select from table using url variable

Posted: Mon Sep 12, 2011 7:23 am
by YoussefSiblini
Hi,
I am trying to select from the table but I am not sure how to include the $_GET['trackID'] in the select query.
If I use the code below I get an error:

Code:

mysql_query( "SELECT * FROM antiques WHERE track_ID = '$_GET['trackID']'");
but if I use the actual trackID number from the table it works:

Code:

mysql_query( "SELECT * FROM antiques WHERE track_ID = '23' ");
So I think I am not including $_GET['trackID'] correctly in the select query.


Youssef

Re: select from table using url variable

Posted: Mon Sep 12, 2011 10:06 am
by AbraCadaver
Well, first, that is very unsafe as the user could pass anything in as the trackID. So force it to the type you need. Also, look here for why you get an error: http://www.php.net/manual/en/language.types.string.php

Code:

$id = (int)$_GET['trackID'];
mysql_query( "SELECT * FROM antiques WHERE track_ID = '$id'");

Re: select from table using url variable

Posted: Mon Sep 12, 2011 10:09 am
by YoussefSiblini
Hi Thanks,
The thing is that it is not an int; it is going to be something like this: 4UkGETIT.
I tried to put it in a variable first and put that variable inside the select query, and I am getting the same error.

Youssef

Re: select from table using url variable

Posted: Mon Sep 12, 2011 10:13 am
by AbraCadaver
YoussefSiblini wrote:
Hi Thanks,
The thing is that it is not an int; it is going to be something like this: 4UkGETIT.
Then at least use mysql_real_escape_string() on it. But your example showed an INT.
YoussefSiblini wrote:
I tried to put it in a variable first and put that variable inside the select query, and I am getting the same error.
What error?

Re: select from table using url variable

Posted: Mon Sep 12, 2011 10:55 am
by YoussefSiblini
OK, I confused you there, sorry.
Here is the full code:

Code:

$trackID = $_GET['trackID'];
include 'includes/ALL.php';
$sql_added_Swaps = mysql_query("SELECT * FROM antiques WHERE track_ID = '$trackID'");

$productCount = mysql_num_rows($sql_added_Swaps);
if ($productCount > 0)
{
    while ($row = mysql_fetch_array($sql_added_Swaps))
    {
        $id = $row["id"];
        $track_ID = $row["track_ID"];
        $producttittle = $row["producttittle"];
        $productdescription = $row["productdescription"];
        // what is he expecting in return

        $dateadded = $row["dateadded"];
        echo $email;
    }
}
else
{
    echo "Didn't work";
}
The error I am getting is: "Didn't work", which I echoed. It is not picking up the variable value, which is 4UkGETIT. If I use this value instead it works fine.

Don't worry about the security stuff; I want to fix this problem first and I am going to secure it after this.


Youssef

Re: select from table using url variable

Posted: Mon Sep 12, 2011 11:00 am
by AbraCadaver
Well then $_GET['trackID'] is empty or not set. How do you access this page?

Re: select from table using url variable

Posted: Mon Sep 12, 2011 11:16 am
by YoussefSiblini
If I echo $trackID it shows that it is picking it up.
Overall:
There are 2 pages.
First page, where the URL is:

Code:

<a href="edit.php?country=' . $swaptakeplace . '&table= ' . $Category . '&trackID= ' . $track_ID . '">Edit</a>
Second page:

Code:

if (isset($_GET['country']))
{
    $country = $_GET['country'];
    $table = $_GET['table'];
    $trackID = $_GET['trackID'];
    echo $trackID;
    include 'includes/ALL.php';
    $sql_added_Swaps = mysql_query("SELECT * FROM antiques WHERE track_ID = '$trackID'");

    $productCount = mysql_num_rows($sql_added_Swaps);
    if ($productCount > 0)
    {
        while ($row = mysql_fetch_array($sql_added_Swaps))
        {
            $id = $row["id"];
            $track_ID = $row["track_ID"];
            $producttittle = $row["producttittle"];
            $productdescription = $row["productdescription"];
            // what is he expecting in return
            $ExchangeWithTittle = $row["ExchangeWithTittle"];
            $ExchangeWithDescription = $row["ExchangeWithDescription"];
            // Info about the owner of the already added product
            $firstname = $row["firstname"];
            $city = $row["city"];
            $country = $row["country"];
            $postalcode = $row["postalcode"];
            $email = $row["email"];
            $Category = $row["Category"]; // what table is it in
            $swaptakeplace = $row["swaptakeplace"];
            $dateadded = $row["dateadded"];
            echo $email;
        }
    }
    else
    {
        echo "<br/>Didn't work";
    }
}
else
{
    echo "You need to click";
}
Which will give a result of:

4UkGETIT
Didn't work

You need a username and a password to enter the page.



Youssef

Re: select from table using url variable

Posted: Mon Sep 12, 2011 12:09 pm
by AbraCadaver
After the query try:

Code:

if(!$sql_added_Swaps) {
   echo mysql_error();
}
Also, when developing you should turn on error reporting for all of your pages:

Code:

error_reporting(E_ALL);
ini_set('display_errors', '1');

Re: select from table using url variable

Posted: Mon Sep 12, 2011 12:41 pm
by YoussefSiblini
Thank you for your help. I gave up on using the URL variables and used a form instead to pass the variables, which worked fine :)

Re: select from table using url variable

Posted: Tue Sep 13, 2011 7:42 am
by YoussefSiblini
Hi AbraCadaver,
I just wanted to ask you one more thing. Is this secure enough:

Code:

$trackID = $_POST['trackID'];
$trackID = preg_replace('#[/]#i', '', $trackID); // remove /
$trackID = preg_replace('#[$]#i', '', $trackID); // remove $
$trackID = str_replace("#", '', $trackID);       // remove #
$trackID = str_replace("^", "try", $trackID);
$trackID = preg_replace('#[*]#i', '', $trackID); // remove *
$trackID = preg_replace('#[&]#i', '', $trackID); // remove &

Youssef
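Casting, escaping and stripping characters, as discussed through the thread, are all blacklists; the durable fix is to reject anything that is not a well-formed track ID and to hand the value to the database as a bound parameter. The following is an added example, not code from the thread: it assumes track IDs are alphanumeric like 4UkGETIT (the 1..16 length bound is a guess), uses PDO with an in-memory SQLite table standing in for `antiques`, and trims the input because the href on the first page emits `trackID= ` with a space after the equals sign, which gives the parameter a leading space that a plain string comparison would not match. Table names such as `$table` cannot be bound this way and would need checking against a fixed list of known table names before ever reaching SQL.

```php
<?php
// Added example (not from the thread): allowlist validation plus a prepared
// statement in place of string interpolation and character blacklisting.
// An in-memory SQLite database makes it runnable offline; the real page
// would give PDO a MySQL DSN instead.
declare(strict_types=1);

// Track IDs in the thread look like "4UkGETIT": letters and digits only.
// The length bound (1..16) is an assumption, not something the thread states.
function normalizeTrackId(string $raw): ?string
{
    // The thread's href emits "trackID= 4UkGETIT", so strip the stray space first.
    $id = trim($raw);
    return preg_match('/^[A-Za-z0-9]{1,16}$/', $id) === 1 ? $id : null;
}

// Look up one antique by track ID. The value is bound as a parameter, so the
// database never interprets it as SQL, whatever characters it contains.
function findAntique(PDO $db, string $rawTrackId): ?array
{
    $trackId = normalizeTrackId($rawTrackId);
    if ($trackId === null) {
        return null; // reject malformed input instead of trying to "clean" it
    }
    $stmt = $db->prepare(
        'SELECT id, track_ID, producttittle, email FROM antiques WHERE track_ID = :tid'
    );
    $stmt->execute([':tid' => $trackId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data standing in for the antiques table.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE antiques (id INTEGER PRIMARY KEY, track_ID TEXT, producttittle TEXT, email TEXT)');
$db->exec("INSERT INTO antiques (track_ID, producttittle, email) VALUES ('4UkGETIT', 'Oak clock', 'owner@example.com')");

// Simulated $_GET / $_POST values (constructed): the thread's value with the
// leading space from the href, the clean value, a value containing a quote
// character that would have broken the interpolated query, and an unknown ID.
$inputs = [' 4UkGETIT', '4UkGETIT', "4Uk'GETIT", 'nosuchid'];
foreach ($inputs as $raw) {
    $row = findAntique($db, $raw);
    printf("%-12s => %s\n", var_export($raw, true), $row === null ? 'no row' : 'found ' . $row['producttittle']);
}
```

The first two inputs find the row, the quoted one is rejected by the allowlist before any SQL runs, and the last simply returns no row; none of them changes the query text.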