Can't pass a string in the GET function

kalp1200
Forum Newbie
Posts: 19
Joined: Tue Aug 26, 2008 8:57 pm

Can't pass a string in the GET function

Post by kalp1200 »

Hi,

I am linking a search page to an Add page. The attributes would be copied from the selected record to another table. I have created my search page using the primary key id - this id is in varchar. I could get my code working (the code below shows the GET function used). However, the code is only working when the id is INT; how do I get it to accept strings?

include ('connect.php');
$id = $_GET['id'];
$result = mysql_query("SELECT * FROM administrator WHERE Admin_ID=$id");
$row = mysql_fetch_array($result);
Mark Baker
Forum Regular
Posts: 710
Joined: Thu Oct 30, 2008 6:24 pm

Re: Can't pass a string in the GET function

Post by Mark Baker »

String values need to be quoted in SQL.

Code: Select all

 
$result = mysql_query("SELECT * FROM administrator WHERE Admin_ID='$id'");
 
You're passing a string via GET, which might contain spaces, quotation marks or other unusual characters, so you might need to use urldecode before embedding it in your SQL.

And don't forget to escape it to prevent SQL injection.
Syntac
Forum Contributor
Posts: 327
Joined: Sun Sep 14, 2008 7:59 pm

Re: Can't pass a string in the GET function

Post by Syntac »

Mark Baker wrote: You're passing a string via GET, which might contain spaces, quotation marks or other unusual characters, so you might need to use urldecode before embedding it in your SQL.
$_GET variables are automatically URL-decoded. Any half-decent user agent automatically URL-encodes everything, so I don't think this is necessary.

And yes, you should always escape your SQL.
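The lookup discussed in this thread, as an added example that is not part of any post: it uses a PDO prepared statement in place of the hand quoting and escaping the posters mention (a swapped-in technique), so a varchar id containing spaces or quotation marks is bound as data. Assumptions: an in-memory SQLite database with constructed rows stands in for the MySQL connection from connect.php, `parse_str` stands in for how PHP fills `$_GET`, and `findAdmin` is a hypothetical helper.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// question; the SQLite in-memory database and the sample rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE administrator (Admin_ID VARCHAR(20) PRIMARY KEY, Name TEXT)');
$insert = $pdo->prepare('INSERT INTO administrator (Admin_ID, Name) VALUES (?, ?)');
foreach ([['AD 01', 'Alice'], ["O'Brien", 'Bob']] as $sample) {
    $insert->execute($sample);
}

// Hypothetical helper: look up one administrator by its varchar key.
// The id is bound as a parameter rather than interpolated into the SQL
// string, so no manual quoting or escaping is involved.
function findAdmin(PDO $pdo, string $id): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM administrator WHERE Admin_ID = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed query strings, parsed the way PHP fills $_GET: the values
// arrive already URL-decoded, so no urldecode() call is needed.
$requests = [
    'id=AD%2001',   // encoded space
    'id=O%27Brien', // encoded quotation mark
    'id=AD-99',     // well-formed id with no matching row
    'id[]=AD%2001', // array instead of a string
];

foreach ($requests as $query) {
    parse_str($query, $get);
    $id = $get['id'] ?? null;
    // Validate type and length before the value reaches the database.
    if (!is_string($id) || $id === '' || strlen($id) > 20) {
        echo "$query => rejected: id must be a string of 1 to 20 characters\n";
        continue;
    }
    $row = findAdmin($pdo, $id);
    echo "$query => id=" . var_export($id, true) . ' => '
        . ($row ? $row['Name'] : 'no match') . "\n";
}
```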