pass username in a link!

johnnymac131
Forum Newbie
Posts: 11
Joined: Sun Oct 28, 2007 11:51 am

Post by johnnymac131 »

feyd | Please use [code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


I am receiving this error. I am trying to pass the username in a link so I can use it to delete from two tables. This is how I've done it:

Code: Select all

echo ("<p><h4>" . "<a href=editor.php?edit=" . $row['username']. ">" . $row['edit_fname'] . " " . $row['edit_lname'] . "</a>" . "</h4></p>");
It seems to be able to get the username OK, but in the next window I'm getting this error. Any ideas?

Invalid query: Unknown column 'jmac232' in 'where clause' Whole query: SELECT * FROM editor WHERE username=jmac232

This is my query that is returning the error:

Code: Select all

$edit = $_GET['edit'];
// Formulate Query
// This is the best way to perform a SQL query
// For more examples, see mysql_real_escape_string()
$query = sprintf("SELECT * FROM editor WHERE username=" . $edit);

Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: pass username in a link!

Post by Christopher »

You need quotes around the value in your where clause; you don't need sprintf; and you need to escape values you receive from untrusted sources. I could recommend filtering the $_GET value using preg_replace() or equivalent.

Code: Select all

$edit = $_GET['edit'];
// Formulate Query
// This is the best way to perform a SQL query
// For more examples, see mysql_real_escape_string()
$query = "SELECT * FROM editor WHERE username='" . mysql_real_escape_string($edit) . "'";
(#10850)
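
An added example, not part of the original thread: the same lookup done with a PDO prepared statement rather than the mysql_real_escape_string() call in the reply above, together with the link built using URL and HTML encoding. The in-memory SQLite table, its rows and the lookupEditor()/editorLink() helper names are assumptions made so the snippet runs on its own.

```php
<?php
// Added example (not from the thread). Assumes the pdo_sqlite extension;
// the table contents and both helper functions are constructed for illustration.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE editor (username TEXT PRIMARY KEY, edit_fname TEXT, edit_lname TEXT)");
$pdo->exec("INSERT INTO editor VALUES ('jmac232', 'John', 'Mac'), ('o''neil', 'Pat', 'O''Neil')");

// The value travels as a bound parameter, so it is never parsed as SQL:
// no manual quoting or escaping, and apostrophes in usernames just work.
function lookupEditor(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM editor WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Building the link: rawurlencode() for the query-string value,
// htmlspecialchars() for everything placed into HTML, and a quoted href.
function editorLink(array $row): string
{
    $href = 'editor.php?edit=' . rawurlencode($row['username']);
    $name = $row['edit_fname'] . ' ' . $row['edit_lname'];
    return '<h4><a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</a></h4>';
}

// Stand-in for $_GET['edit'] on the receiving page (constructed values).
foreach (['jmac232', "o'neil", 'nobody'] as $edit) {
    $row = lookupEditor($pdo, $edit);
    echo $row === null ? "no editor named {$edit}\n" : editorLink($row) . "\n";
}
```

The same prepare()/execute() pattern applies to the DELETE statements the original post mentions; only the SQL text changes.
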
johnnymac131
Forum Newbie
Posts: 11
Joined: Sun Oct 28, 2007 11:51 am

Post by johnnymac131 »

Cheers for that, works now.