$_GET problem- passing 2 variables

jimath
Forum Newbie
Posts: 7
Joined: Fri Sep 23, 2005 3:56 am

$_GET problem- passing 2 variables

Post by jimath »


Hi everyone. I would like your help on how I can pass TWO variables to another page using the GET argument.
There are 2 scripts. In the first, maybe this line is invalid:
<td align=center><a href=\"remove_from_students.php?id=$id_student am=$am \">DELETE</a></td>.
But I want to pass the am variable too, to remove_from_students.php.
What do I need to do?

the first script:

Code:

<?
include("ptyxiakidbinfo.php");
mysql_connect($host,$username , $password);
mysql_select_db($database) or die( "Unable to select database");

$get_list = ("SELECT id_student , f_name , l_name , am , typical_examino FROM student ORDER BY typical_examino " )  ;

$get_list_res = mysql_query($get_list) or die (mysql_error());


$display_block = "
<table  cellpadding=3 cellspacing=2 border=1 width=98%>
<tr>
<th>FNAME:</th>
<th>LNAME:</th>
<th>&#913;&#924;:</th>
<th>SEMESTER</th>
<th>ACTION</th>
<th>ACTION</th>
</tr>";

while ($line=mysql_fetch_array($get_list_res))
{
$id_student=$line["id_student"];
$f_name=$line["f_name"];
$l_name=$line["l_name"];
$am=$line["am"];
$typical_examino=$line["typical_examino"];

$display_block .= " <tr>
<td align=center>$f_name<br></td>
<td align=center>$l_name<br></td>
<td align=center>$am<br></td>
<td align=center>$typical_examino<br></td>
<td align=center><a href=\"remove_from_students.php ?id=$id_student am=$am \">DELETE</a></td>
<td align=center><a href=\"edit_from_students.php?id=$id_student\">CHANGE</a></td>
</tr>";
}
$display_block .= "</table>";

?>

<?
print $display_block;
print "<br><br><a href=\"adminpage.html\">RETURN TO INDEX</a>";
?>
the remove_from_students.php file:

Code:

<?
include("ptyxiakidbinfo.php");
mysql_connect($host,$username , $password);
mysql_select_db($database) or die( "Unable to select database");


if  ($_GET['id']  != ""){


$delete_student = "DELETE   FROM student WHERE id_student =$_GET[id] ";

if (mysql_query($delete_student ) )
{
echo "THE LINE WAS DELETED! <br><br><a href=\"delete_edit_student.php\">RETURN TO EDIT</a><br><br><a href=\"adminpage.html\">RETURN TO INDEX</a>";

}else {
echo "THE LINE WAS NOT DELETED , ERROR!!<br><br><a href=\"delete_edit_student.php\">RETURN TO EDIT</a><br><br><a href=\"adminpage.html\">RETURN TO INDEX</a>";
}


  $delete_student_marks="DELETE FROM  students_marks  WHERE student_am =$_GET[am]";

  if (mysql_query($delete_student_marks ) )
{
echo "THE LINE WAS DELETED! <br><br><a href=\"delete_edit_student.php\">RETURN TO EDIT</a><br><br><a href=\"adminpage.html\">RETURN TO INDEX</a>";

}else {
echo "<br><br><a href=\"delete_edit_student.php\">THE LINE WAS NOT DELETED ,ERROR</a><br><br><a href=\"adminpage.html\">RETURN TO INDEX</a>";
}


}
?>
mickd
Forum Contributor
Posts: 397
Joined: Tue Jun 21, 2005 9:05 am
Location: Australia

Post by mickd »

Code:

<td align=center><a href=\"remove_from_students.php ?id=$id_student am=$am \">DELETE</a></td>
should be

Code:

<td align=center><a href=\"remove_from_students.php?id=$id_student&am=$am \">DELETE</a></td>
Use the & to separate stuff in the GET.


EDIT: that script looks very insecure; anyone can just go to remove_from_students.php and put in the URL ?id=$id_student&am=$am, where $id_student and $am are the student's id and what am should be, to remove a user.
jimath
Forum Newbie
Posts: 7
Joined: Fri Sep 23, 2005 3:56 am

insecure script

Post by jimath »

mickd wrote:

Code:

<td align=center><a href="remove_from_students.php ?id=$id_student am=$am ">DELETE</a></td>
should be

Code:

<td align=center><a href="remove_from_students.php?id=$id_student&am=$am ">DELETE</a></td>
Use the & to separate stuff in the GET.


EDIT: that script looks very insecure; anyone can just go to remove_from_students.php and put in the URL ?id=$id_student&am=$am, where $id_student and $am are the student's id and what am should be, to remove a user.

Thanks. Now it works.
As for the insecurity of the script, I'd be eager to follow your suggestions.
How can I achieve this, having my script secure too? Can I hide the variables from the URL?
shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia

Post by shiznatix »

Have a login script so you have to log in to be able to even view the delete student stuff. And if someone manually enters it in, then have it so that if there is no logged-in session set, the delete script will never be executed.

PS: please don't [quote] everything you type, it's very annoying trying to find your actual post and what is an actual quote.
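
The session check described in the reply above, applied to remove_from_students.php, as an added example that is not part of the original thread or any poster's code. The login.php script, the session keys admin_id and csrf_token, the switch from a GET link to a POST form, and treating am as an integer are all assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Assumptions: login.php (hypothetical)
// sets $_SESSION['admin_id'] and $_SESSION['csrf_token'] after a successful login,
// the DELETE link is replaced by a form that POSTs id, am and csrf_token,
// and am is an integer (the original query uses it unquoted).
session_start();
include("ptyxiakidbinfo.php"); // defines $host, $username, $password, $database

// 1. No logged-in session: stop before any query runs.
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit("Not logged in.");
}

// 2. A delete changes state: accept POST only and require the per-session token,
//    so a link on another site cannot trigger it through a logged-in browser.
$token = $_POST['csrf_token'] ?? '';
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !is_string($token)
    || empty($_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $token)) {
    http_response_code(400);
    exit("Invalid request.");
}

// 3. Validate both parameters; filter_input returns null (missing) or false (not an int).
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
$am = filter_input(INPUT_POST, 'am', FILTER_VALIDATE_INT);
if (!is_int($id) || !is_int($am)) {
    http_response_code(400);
    exit("Invalid id or am.");
}

// 4. Bound parameters keep request values out of the SQL text.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    $db = new mysqli($host, $username, $password, $database);
    $stmt = $db->prepare("DELETE FROM students_marks WHERE student_am = ?");
    $stmt->bind_param("i", $am);
    $stmt->execute();
    $stmt = $db->prepare("DELETE FROM student WHERE id_student = ?");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    echo "THE LINE WAS DELETED!";
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage()); // keep DB error details out of the response
    echo "THE LINE WAS NOT DELETED, ERROR!";
}
```

Moving id and am out of the URL into a POST body does not protect the script by itself; the session check in step 1 is what rejects a request from someone who is not logged in.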