Can't pass a string in the GET function

Posted: Mon Dec 22, 2008 11:33 pm
by kalp1200
Hi,

I am linking a search page to an Add page. The attributes would be copied from the selected record to another table. I have created my search page using the primary key id; this id is in varchar. I could get my code working (the code below shows the GET function used). However, the code is only working when the id is INT. How do I get it to accept strings?

include ('connect.php');
$id = $_GET['id'];   // raw query-string value (PHP has already URL-decoded it)
// Admin_ID is varchar: with no quotes around $id, MySQL reads a non-numeric value
// as a column name or a syntax error instead of a string literal.
$result = mysql_query("SELECT * FROM administrator WHERE Admin_ID=$id");
$row = mysql_fetch_array($result);

Re: Can't pass a string in the GET function

Posted: Tue Dec 23, 2008 2:06 am
by Mark Baker
String values need to be quoted in SQL

// Quoting makes $id a string literal; the value itself is still interpolated unescaped.
$result = mysql_query("SELECT * FROM administrator WHERE Admin_ID='$id'");
You're passing a string via GET, which might contain spaces, quotation marks or other unusual characters, so you might need to use urldecode before embedding it in your SQL.

And don't forget to escape it to prevent SQL Injection

Re: Can't pass a string in the GET function

Posted: Tue Dec 23, 2008 10:36 pm
by Syntac
Mark Baker wrote: You're passing a string via GET, which might contain spaces, quotation marks or other unusual characters, so you might need to use urldecode before embedding it in your SQL.
$_GET variables are automatically URL-decoded. Any half-decent user agent automatically URL-encodes everything, so I don't think this is necessary.

And yes, you should always escape your SQL.
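As an added example (not code from the thread), the same lookup written with a prepared statement, which is the escaping both replies call for, done by the database driver instead of by hand; it also covers Syntac's point, since $_GET['id'] is used directly with no urldecode. It uses PDO because the ext/mysql functions in the thread were removed in PHP 7.0; the DSN, credentials and the 400/404 handling are assumptions, while the table and column names come from the thread.

```php
<?php
// Added example, not from the original thread: Admin_ID is varchar, so the id is
// sent as a bound parameter rather than spliced into the SQL text. Quotes, spaces
// or anything else in the value can change the data, never the statement.
declare(strict_types=1);

function connect(): PDO
{
    // Placeholder DSN and credentials; substitute the settings from connect.php.
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'secret', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

/**
 * Fetch one administrator row by its varchar primary key, or null if none matches.
 * No quoting or escaping of $id is needed: the driver sends it separately from the SQL.
 */
function findAdministrator(PDO $pdo, string $id): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM administrator WHERE Admin_ID = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// $_GET values are already URL-decoded by PHP; only reject a missing/empty id.
$id = $_GET['id'] ?? null;
if (!is_string($id) || $id === '') {
    http_response_code(400);
    exit('Missing id');
}

$row = findAdministrator(connect(), $id);
if ($row === null) {
    http_response_code(404);
    exit('No such administrator');
}
// $row now holds the selected record, ready to be copied into the other table.
```

The same approach with mysqli is mysqli_prepare() followed by bind_param() with type 's' for the varchar id.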