Passing variables through URL

angrypenguin
Forum Newbie
Posts: 5
Joined: Sun Dec 03, 2006 3:12 pm

Passing variables through URL

Post by angrypenguin »

Hi all, I'm trying to pass a variable to a page using the following code:

Code: Select all

<a href="http://www.andyjessop.com/comments.php?postid=$link">
$link is a variable that I have taken from a database table.

I'm then trying to retrieve it using:

Code: Select all

mysql_query("SELECT * FROM comments WHERE postid=$link");
Can anyone see what's wrong with this?
You can take a look at the site, if you want, to see what happens when you click on a comments link.

Thanks,

Andy
ok
Forum Contributor
Posts: 393
Joined: Wed May 31, 2006 9:20 am
Location: The Holy Land

Post by ok »

First of all, highlight the syntax using [ p h p ] and [ / p h p ].

Secondly,

Code: Select all

<?php
$post_id = $_GET['post_id'];
mysql_query("SELECT * FROM `comments` WHERE `postid`=".$post_id); 
?>
angrypenguin
Forum Newbie
Posts: 5
Joined: Sun Dec 03, 2006 3:12 pm

Post by angrypenguin »

Thanks for that - unfortunately it still sends the whole phrase over ($link). Is there a better way to do what I am attempting?

Thanks
Andy
angrypenguin
Forum Newbie
Posts: 5
Joined: Sun Dec 03, 2006 3:12 pm

Post by angrypenguin »

The phrase was [ p h p ] $ l i n k [ / p h p ]
Thanks
andym01480
Forum Contributor
Posts: 390
Joined: Wed Apr 19, 2006 5:01 pm

Post by andym01480 »

Teaching Grandmother to suck eggs thing... But you are echoing the url within PHP tags? Otherwise the url would be

Code: Select all

http://www.andyjessop.com/comments.php?postid=$link
!

Code: Select all

<?php
echo "<a href=\"http://www.andyjessop.com/comments.php?postid=$link\"> Blah</a>";
?>

Then looking for the same variable, not post_id!!!

Code: Select all

<?php 
$postid = $_GET['postid']; 
$query="SELECT * FROM `comments` WHERE `postid`='$postid' ";
mysql_query($query); 
?>
The only danger is that people could change postid in the url to something naughty that damages your database.

Code: Select all

$postid=mysql_real_escape_string($_GET['postid']);
would be a safer start
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Re: Passing variables through URL

Post by RobertGonzalez »

comments_list.php

Code: Select all

<?php
$link = some_value_already_grabbed();
echo '<a href="http://www.andyjessop.com/comments.php?postid=' . $link . '">';
?>
comments.php

Code: Select all

<?php
 // YOU REALLY SHOULD VALIDATE THIS BEFORE QUERYING WITH IT
$link = isset($_GET['postid']) ? mysql_real_escape_string($_GET['postid']) : (int) 0;

if ($link !== 0)
{
  // Escaping only protects a value that sits inside quotes in the SQL
  mysql_query("SELECT * FROM comments WHERE postid='$link'");
}
?>
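A hardened version of the two pages discussed in this thread, as an added example that is not part of the original posts: it validates `postid` as an integer and binds it through a PDO prepared statement instead of the `mysql_*` functions (removed in PHP 7.0). An in-memory SQLite database with constructed rows stands in for the poster's MySQL table, and the function names `comments_link` and `fetch_comments` are hypothetical.

```php
<?php
// Added example: in-memory SQLite stands in for the poster's MySQL database
// so the script runs offline. Table layout and rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, postid INTEGER, body TEXT)');
$pdo->exec("INSERT INTO comments (postid, body) VALUES (7, 'first'), (7, 'second'), (8, 'other post')");

// comments_list.php side: build the link inside PHP, encoded for URL and HTML.
function comments_link(int $postId): string
{
    $url = 'http://www.andyjessop.com/comments.php?' . http_build_query(['postid' => $postId]);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Comments</a>';
}

// comments.php side: accept only a positive integer, then bind it as a parameter.
function fetch_comments(PDO $pdo, array $query): ?array
{
    $postId = filter_var(
        $query['postid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($postId === false) {
        return null; // missing or not an integer: caller should answer 400/404
    }
    $stmt = $pdo->prepare('SELECT body FROM comments WHERE postid = :postid ORDER BY id');
    $stmt->bindValue(':postid', $postId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

echo comments_link(7), PHP_EOL;

// Constructed query strings standing in for $_GET.
$samples = [
    ['postid' => '7'],         // valid id
    ['postid' => '7 OR 1=1'],  // no quote characters, so escaping alone leaves it unchanged
    ['postid' => '$link'],     // literal text sent when the link is not echoed from PHP
    [],                        // parameter missing
];
foreach ($samples as $q) {
    $rows = fetch_comments($pdo, $q);
    printf("%-12s => %s\n", var_export($q['postid'] ?? null, true),
        $rows === null ? 'rejected' : implode(', ', $rows));
}
```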