$_GET used in URL to select MySQL table - fetch array error

Jim_cliff11
Forum Newbie
Posts: 7
Joined: Mon Nov 03, 2003 7:05 am

Post by Jim_cliff11 »

Good evening,

I'm using PHP and MySQL to code up my new site, however difficulties beyond my knowledge or something small I have missed are causing nightmares!
I have used the $_GET function to catch the name of the specified MySQL table in the URL. For example: index.php?table=home. The code below is what I'm using:

<?php
if (!$_GET["table"]) {
  $_GET["table"] = "home";
}
$content = $_GET["table"];
if (!file_exists($content)) {
  $content = "404";
}
?>
In order to troubleshoot this I inserted an echo $content function which simply kept displaying "404" whatever the passed value. This makes me think there is a problem with the above code not capturing the correct value. Just to be sure, I've inserted the code below, which I'm using to display the contents of the specified table.

<?php
echo '<font face="Verdana, Arial, Helvetica, sans-serif">' . $content . '</font>';

require_once("config/db.php");
$connection = mysql_connect($host, $user, $pass) or die ("Unable to connect!");
mysql_select_db($db) or die ("Unable to select database!");

$sql = "select `id`, `context` from $content";
$rslt = mysql_query($sql);

while ($result = mysql_fetch_array($rslt)) {
  $output = wordwrap($result['context'], 100);
  echo '<font face="Verdana, Arial, Helvetica, sans-serif">' . $output . '</font>';
}
?>
Note: If I remove the $content variable from the SQL line and add the actual table name the text is displayed as stored in the table correctly.

Ignoring the echo $content function the page gives me the "Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /wwwroot/...../index.php on line 59" error.

Can anyone point me in the right direction here?
Many thanks,
Jim
Eric!
DevNet Resident
Posts: 1146
Joined: Sun Jun 14, 2009 3:13 pm

Re: $_GET used in URL to select MySQL table - fetch array er

Post by Eric! »

So $content is an actual file that exists on your server in the same directory as this script? If not, then you'll always get a 404 error. file_exists() is looking for a file, not a database table.

I would have to say that $content probably is not set to what you think it is if your query fails, but forcing $content="home"; works.

Also this is a really unsafe way of allowing any user to directly access your database via the URL. I would not put any user data directly into a SQL query because you're asking for trouble. A simple way to limit this would be to have an array of valid table names, say $table[0]="home" and $table[1]="contacts". Then in the query $_GET["table"] looks for a number like 0. Then it pulls the table name out of your array. If the requested number is not inside your $table array, then ignore the request.
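
The allow-list lookup suggested in the reply above, written out as an added example that is not part of the original thread or either poster's code. The table names come from the reply; the helper names resolve_table() and build_query() and the sample inputs are hypothetical.

```php
<?php
// Added example: the URL carries only an index; table names live in a fixed list.
const ALLOWED_TABLES = [0 => 'home', 1 => 'contacts'];

/**
 * Map the raw request value to a table name from the fixed list.
 * Returns null when the value is missing, not a plain number, or out of range.
 */
function resolve_table($raw, array $allowed): ?string
{
    if (!is_string($raw)) {
        return null;                      // missing, or an array such as ?table[]=0
    }
    // Digits only, anchored at both ends: rejects "home", "1abc", "-1", " 1", "".
    if (preg_match('/^[0-9]{1,3}\z/', $raw) !== 1) {
        return null;
    }
    return $allowed[(int) $raw] ?? null;  // unknown index => null
}

/**
 * Build the SELECT from the original post, or return null to ignore the request.
 */
function build_query($raw): ?string
{
    $table = resolve_table($raw, ALLOWED_TABLES);
    if ($table === null) {
        return null;
    }
    // Only a constant from ALLOWED_TABLES ever reaches the SQL text.
    return "SELECT `id`, `context` FROM `$table`";
}

// Constructed sample inputs, standing in for $_GET['table'] (null = parameter absent).
foreach (['0', '1', '7', 'home', '1abc', null, ['0']] as $raw) {
    $sql = build_query($raw);
    echo json_encode($raw), ' => ', $sql ?? '(ignored)', PHP_EOL;
}
```

The returned string can be handed to whichever database API the site uses; the mysql_* functions in the original post were removed in PHP 7.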