#1
Get a MySQL field from a PHP variable
Hi guys!
I'm a bit new to PHP and MySQL. I've built a very basic dynamic site but what I want to do is get an entry from the database depending on an ID passed through the URL.

For example, when a user goes to "www.mysite.com/hello.php?artid=1" I want to call an entry from the database with the ID of 1.

So far I just do it like so:

$sql = "SELECT content FROM dynamic_content WHERE id = 1";

This gives me a variable I want for later but I want to remove the last "id = 1" bit with something like "id = artid" but I'm not sure exactly what I'm supposed to write. I've found some similar articles on the web but haven't managed to find my answer (maybe my terminology is stopping the search engines finding it?)
#2
$sql="SELECT content FROM dynamic_content WHERE id=" . intval($_GET["artid"]);
__________________
Please don't PM me asking for solutions outside the scope of a thread. Keeping all responses in a thread stands to help others who come along later, which is after all what this forum's all about.
#3
That's excellent, thanks!
#4
Tried to use this in some other areas and it wouldn't work, realised afterwards that the intval($_GET["artid"]) bit can be simplified as $_GET["artid"]
Thanks anyway. It worked for what I originally asked for!
#5
That's not a simplification, it's a stripping away of validation. The intval() function converts whatever value it gets to an integer. This helps safeguard against SQL injection attacks (someone passing "1 OR artid=artid" as the artid parameter to get more results than they should have access to, or something more heinous such as "1; DELETE FROM users;//").
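Added example, not part of the original thread: it builds the query from posts #2 and #4 side by side for the two strings quoted in the post above, and adds a stricter check that rejects bad input instead of coercing it. The function names (`build_query_intval`, `build_query_raw`, `parse_id`) and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not from the thread): what intval() does to the values
// quoted above, and a stricter alternative that rejects instead of coercing.

// Constructed stand-ins for $_GET["artid"]; the 2nd and 3rd entries are the
// strings quoted in the post above.
$samples = ['1', '1 OR artid=artid', '1; DELETE FROM users;//', 'abc', ''];

/** Coercing approach from post #2: the appended value is always an integer. */
function build_query_intval(string $raw): string
{
    return 'SELECT content FROM dynamic_content WHERE id=' . intval($raw);
}

/** Unvalidated approach from post #4: the raw text becomes part of the SQL. */
function build_query_raw(string $raw): string
{
    return 'SELECT content FROM dynamic_content WHERE id=' . $raw;
}

/** Stricter check: accept only a positive integer, otherwise return null. */
function parse_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Nothing is executed against a database here; only the SQL text is shown.
foreach ($samples as $raw) {
    printf("input:  %s\n", var_export($raw, true));
    printf("raw:    %s\n", build_query_raw($raw));
    printf("intval: %s\n", build_query_intval($raw));
    printf("strict: %s\n\n", var_export(parse_id($raw), true));
}
```

With intval() the extra text never reaches the SQL, but "abc" and the empty string silently become id 0 and "1 OR artid=artid" becomes id 1; `parse_id()` returns null for all of those, so the page can answer with an error instead of running a query.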
#6
This worked perfectly for me on an edit page. However, I have a separate display page that checks to see if there is a variable passed in the url and if there is to display the information for that record and if not, to display all the items in the table. The page is not throwing an error, but it is also not executing the if statement.
I have

if ($ID) {
    // display individual record
    $sql = "SELECT * FROM property WHERE ID=" . intval($_GET["ID"]);
    ...
} else {
    // display entire list with link to individual record
    $sql = "SELECT * FROM property WHERE Active='1' ORDER BY State, City, StreetName, StreetNumber";
    ....
}

When I click on a link to display the contents for an individual record (i.e., properties.php?ID=1), the first part of the if statement does not execute. Can anyone spot my error?
#7
You'll need to fix all references to $ID so that they're $_GET["ID"]. Check out the condition in your if statement. Fix that and I suspect it'll work.
#8
Thanks. Just out of curiosity, is this a function of my php settings or the version of php?

I am now converting over my code to include $_get and $_post as appropriate. Now I'm having an issue with my update statement. It read

$query = "UPDATE news SET title = 'title', content = 'content', contact = 'contact', timestamp = NOW() WHERE id ="$id";

I have converted it to

$query = "UPDATE news SET title = '$_POST["title"]', content = '$_POST["content"]', contact = '$_POST["contact"]', timestamp = NOW() WHERE id =" . intval($_POST["id"]);

Is this correct, because my page is coming up blank?

Also, is there a way like in asp where you can request a variable and then define it so that you don't have to keep using $_post throughout the page? For example, in asp you would say sTitle = request.form("title") and then when you are doing your validation and your SQL statements you just refer to the variable as sTitle. Is the php equivalent

$Title = $_Post("Title")

Will that work?
#9
This is a function possibly of both PHP settings and version. Recent versions of PHP have register_globals turned off. This prevents your just using the variable name that matches submitted field names. So in that regard, it's partially a version issue. But it's also a settings issue, because you can turn register_globals back on in your php.ini and avoid the problem (not a good idea, though; it's turned off for a reason). There's a sticky on register_globals in the PHP forum.
Your query may be screwed in this case because you're trying to print array values within quotes (and within quotes within quotes, no less). Print your query. If it comes across printing the array/variable names rather than their values, try using the dot operator to concatenate the parts of your query, like this: PHP Code:
I believe you can also use notation something like $_POST{title} inside quotation marks without any problems.

Regarding using the names rather than the array references, you can use $title=$_POST["title"] if you like. I think you can also use the extract() function to create variables whose names and values correspond to the names and values in your array. In my opinion, this is a bad idea. I prefer to keep my variables scoped within their arrays because this lets me know at all times what scope I'm in and keeps me from overwriting values or creating bugs by inadvertently overwriting values in variables with common names.
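Added example, not part of the original thread: the UPDATE from post #8 written with PDO bound parameters, so the quoting problem discussed above does not arise and the string fields, which intval() cannot protect, never become part of the SQL text. Assumptions: PDO with the SQLite driver and an in-memory table standing in for the MySQL `news` table, CURRENT_TIMESTAMP in place of NOW(), a hypothetical `update_news()` helper, and constructed form data in place of a real $_POST.

```php
<?php
// Added example (not from the thread). In-memory SQLite stands in for the
// MySQL database so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT,
            content TEXT, contact TEXT, timestamp TEXT)');
$pdo->exec("INSERT INTO news (id, title, content, contact)
            VALUES (1, 'old title', 'old content', 'old contact')");

// Constructed submission; the apostrophes would break a concatenated query.
$post = [
    'id'      => '1',
    'title'   => "This week's update",
    'content' => "It's live",
    'contact' => "o'brien@example.com",
];

/** Update one news row; returns the number of rows changed. */
function update_news(PDO $pdo, array $post): int
{
    // The id must be a positive integer; reject anything else outright.
    $id = filter_var($post['id'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    // Placeholders keep the SQL text fixed; the values travel separately.
    $stmt = $pdo->prepare(
        'UPDATE news SET title = :title, content = :content,
                contact = :contact, timestamp = CURRENT_TIMESTAMP
          WHERE id = :id'
    );
    $stmt->execute([
        ':title'   => (string) ($post['title'] ?? ''),
        ':content' => (string) ($post['content'] ?? ''),
        ':contact' => (string) ($post['contact'] ?? ''),
        ':id'      => $id,
    ]);
    return $stmt->rowCount();
}

printf("rows updated: %d\n", update_news($pdo, $post));
$row = $pdo->query('SELECT title, contact FROM news WHERE id = 1')
           ->fetch(PDO::FETCH_ASSOC);
printf("title:   %s\ncontact: %s\n", $row['title'], $row['contact']);
```

Against MySQL the DSN passed to the PDO constructor is the part that changes; the prepared statement and the bound values stay the same.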
Viewing: Dev Articles Community Forums > Programming > PHP Development > Get a MySQL field from a PHP variable