#1
I am having a problem passing a querystring to a select statement to return a specific table row from a database.
I have a list of links that are built from a database query, like this: PHP Code:
When a user clicks a link and the page "www.mysite.com\myprocesspage.php?case_id=1" loads, I would like to be able to then query a database to retrieve the data for case_id=1. Example: SELECT * FROM mytable where case_id=??? I can do this easily in ASP/VB but I am new to PHP and don't know how to do this. Any help would be appreciated. Thanks.

#2
|
|||
|
|||
|
Hi
This is the sample file which shall list all the records with the hyperlink:

    mysql_connect($host, $UserName, $Password);
    mysql_select_db("mydatabase");
    $query = "select * from casetable";
    $result = mysql_query($query);
    while ($row = mysql_fetch_array($result)) { // get all the rows
        echo "<a href='myprocesspage.php?case_id=" . $row["case_id"] . "'>" . $row["case_name"] . "</a>";
    }

This is the code for myprocesspage.php:

    mysql_connect($host, $UserName, $Password);
    mysql_select_db("mydatabase");
    $query = "select * from casetable where userid=$case_id"; // $case_id is filled from the querystring (register_globals)
    $result = mysql_query($query);
    $row = mysql_fetch_array($result);
    echo $row['case_name'];

Hope this helps
Cheers
Jayesh Jain

#3
Thanks a lot. I didn't realize that PHP automatically created variables this way, I thought it was only from forms. Glad to have this resource! Later.

#4
Actually it should be

    $query = "select * from casetable where userid={$_POST['case_id']}";

otherwise you may run into errors.

#5
|
|||
|
|||
|
Thanks Ben. I'll give it a go.
#6
Sorry Ben,
but you don't have to use {$_POST['case_id']} (I mean it is OK, but you can still do without it), as PHP creates a variable for all the form variables or the variables passed in the URL, e.g. test.php?case_id=10
Cheers
Jayesh

#7
|
|||
|
|||
|
Actually I read the post a bit fast; it should be

    {$_GET['case_id']}

Anyway, PHP actually stopped the generation of POST and GET variables like $case_id at version 4.0, I think. It can be a security risk calling without defining what type of variable it is.

#8
|
|||
|
|||
|
Hi Ben,
I wrote a small PHP file (phpiis) with this code

    <? echo $myname; ?>

and clicked this on my web browser http://localhost/phpiis.php?myname=jayesh which displayed the name (it worked !!!!). I also tried

    <HTML>
    <BODY>
    <FORM ACTION=phpiis.php>
    <INPUT type=text name=myname>
    <INPUT type=submit>
    </FORM>
    </BODY>
    </HTML>

which also worked. I am using PHP version 4.2.3. I am not arguing, but this was just for your information.
Cheers
Jayesh Jain

#9
|
|||
|
|||
|
Oh OK. Oh well,
but the bad thing about that is you could do something like this: membersloginsection.php?user=1, then you could change that to 2 and would be able to access someone's data, even if you submit it via a form. It's easier to hack when you don't use them. That's why, so if you post data, you can't send it via GET, etc.

#10
|
|||
|
|||
|
Also, make sure you're running some sort of check to validate your GET variables. Since a user can just type in anything he wants, you need to be certain he's not typing in something that could screw your page up.
The first step in doing this is clear coding, and that implies using the superglobal arrays to track your request variables ($_GET and $_POST). First, you will need to check that the value is numeric (in this case). The is_numeric() function will work for that. Second, you need to be able to handle it if the id doesn't exist, so make sure you check the results from your query. If you're using MySQL, you can simply use the mysql_num_rows() function for this. For other db functions check php.net and pear.php.net (for the PEAR DB functions). Finally, you need to make sure there are no OTHER variables that the users can tamper with via GET. This is something you have to do on every page. Essentially, any variables that control access to pages or to features that alter the database content in any way need to be preset to 0 or NULL in your scripts so that malicious users can't force logins, force database alterations, etc.

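The following is an added example, not code posted in this thread, that pulls together the advice from posts #2, #7, #9 and #10: read `case_id` from `$_GET` rather than a register_globals variable, check that it is numeric before it reaches SQL, handle the "no such row" case, and tie the lookup to the logged-in user so that changing `?case_id=1` to `?case_id=2` cannot reach someone else's record. It swaps the thread's `mysql_*` calls for PDO prepared statements (a bound parameter cannot change the structure of the query the way string interpolation can). Everything else is assumed for the demo: an in-memory SQLite database, a `casetable` with a constructed `owner_id` column, and a session user id that real login code would keep in `$_SESSION`.

```php
<?php
// Added example (not from the thread): a hardened myprocesspage.php.
// Assumptions (constructed for this demo): table `casetable` with columns
// case_id, owner_id, case_name; an in-memory SQLite database via PDO; and a
// session user id that would normally come from $_SESSION after login.
declare(strict_types=1);

// --- constructed sample data so the script runs offline --------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE casetable (case_id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, case_name TEXT NOT NULL)');
$db->exec("INSERT INTO casetable VALUES (1, 10, 'Alpha'), (2, 10, 'Beta'), (3, 20, 'Gamma')");

/**
 * Look up one case on behalf of the current user.
 * Returns the row, or null when the id is malformed, missing, or not owned by $userId.
 */
function loadCase(PDO $db, array $get, int $userId): ?array
{
    // 1. Read the value from the superglobal explicitly; never rely on register_globals.
    $raw = $get['case_id'] ?? null;

    // 2. Validate the type before the value goes anywhere near SQL.
    //    is_string() rejects ?case_id[]=1 (PHP would hand us an array);
    //    ctype_digit() rejects "1 OR 1=1", "1.5", "", and negative values.
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    $caseId = (int) $raw;

    // 3. Bind the value as a parameter: it travels separately from the SQL text,
    //    so it can only ever be compared, never executed.
    // 4. Check ownership in the same query so a user cannot walk ids
    //    (?case_id=1, ?case_id=2, ...) into another user's records.
    $stmt = $db->prepare(
        'SELECT case_id, case_name FROM casetable WHERE case_id = :id AND owner_id = :owner'
    );
    $stmt->execute([':id' => $caseId, ':owner' => $userId]);

    // 5. Handle "no such row" explicitly instead of echoing fields from a false result.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- simulated requests (on a real page $_GET is filled from the querystring) ---
$sessionUserId = 10; // would normally be read from $_SESSION after login

foreach (['1', '3', '1 OR 1=1', '', 'abc'] as $input) {
    $row = loadCase($db, ['case_id' => $input], $sessionUserId);
    if ($row === null) {
        // Same response whether the row is missing or belongs to someone else,
        // so the page does not confirm which ids exist.
        echo 'case_id=' . htmlspecialchars($input) . ": not found\n";
    } else {
        // Escape on output so database content is not reflected as live HTML.
        echo 'case_id=' . $row['case_id'] . ': ' . htmlspecialchars($row['case_name']) . "\n";
    }
}
```

Run with `php myprocesspage_demo.php`: only `case_id=1` prints a name; `3` is rejected by the ownership check, and the non-numeric inputs never reach the database. The `fetch() === false` test plays the role post #10 assigns to `mysql_num_rows()`; with PDO there is no need to count rows separately before reading the first one.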
#11
|
|||
|
|||
|
Jayesh, the reason it worked is because you have "register_globals" set to "on"... I'm surprised it was working, as I understood "register_globals" were automatically set to "off" after version 4.1. Perhaps you changed the setting?
__________________
Frank Manno - Developer Shed Weekly Writer | DevArticles Forum Moderator

#12
|
|||
|
|||
|
Frankie,
I am using PHP v. 4.1.1 and it works for me. I left the settings on default for installation too. Funny thing is that both books I have on PHP 4 say nothing of the _$GET and _$POST methods for URL appending. The books are "Beginning PHP 4" and "Professional PHP Programming". I searched and searched for $GET and $POST and the only thing mentioned was the GET and POST form submission methods. I'm sure you are right, along with Ben and others, but it makes you wonder which way to go.

#13
|
|||
|
|||
|
Quantum,
Make sure you're searching for "$_POST" or "$_GET" and not "_$GET" or "_$POST". The superglobals were developed for security purposes, and are recommended for any type of PHP development. Although many people continue to use their variables in a global context, it's stressed that you use the superglobal arrays. Read here for some more information.

#14
|
|||
|
|||
|
Thanks Frankie, I'll take your advice and use the superglobals.
Viewing: Dev Articles Community Forums > Programming > General Programming Help > Using Querystring in Select statement