passing variables through url
Posted: Mon Dec 04, 2006 3:40 pm
by angrypenguin
Hi all, I'm trying to pass a variable to a page using the following code:
Code:
<a href="http://www.andyjessop.com/comments.php?postid=$link">
$link is a variable that I have taken from a database table.
I'm then trying to retrieve it using:
Code:
mysql_query("SELECT * FROM comments WHERE postid=$link");
Can anyone see what's wrong with this?
You can take a look at the site, if you want, to see what happens when you click on a comments link.
Thanks,
Andy
Posted: Mon Dec 04, 2006 3:50 pm
by ok
First of all, highlight the syntax using [ p h p ] and [ / p h p ].
Secondly,
Code:
<?php
$post_id = $_GET['post_id'];
mysql_query("SELECT * FROM `comments` WHERE `postid`=".$post_id);
?>
Posted: Mon Dec 04, 2006 4:08 pm
by angrypenguin
Thanks for that - unfortunately it still sends the whole phrase over ( ). Is there a better way to do what I am attempting?
Thanks
Andy
Posted: Mon Dec 04, 2006 4:10 pm
by angrypenguin
The phrase was [ p h p ] $ l i n k [ / p h p ]
Thanks
Posted: Mon Dec 04, 2006 4:17 pm
by andym01480
Teaching Grandmother to suck eggs thing... But you are echoing the url within PHP tags? Otherwise the url would be
Code:
http://www.andyjessop.com/comments.php?postid=$link
!
Code:
<?php
echo "<a href=\"http://www.andyjessop.com/comments.php?postid=$link\"> Blah</a>";
?>
Then looking for the same variable, not post_id!!!
Code:
<?php
$postid = $_GET['postid'];
$query="SELECT * FROM `comments` WHERE `postid`='$postid' ";
mysql_query($query);
?>
The only danger is that people could change postid in the url to something naughty that damages your database.
Code:
$postid=mysql_real_escape_string($_GET['postid']);
would be a safer start
Re: passing variables through url
Posted: Mon Dec 04, 2006 6:44 pm
by RobertGonzalez
comments_list.php
Code:
<?php
$link = some_value_already_grabbed();
echo '<a href="http://www.andyjessop.com/comments.php?postid=' . $link . '">';
?>
comments.php
Code:
<?php
// YOU REALLY SHOULD VALIDATE THIS BEFORE QUERYING WITH IT
// Cast to int: mysql_real_escape_string() does not protect a value that is used unquoted in the SQL
$link = isset($_GET['postid']) ? (int) $_GET['postid'] : 0;
if ($link !== 0)
{
    mysql_query("SELECT * FROM comments WHERE postid=$link");
}
?>
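Added example (not code from any poster in this thread): the comments.php lookup with postid validated as an integer and bound as a query parameter, instead of being escaped and concatenated into the SQL string. It uses PDO with an in-memory SQLite table so it runs standalone; the table contents, the sample inputs and the fetchComments() helper are constructed for illustration.

```php
<?php
// Constructed sample data: an in-memory table standing in for the thread's `comments` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, postid INTEGER, body TEXT)');
$pdo->exec("INSERT INTO comments (postid, body) VALUES (1, 'first'), (1, 'second'), (2, 'other post')");

/**
 * Hypothetical helper: return the comment bodies for one post,
 * or null when the supplied postid is not a positive integer.
 */
function fetchComments(PDO $pdo, $rawPostId)
{
    // Validate: accept only a positive integer and reject everything else outright.
    // Escaping would leave a value such as "1 OR 1=1" unchanged, because it
    // contains no quote characters, so escaping cannot guard an unquoted number.
    $postId = filter_var($rawPostId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($postId === false) {
        return null;
    }

    // Bind: the value is sent separately from the SQL text, so it cannot
    // change the structure of the query.
    $stmt = $pdo->prepare('SELECT body FROM comments WHERE postid = :postid');
    $stmt->bindValue(':postid', $postId, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs standing in for $_GET['postid'], including tampered
// and malformed values (the last one mimics ?postid[]=1).
$inputs = ['1', '2', '1 OR 1=1', '', 'abc', ['1']];
foreach ($inputs as $raw) {
    $result = fetchComments($pdo, $raw);
    printf("%-12s => %s\n", json_encode($raw), $result === null ? 'rejected' : json_encode($result));
}
```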