
Another question about URL-passed vars

Posted: Wed Nov 24, 2004 2:42 pm
by Wldrumstcs
Ok, I made a page showing a list of all the social studies teachers from my school. It basically displays info from a database. I created a link on each teacher's name to a page called "view.php" that is specific to each teacher. To clarify, here is my script on the page "teachers.php":

Code:

mysql_connect("localhost", $username, $password) or die("Unable to connect to MySQL server.");
$db = mysql_select_db($database) or die("Unable to select requested database.");

// total number of teachers (not used below, but harmless)
$result = mysql_query("select count(*) from teachers");
$number = mysql_result($result, 0);

$query = "SELECT * FROM teachers ORDER BY id ASC";
$result = mysql_query($query);

$num = mysql_num_rows($result);

$i = 0;
while ($i < $num) {
    $id       = mysql_result($result, $i, "id");
    $username = mysql_result($result, $i, "username");   // overwrites the login name used above; fine once connected
    $subjects = mysql_result($result, $i, "subjects");
    $phone    = mysql_result($result, $i, "phone");
    $email    = mysql_result($result, $i, "email");

    // attribute values use single quotes so they do not end the double-quoted string
    echo "
            <tr>
                <td width='25%'>
                <p align='center'><a href='view.php?id=$id'>$username</a></td>
                <td width='25%'>
                <p align='center'>$subjects</td>
                <td width='25%'>
                <p align='center'>$phone</td>
                <td width='25%'>
                <p align='center'><a href='mailto:$email?subject=School'>$email</a></td>
            </tr>
            ";
    $i++;
}

mysql_close();
On the page that will display a teacher's biography (view.php), I need to read the $id variable that was tacked onto the URL. For example, how would I read $id if the URL is "http://***.com/view.php?id=1"? Sorry if my question is confusing.

Posted: Wed Nov 24, 2004 2:44 pm
by rehfeld
echo $_GET['id'];

Posted: Wed Nov 24, 2004 2:50 pm
by Wldrumstcs
BRILLIANT. I feel sooooooooooo stupid. Thanks for the help!

Posted: Wed Nov 24, 2004 3:08 pm
by kral_majales
if your page is on a publicly available site, i would recommend you validate the value of the $_GET['id'] variable, just in case :D

K

Posted: Wed Nov 24, 2004 10:44 pm
by josh
kral_majales wrote:if your page is on a publicly available site, i would recommend you validate the value of the $_GET['id'] variable, just in case :D

K
like use addslashes() and htmlspecialchars()

(just telling him some useful functions used for validating inputs as he seems to be new to php)
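
Putting kral_majales's advice (check $_GET['id'] before using it) and josh's pointer to htmlspecialchars() together, here is a view.php written as an added example; it is not code from the thread or from the original poster. It assumes the "teachers" table teachers.php reads (id, username, subjects, phone, email) plus a hypothetical "bio" column, placeholder connection details, and PHP's mysqli extension with mysqlnd (the mysql_* functions used on this page were removed in PHP 7). Note that addslashes() is not the tool for the database side of this: the id is rejected unless it is a positive integer, and even then it is sent as a bound parameter of a prepared statement rather than pasted into the SQL text.

```php
<?php
// Added example, not code from the thread: a view.php that treats the id
// taken from the URL as untrusted. Assumptions: the "teachers" table has the
// columns teachers.php reads (id, username, subjects, phone, email) plus a
// hypothetical "bio" column; mysqli with mysqlnd is available; credentials
// below are placeholders.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Placeholder credentials; use the same values teachers.php uses.
$username = 'dbuser';
$password = 'dbpass';
$database = 'school';

// Step 1: validate. The only acceptable id is a positive integer. Anything
// else ("1 OR 1=1", "abc", "", an array such as id[]=1) is rejected before
// it gets anywhere near the database.
function read_teacher_id(array $get): ?int
{
    if (!isset($get['id']) || !is_string($get['id'])) {
        return null;
    }
    $id = filter_var($get['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Step 2: query with a prepared statement. The id travels as a bound
// parameter, separate from the SQL text, so it cannot change the query.
function load_teacher(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare(
        'SELECT id, username, subjects, phone, email, bio FROM teachers WHERE id = ?'
    );
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Step 3: escape on output. Every value that came from the database goes
// through htmlspecialchars() before it is placed in HTML, so a record that
// contains "<script>" or a stray quote is displayed, not executed.
function h(?string $s): string
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$id = read_teacher_id($_GET);
if ($id === null) {
    http_response_code(400);
    exit('id must be a positive integer');
}

$db = new mysqli('localhost', $username, $password, $database);
$db->set_charset('utf8mb4');

$teacher = load_teacher($db, $id);
$db->close();
if ($teacher === null) {
    http_response_code(404);
    exit('no such teacher');
}

echo '<h1>' . h($teacher['username']) . '</h1>';
echo '<p>Subjects: ' . h($teacher['subjects']) . '</p>';
echo '<p>Phone: ' . h($teacher['phone']) . '</p>';
echo '<p>Email: <a href="mailto:' . h($teacher['email']) . '?subject=School">'
    . h($teacher['email']) . '</a></p>';
echo '<div>' . nl2br(h($teacher['bio'])) . '</div>';
```

The same three steps apply to teachers.php: the values it prints into the table ($username, $subjects, $phone, $email) come from the database and should go through h() as well, since a record edited by anyone with write access to the table is just as untrusted as a URL parameter.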

Posted: Wed Nov 24, 2004 10:56 pm
by Wldrumstcs
what exactly would either of those two functions do? Also, what does it mean to validate the value of the variable? Thanks.

Posted: Thu Nov 25, 2004 8:42 am
by kral_majales
by 'validate' i mean that you need to check the variable to make sure it contains what you are looking for. you need to watch out for the 'script kiddies' who enjoy trying to break into your site and wreak havoc with everything.

type 'mysql injection' into google, as well as 'cross-site scripting' (abbreviated as XSS) and a whole host of security-related articles will pop up.

i find that writing working apps in php is pretty simple once you have the basics worked out - the time-consuming part tends to be making sure that your site is as 'safe' as it possibly can be. i'm not sure of the 'definitive' way to make a site as safe as possible, but perhaps some of the others here will be able to spell it out in some detail :D

K
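
As an added example (not code from the thread), the following command-line script shows what the two attack classes kral_majales names look like against the teachers.php/view.php pattern posted above, and which of the functions josh mentioned actually stops each. The inputs are constructed for the demonstration and no database is touched; the functions only build the SQL text and HTML the original code would have produced.

```php
<?php
// Added example, not from the thread: what "SQL injection" and "XSS" look
// like against the teachers.php / view.php pattern posted above. Runs from
// the command line with constructed inputs; nothing here touches MySQL.

// ----- SQL injection -------------------------------------------------------

// The original pattern: the URL value is interpolated into the SQL text.
function interpolated_query(string $id): string
{
    return "SELECT * FROM teachers WHERE id = $id";
}

// addslashes() escapes only ' " \ and NUL. It mangles a payload that relies
// on quotes, but a payload aimed at an unquoted numeric comparison contains
// no quotes, so it passes through untouched.
function addslashes_query(string $id): string
{
    return "SELECT * FROM teachers WHERE id = " . addslashes($id);
}

// The validation kral_majales asks for: a positive integer and nothing else.
function is_valid_id(string $id): bool
{
    return preg_match('/^[1-9][0-9]*$/', $id) === 1;
}

$ids = [
    '1',             // legitimate request
    "1' OR '1'='1",  // quote-based payload, the kind addslashes() is meant for
    '1 OR 1=1',      // quote-free payload: addslashes() changes nothing, WHERE matches every row
];
foreach ($ids as $id) {
    printf("id %-18s valid=%s\n", var_export($id, true), is_valid_id($id) ? 'yes' : 'no');
    printf("  interpolated: %s\n", interpolated_query($id));
    printf("  addslashes:   %s\n", addslashes_query($id));
}

// ----- Cross-site scripting ------------------------------------------------

// The original loop emits <a href='mailto:$email?subject=School'>$email</a>
// with a single-quoted attribute. A tampered email value (constructed):
$email = "x@school.example' onmouseover='alert(1)";

function link_unescaped(string $email): string
{
    return "<a href='mailto:$email?subject=School'>$email</a>";
}

// ENT_COMPAT (the default before PHP 8.1) escapes < > & and double quotes
// only, so the single quote that closes this attribute survives and the
// event handler lands in the tag.
function link_ent_compat(string $email): string
{
    $e = htmlspecialchars($email, ENT_COMPAT, 'UTF-8');
    return "<a href='mailto:$e?subject=School'>$e</a>";
}

// ENT_QUOTES escapes both quote styles, so the value cannot leave the
// attribute whichever quoting the template uses.
function link_ent_quotes(string $email): string
{
    $e = htmlspecialchars($email, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<a href='mailto:$e?subject=School'>$e</a>";
}

echo "\nunescaped:  ", link_unescaped($email), "\n";
echo "ENT_COMPAT: ", link_ent_compat($email), "\n";
echo "ENT_QUOTES: ", link_ent_quotes($email), "\n";
```

Run it with `php demo.php` and compare the three query strings for '1 OR 1=1' against the valid=no verdict: escaping functions operate on characters, validation operates on meaning, and for a value that must be a number only the latter helps. The XSS half makes the matching point for output: which characters htmlspecialchars() escapes depends on its flags, so always pass ENT_QUOTES (or run on PHP 8.1+, where it is the default) and match the escaping to the context the value is placed in.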