$_GET problem- passing 2 variables

Posted: Thu Sep 29, 2005 6:55 am
by jimath

Hi everyone. I would like your help on how I can pass TWO variables to another page using the GET argument.
There are 2 scripts. In the first, maybe the invalid line is
<td align=center><a href=\"remove_from_students.php?id=$id_student am=$am \">DELETE</a></td>.
But I want to pass the am variable too to remove_from_students.php.
What do I need to do?

the first script:

Code:

<?
include("ptyxiakidbinfo.php");
mysql_connect($host,$username , $password);
mysql_select_db($database) or die( "Unable to select database");

$get_list = ("SELECT id_student , f_name , l_name , am , typical_examino FROM student ORDER BY typical_examino " )  ;

$get_list_res = mysql_query($get_list) or die (mysql_error());


$display_block .= "
<table cellpadding=3 cellspacing=2 border=1 width=98%>
<tr>
<th>FNAME:</th>
<th>LNAME:</th>
<th>&#913;&#924;:</th>
<th>SEMESTER</th>
<th>ACTION</th>
<th>ACTION</th>
</tr>";

while ($line=mysql_fetch_array($get_list_res))
{
$id_student=$line["id_student"];
$f_name=$line["f_name"];
$l_name=$line["l_name"];
$am=$line["am"];
$typical_examino=$line["typical_examino"];

$display_block .= " <tr>
<td align=center>$f_name<br></td>
<td align=center>$l_name<br></td>
<td align=center>$am<br></td>
<td align=center>$typical_examino<br></td>
<td align=center><a href=\"remove_from_students.php ?id=$id_student am=$am \">DELETE</a></td>
<td align=center><a href=\"edit_from_students.php?id=$id_student\">CHANGE</a></td>
</tr>";
}
$display_block .= "</table>";

?>

<?
print $display_block;
print "<br><br><a href=\"adminpage.html\">RETURN TO INDEX</a>";
?>
the remove_from_students.php file:

Code:

<?
include("ptyxiakidbinfo.php");
mysql_connect($host,$username , $password);
mysql_select_db($database) or die( "Unable to select database");


if ($_GET['id'] != ""){


$delete_student = "DELETE   FROM student WHERE id_student =$_GET[id] ";

if (mysql_query($delete_student ) )
{
echo "THE LINE WAS DELETED! <br><br><a href=\"delete_edit_student.php\">RETURN TO EDIT</a><br><br><a href=\"adminpage.html\">RETURN TO INDEX</a>";

}else {
echo "THE LINE WAS NOT DELETED , ERROR!!<br><br><a href=\"delete_edit_student.php\">RETURN TO EDIT</a><br><br><a href=\"adminpage.html\">RETURN TO INDEX</a>";
}


  $delete_student_marks="DELETE FROM  students_marks  WHERE student_am =$_GET[am]";

  if (mysql_query($delete_student_marks ) )
{
echo "THE LINE WAS DELETED! <br><br><a href=\"delete_edit_student.php\">RETURN TO EDIT</a><br><br><a href=\"adminpage.html\">RETURN TO INDEX</a>";

}else {
echo "<br><br><a href=\"delete_edit_student.php\">THE LINE WAS NOT DELETED ,ERROR</a><br><br><a href=\"adminpage.html\">RETURN TO INDEX</a>";
}


}
?>

Posted: Thu Sep 29, 2005 7:00 am
by mickd

Code:

<td align=center><a href=\"remove_from_students.php ?id=$id_student am=$am \">DELETE</a></td>
should be

Code:

<td align=center><a href=\"remove_from_students.php?id=$id_student&am=$am \">DELETE</a></td>
Use the & to separate stuff in the GET.


EDIT: that script looks very insecure; anyone can just go to remove_from_students.php and put ?id=$id_student&am=$am in the URL, where $id_student and $am are the student's id and whatever am should be, to remove a user.

insecure script

Posted: Thu Sep 29, 2005 7:26 am
by jimath
mickd wrote:

Code:

<td align=center><a href="remove_from_students.php ?id=$id_student am=$am ">DELETE</a></td>
should be

Code:

<td align=center><a href="remove_from_students.php?id=$id_student&am=$am ">DELETE</a></td>
Use the & to separate stuff in the GET.


EDIT: that script looks very insecure; anyone can just go to remove_from_students.php and put ?id=$id_student&am=$am in the URL, where $id_student and $am are the student's id and whatever am should be, to remove a user.
Thanks. Now it works.
As for the insecurity of the script, I'd be eager to follow your suggestions.
How can I achieve this while keeping my script secure too? Can I hide the variables from the URL?

Posted: Thu Sep 29, 2005 7:29 am
by shiznatix
Have a login script so you have to log in to be able to even view the delete student stuff. And if someone manually enters it in, then have it so that if there is no logged-in session set, the delete script will never be executed.

PS: please don't [quote] everything you type; it's very annoying trying to find your actual post and what is an actual quote.
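A hardened remove_from_students.php along the lines mickd and shiznatix suggest, added here as an example rather than code from the thread. It assumes a PDO/MySQL connection (the DSN values are placeholders), a login page that already sets $_SESSION['admin_id'], that am is numeric, and the table and column names used in the posted scripts.

```php
<?php
// Added example, not the thread's code. Assumptions: PDO/MySQL with placeholder
// credentials, a login page that sets $_SESSION['admin_id'], numeric id and am,
// and the thread's tables (student.id_student, students_marks.student_am).
session_start();

// 1. Gate: the delete never runs unless a logged-in admin session exists.
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit('Login required.');
}

// 2. Validate input: both parameters must be positive integers, otherwise stop.
$opts = ['options' => ['min_range' => 1]];
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, $opts);
$am = filter_input(INPUT_GET, 'am', FILTER_VALIDATE_INT, $opts);
if (!$id || !$am) {
    http_response_code(400);
    exit('Missing or invalid id/am.');
}

// 3. Parameterised queries: values are bound, never interpolated into the SQL,
//    and the two deletes run in one transaction so marks are not orphaned.
$pdo = new PDO(
    'mysql:host=DB_HOST_PLACEHOLDER;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

try {
    $pdo->beginTransaction();
    // Require id and am to belong to the same row, so a mismatched pair deletes nothing.
    $st = $pdo->prepare('DELETE FROM student WHERE id_student = :id AND am = :am');
    $st->execute([':id' => $id, ':am' => $am]);
    $deleted = $st->rowCount();
    if ($deleted === 1) {
        $st = $pdo->prepare('DELETE FROM students_marks WHERE student_am = :am');
        $st->execute([':am' => $am]);
    }
    $pdo->commit();
    echo $deleted === 1 ? 'THE LINE WAS DELETED!' : 'No matching student.';
} catch (PDOException $e) {
    $pdo->rollBack();
    error_log('delete failed: ' . $e->getMessage()); // details go to the log, not the browser
    echo 'THE LINE WAS NOT DELETED, ERROR!';
}
```

The session check answers the "hide the variables from the URL" question differently: the parameters can stay visible, because without a valid session the script refuses to act on them.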