1:51 pm

Re: select from table using url variable

Post by YoussefSiblini »

Hi AbraCadaver,
I just wanted to ask you one more thing, is this secure enough:


$trackID = $_POST['trackID'];
$trackID = preg_replace('#[/]#i', '', $trackID); // replace / with nothing
$trackID = preg_replace('#[$]#i', '', $trackID); // replace $ with nothing
$trackID = str_replace("#", '', $trackID); // replace # with nothing
$trackID = str_replace("^", "try", $trackID);
$trackID = preg_replace('#[*]#i', '', $trackID); // replace * with nothing
$trackID = preg_replace('#[&]#i', '', $trackID); // replace & with nothing

Youssef
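Added example, not code from this thread: the int-cast and mysql_real_escape_string() advice earlier and the character-stripping code in this post both try to keep a URL or form value from altering the SQL, and a parameterised PDO query does that without any character list, while an allowlist check on the token's shape rejects unexpected input up front. The token format (alphanumeric, like 4UkGETIT) is an assumption; the table and column come from the thread; the DSN and credentials are placeholders. The allowlist would also reject the leading space that the first page's `'&trackID= '` href fragment puts in front of the value.

```php
<?php
// Added example (not code from the thread). Looks up an antiques row by the
// track_ID that arrives as a URL/form variable, as the posts above do, but
// without building the SQL string from the input. Assumes PDO with the MySQL
// driver; the DSN, user and password below are placeholders.

declare(strict_types=1);

// Step 1: validate the shape of the token before it goes anywhere near SQL.
// The thread's example value is 4UkGETIT, so we assume 1..32 alphanumerics
// (an assumption; adjust the pattern to the real token format).
function validTrackId(string $raw): ?string
{
    return preg_match('/^[A-Za-z0-9]{1,32}$/', $raw) === 1 ? $raw : null;
}

// Step 2: bind the value as a parameter. The driver sends it separately from
// the statement text, so quotes, '#', '$', '*', '&' in the input are just data.
function findAntiqueByTrackId(PDO $db, string $trackId): ?array
{
    $stmt = $db->prepare('SELECT * FROM antiques WHERE track_ID = :track_ID');
    $stmt->execute([':track_ID' => $trackId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$raw = $_GET['trackID'] ?? $_POST['trackID'] ?? '';
$trackId = validTrackId($raw);
if ($trackId === null) {
    http_response_code(400);
    exit('Invalid trackID');
}

// ERRMODE_EXCEPTION makes a failed query throw instead of silently returning
// false, which is what produced the bare "Didn't work" earlier in the thread.
$db = new PDO(
    'mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4',
    'PLACEHOLDER_USER',
    'PLACEHOLDER_PASSWORD',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

$row = findAntiqueByTrackId($db, $trackId);
if ($row === null) {
    echo 'No antique with that track_ID';
} else {
    // Escape on output too: a database row is data, not trusted HTML.
    echo htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8');
}
```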