PHP URL parameters

I am working on my site and I am trying to get the URL parameter "page", which is an integer that tells which entry to read in the MySQL database which supports HTML for all pages. Here is my code with MySQL username and password removed for security reasons:

  if ($_GET["page"]) {
  $con = mysql_connect("localhost","username","password");
  if (!$con)
  {
    die('Could not connect: ' . mysql_error());
  }
  mysql_select_db("jmurano_pages", $con);
  $title=mysql_query("SELECT title FROM pageContent WHERE pageID=" . $_GET['page']);
  echo "<title>" . $title . "</title>\n";
  echo "</head>\n";
  echo "<body>\n";
  $content = mysql_query("SELECT content FROM pageContent WHERE pageID=" . $_GET['page']);
  echo $content;
  echo "\n</body>\n</html>";
}

      

This puts the title as "Resource ID # 2" and the content as "Resource ID # 3". I can't think of what I might have done wrong.


I am still confused. I am a complete newbie to PHP. What exactly do I need to do to access the content and title?

0


source to share


7 replies


Apart from the injection vulnerability (see John's answer), you should get the header from mysql_query using

 $res = mysql_query("SELECT title FROM pageContent WHERE pageID=" . $escapedpage);
 $title = mysql_fetch_assoc($res);
 $title = $title['title'];
 $res2 = mysql_query("SELECT content FROM pageContent WHERE pageID=" . $escapedpage);
 $content = mysql_fetch_assoc($res2);
 $content = $content['content'];

      

However, I think it would be wise if you followed the mysql php online tutorial.



EDIT
even better would be to just use 1 mysql_query like:

$res = mysql_query("SELECT title, content FROM pageContent WHERE pageID=" . $escapedpage);
$row = mysql_fetch_assoc($res);
$title = $row['title'];
$content = $row['content'];

      

This will save you time and script resources as there is only one mysql query needed.
This tutorial is pretty good: http://www.freewebmasterhelp.com/tutorials/phpmysql

+3


source


You obviously have a lot to learn (we all had to start somewhere!), so a single answer on SO won't be able to teach you everything, but here's a starter:

When you run mysql_query on a SELECT query, it will return one of two things:

  • If there was an error in your request, it will return false.
    • Details about this error can be obtained by calling mysql_error()

  • If the request was correct, it will return the resource.
    • Using this resource, you can call other mysql functions to find out information about the dataset you just created using SELECT.
    • mysql_fetch_assoc() will return an associative array of ONE string from your query.
      • Do this to see: $row = mysql_fetch_assoc($resource); print_r($row);
    • Call it again to get the next line.
    • When there are no more rows, mysql_fetch_assoc() will return false.
      • So you can write loops like this:
        while ($row = mysql_fetch_assoc($resource)) {
            // do stuff
        }

+2


source


Here is some pseudo code.

$result = mysql_query($sql);

//for each row in the result, do stuff with it...
while ($row = mysql_fetch_array($result)){
  $title = $row["title"];
  $content = $row["content"];

  //this will show you the row data visually
  //var_dump($row);
}

      

As a PHP newb, learn how to debug (use var_dump if necessary), read the documentation and read tutorials.

Also, there are tons of php + mysql tutorials on the internet ... google "php and mysql"

Good luck!

+1


source


You should get both fields in one request as it will probably be faster. Also assuming the pageID is always an integer, you should cast that to an integer first to prevent SQL injection. I would use something like:

<?php
if (isset($_GET["page"])) {
    $con = mysql_connect("localhost","username","password");
    if (!$con) {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db("jmurano_pages", $con);

    $pageId = (int) $_GET['page'];

    $result = mysql_query('SELECT title, content FROM pageContent WHERE pageID= ' . $pageId);

    if (!$result) {
        die(mysql_error());
    }

    $row = mysql_fetch_assoc($result);

    if (!$row) {
        die('page not found');
    }

    echo "<title>" . $row['title'] . "</title>\n";
    echo "</head>\n";
    echo "<body>\n";
    echo $row['content'];
    echo "\n</body>\n</html>";

} else{ 
    //what are you going to do if page is not passed?
}
?>

      

Note that:

  • You can put your database connection code in a separate location, so you don't need to copy it across multiple pages.
  • You should probably read about SQL injection and some techniques to keep HTML and PHP (presentation and logic) separate, otherwise you might end up with very messy code.

+1


source


You should read the manual: http://de.php.net/mysql_query

Return values

For SELECT, SHOW, DESCRIBE, EXPLAIN and other statements that return a result set, mysql_query() returns a resource on success, or FALSE on error.

For other types of SQL statements, INSERT, UPDATE, DELETE, DROP, etc., mysql_query() returns TRUE on success or FALSE on error.

The returned result resource must be passed to mysql_fetch_array(), and other functions to process the result tables, to access the returned data.

0


source


Also, you have a SQL injection vulnerability ... never put $_GET, $_POST or other custom variables directly into queries.

You should:

$page = $_GET["page"];
$escaped_page = mysql_real_escape_string($page);

      

and put $escaped_page in your request.

0


source
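
The injection fixes suggested in the answers above (the integer cast and the escaping), combined into a validated, parameterized lookup; this is an added example, not code from any of the posters. Escaping by itself does not protect a value that is concatenated unquoted, as in `WHERE pageID=` followed by the parameter, because an input made only of digits, letters and spaces contains nothing to escape. Assumptions: PDO is used because the mysql_* functions were removed in PHP 7, an in-memory SQLite database with constructed rows stands in for jmurano_pages so the script runs offline, and `fetchPage` is a hypothetical name.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// question; the row and the in-memory SQLite database are constructed so the
// script runs offline. With MySQL only the PDO DSN and credentials change.

function fetchPage(PDO $db, $rawPage): ?array
{
    // Accept only a positive decimal integer; "7 OR 1=1", "abc" and a
    // missing parameter (null) all fail validation and return null.
    $pageId = filter_var($rawPage, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($pageId === false) {
        return null;
    }
    // The value is bound as a parameter and never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT title, content FROM pageContent WHERE pageID = :id');
    $stmt->bindValue(':id', $pageId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pageContent (pageID INTEGER PRIMARY KEY, title TEXT, content TEXT)');
$db->exec("INSERT INTO pageContent VALUES (7, 'Home & News', '<p>Welcome</p>')");

// Constructed stand-ins for $_GET['page'].
foreach (['7', '7 OR 1=1', 'abc', '99', null] as $raw) {
    $page = fetchPage($db, $raw);
    if ($page === null) {
        echo var_export($raw, true), " => 404 page not found\n";
        continue;
    }
    // The title lands in a text context, so it is HTML-encoded. The content
    // column holds HTML by design (per the question) and is emitted as is,
    // which assumes only trusted authors can write to it.
    echo var_export($raw, true), ' => <title>',
        htmlspecialchars($page['title'], ENT_QUOTES, 'UTF-8'), '</title> ',
        $page['content'], "\n";
}
```

Only the first input returns a row; the malformed values are rejected before any SQL runs, and 99 is a valid integer with no matching page.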


One more thing .. you can select title and content in one request:

SELECT title, content FROM ....

0


source






