pass username in a link!

Posted: Sun Oct 28, 2007 11:30 pm
by johnnymac131
feyd | Please use [code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


I am receiving this error. I am trying to pass the username in a link so I can use it to delete from two tables. This is how I've done it:

Code:

// Build the edit link; the href value is quoted and URL-encoded so the username is read as a single attribute value
echo "<p><h4><a href=\"editor.php?edit=" . urlencode($row['username']) . "\">" . $row['edit_fname'] . " " . $row['edit_lname'] . "</a></h4></p>";

It seems to be able to get the username OK, but in the next window I'm getting this error. Any ideas?

Invalid query: Unknown column 'jmac232' in 'where clause' Whole query: SELECT * FROM editor WHERE username=jmac232

This is my query that is returning the error:

Code:

$edit = $_GET['edit'];
// Formulate Query
// This is the best way to perform a SQL query
// For more examples, see mysql_real_escape_string()
$query = sprintf("SELECT * FROM editor WHERE username=" . $edit);

Re: pass username in a link!

Posted: Mon Oct 29, 2007 12:28 am
by Christopher
You need quotes around the value in your where clause; you don't need sprintf; and you need to escape values you receive from untrusted sources. I could recommend filtering the $_GET value using preg_replace() or equivalent.

Code:

$edit = $_GET['edit'];
// Formulate Query
// This is the best way to perform a SQL query
// For more examples, see mysql_real_escape_string()
$query = "SELECT * FROM editor WHERE username='" . mysql_real_escape_string($edit) . "'";
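
The same lookup and link written the way a practitioner would do it today, as an added example that is not from this thread or from either poster. It assumes the `editor` table and `username` column from the question, a mysqli connection for the escaped form and a PDO connection for the prepared form; the DSN and credentials shown are placeholders. Note that mysql_real_escape_string() and the rest of the old mysql extension were removed in PHP 7, so the mysqli equivalent is used.

```php
<?php
declare(strict_types=1);

// Christopher's fix in modern form: quoted AND escaped. The quotes are not
// optional, because escaping only neutralises characters inside a string
// literal; the escaping itself needs the connection's character set, which is
// why mysqli_real_escape_string() takes the connection as its first argument.
function buildEscapedQuery(mysqli $db, string $edit): string
{
    return "SELECT * FROM editor WHERE username='"
        . mysqli_real_escape_string($db, $edit) . "'";
}

// The form to prefer: a prepared statement. The value never becomes part of
// the SQL text, so quoting and escaping are handled by the driver, and a
// username containing an apostrophe (O'Brien) or a quote works like any other.
function findEditor(PDO $pdo, string $edit): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM editor WHERE username = :username');
    $stmt->execute([':username' => $edit]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The link from the first post, with the username URL-encoded for the query
// string and all dynamic text HTML-escaped so it cannot break out of the
// attribute or inject markup into the page.
function editorLink(array $row): string
{
    $href = 'editor.php?edit=' . rawurlencode($row['username']);
    $text = $row['edit_fname'] . ' ' . $row['edit_lname'];
    return '<h4><a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</a></h4>';
}

// Usage sketch (placeholder host, database and credentials):
// $pdo = new PDO('mysql:host=localhost;dbname=example_db;charset=utf8mb4',
//                'db_user', 'db_password', [
//                    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//                    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
//                ]);
// $row = findEditor($pdo, $_GET['edit'] ?? '');
// if ($row !== null) { echo editorLink($row); }
```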

Posted: Mon Oct 29, 2007 12:38 am
by johnnymac131
Cheers for that, works now.