
passing variables through url

Posted: Mon Dec 04, 2006 3:40 pm
by angrypenguin
Hi all, I'm trying to pass a variable to a page using the following code:

<a href="http://www.andyjessop.com/comments.php?postid=$link">

$link is a variable that I have taken from a database table.

I'm then trying to retrieve it using:

mysql_query("SELECT * FROM comments WHERE postid=$link");

Can anyone see what's wrong with this?
You can take a look at the site, if you want, to see what happens when you click on a comments link.

Thanks,

Andy

Posted: Mon Dec 04, 2006 3:50 pm
by ok
First of all, highlight the syntax using [ p h p ] and [ / p h p ].

Secondly,

<?php
$post_id = $_GET['post_id'];
mysql_query("SELECT * FROM `comments` WHERE `postid`=".$post_id); 
?>

Posted: Mon Dec 04, 2006 4:08 pm
by angrypenguin
thanks for that - unfortunately it still sends the whole phrase over ($link). Is there a better way to do what I am attempting?

Thanks
Andy

Posted: Mon Dec 04, 2006 4:10 pm
by angrypenguin
The phrase was $link
Thanks

Posted: Mon Dec 04, 2006 4:17 pm
by andym01480
Teaching Grandmother to suck eggs thing... But you are echoing the url within PHP tags? Otherwise the url would be:

http://www.andyjessop.com/comments.php?postid=$link

<?php
echo "<a href=\"http://www.andyjessop.com/comments.php?postid=$link\"> Blah</a>";
?>

Then look for the same variable, not post_id!!!

<?php 
$postid = $_GET['postid']; 
$query="SELECT * FROM `comments` WHERE `postid`='$postid' ";
mysql_query($query); 
?>
The only danger is that people could change postid in the url to something naughty that damages your database.

$postid=mysql_real_escape_string($_GET['postid']);

would be a safer start

Re: passing variables through url

Posted: Mon Dec 04, 2006 6:44 pm
by RobertGonzalez
comments_list.php

<?php
$link = some_value_already_grabbed();
echo '<a href="http://www.andyjessop.com/comments.php?postid=' . $link . '">';
?>
comments.php

<?php
// YOU REALLY SHOULD VALIDATE THIS BEFORE QUERYING WITH IT
$link = isset($_GET['postid']) ? mysql_real_escape_string($_GET['postid']): (int) 0;

if ($link !== 0)
{
  mysql_query("SELECT * FROM comments WHERE postid=$link");
}
?>
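The link/query pair the thread is debugging, carried through as an added example (not code from any poster): the id is type-checked and bound as a query parameter instead of being interpolated into the SQL string. It assumes a PDO connection (the mysql_* functions used above no longer exist in current PHP) and keeps the thread's `comments`/`postid` names; the `$pdo` credentials are placeholders.

```php
<?php
// Added example, not from the thread. Assumes PDO; DSN/credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=EXAMPLE_DB', 'EXAMPLE_USER', 'EXAMPLE_PASS');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// comments_list.php side: build the link. $link is the integer id already fetched
// from the database. urlencode() protects the query string, htmlspecialchars() the HTML.
function comment_link(int $link): string
{
    $url = 'http://www.andyjessop.com/comments.php?postid=' . urlencode((string) $link);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Comments</a>';
}

// comments.php side: read the id back as an integer, or null if it is missing/invalid.
// Type validation is the real fix here: mysql_real_escape_string() only escapes quote
// and backslash characters, which does nothing for a value dropped into an unquoted
// numeric comparison such as `postid=$postid`.
function read_post_id(array $get): ?int
{
    if (!isset($get['postid'])) {
        return null;
    }
    $id = filter_var($get['postid'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Prepared statement: the value travels separately from the SQL text, so it can
// never alter the structure of the query regardless of what the URL contained.
function fetch_comments(PDO $pdo, int $postid): array
{
    $stmt = $pdo->prepare('SELECT * FROM `comments` WHERE `postid` = :postid');
    $stmt->bindValue(':postid', $postid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$postid = read_post_id($_GET);
if ($postid === null) {
    http_response_code(400);          // reject rather than run a query with a bad id
    exit('Missing or invalid postid');
}
foreach (fetch_comments($pdo, $postid) as $row) {
    echo htmlspecialchars($row['comment'] ?? '', ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

The `comment` column name in the output loop is an assumption, since the thread never lists the table's columns.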