1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

How to Use $_GET in mysql_query() funcion?

Discussion in 'PHP & Perl' started by back2black, Jul 14, 2009.

Tags:
  1. back2black

    back2black Junior Member

    Joined:
    Dec 20, 2008
    Messages:
    115
    Likes Received:
    28
    Hi All,

    Ive got a page called user.php and when I link to there I get there by sending a URL variable called id.... so basically like this...

    user.php?id=6
    user.php?id=3 etc etc...

    Then in my main code I have a line like this:

    Code:
      <?php
    
    $result = mysql_query("SELECT * FROM sp_table WHERE id=$_GET['id']");
    
    while($row = mysql_fetch_array($result))
      {
      echo $row['name'];
      echo "<br />";
      }
    
    ?>
    For some reason this doesnt work though (i.e. it doesnt display the 'name' field for the given 'id' field).

    I know that the problem part of the code is the $result line because when I replace a plain number instead of the $_GET function it displays the 'name' field ok... i.e. this...:

    Code:
    $result = mysql_query("SELECT * FROM sp_table WHERE id='1'");
    ...would display the correct 'name' field.

    Any ideas what is wrong with my $GET['id'] field?

    Thanks for all your help!
     
  2. Grizzy

    Grizzy Senior Member

    Joined:
    Nov 11, 2008
    Messages:
    919
    Likes Received:
    999
    Well from what you have written,
    Code:
    $result = mysql_query("SELECT * FROM sp_table WHERE id=$_GET['id']");
    is not the same as:
    Code:
    $result = mysql_query("SELECT * FROM sp_table WHERE id='1'");
    If for example, $_GET['id'] = 1, then it would look like this at runtime:
    Code:
    $result = mysql_query("SELECT * FROM sp_table WHERE id=1");
    Do you see the difference? There are no single quotes around the "1". Now I know that mysql itself does not require single-quotes, so that may not be the problem.

    Have you tried to just echo $_GET['id']? If that fails then problem occurs as the variable is passed to php. If you do get an output, maybe try assigning $_GET['id'] to some variable and use that in your query instead. Try to narrow it down a bit. Hope it helps.
     
  3. khan0

    khan0 Registered Member

    Joined:
    Jul 16, 2008
    Messages:
    75
    Likes Received:
    17
    Location:
    Toronto
    Instead of

    PHP:
    $result mysql_query("SELECT * FROM sp_table WHERE id=$_GET['id']");
    Try:

    PHP:
    $id $_GET['id'];
    $result mysql_query("SELECT * FROM sp_table WHERE id=" $id);
    or, with single quotes:

    PHP:
    $id $_GET['id'];
    $result mysql_query("SELECT * FROM sp_table WHERE id='" $id"'");
     
  4. XoC--

    XoC-- Jr. VIP Jr. VIP Premium Member

    Joined:
    Mar 5, 2009
    Messages:
    211
    Likes Received:
    113
    Also you should consider doing the following so nobody can do any SQL injections

    Code:
    $id = mysql_real_escape_string($_GET['id']);
    $id = preg_match("/^[0-9]+$/", $id) ? $id = $id : $id = 1;
    
    This means if id isn't a number it will default to 1

    (sorry if this is off-topic)
     
  5. risefromdeath

    risefromdeath Power Member

    Joined:
    Jul 1, 2009
    Messages:
    650
    Likes Received:
    107
    if it comes to sql injection you can use the is_number() function as well
     
  6. back2black

    back2black Junior Member

    Joined:
    Dec 20, 2008
    Messages:
    115
    Likes Received:
    28
    guys - thanks very much, problem solved...

    appreciated
     
  7. Ueland

    Ueland Registered Member

    Joined:
    May 4, 2009
    Messages:
    97
    Likes Received:
    40
    and to be very clear:

    Do NEVER/EVER(!!) just send variables into SQL-databases without making shure that the data is valid, and secure to put it in. Or else your site WILL be taken down some day.
     
  8. mortenb

    mortenb Newbie

    Joined:
    May 21, 2009
    Messages:
    9
    Likes Received:
    0
    If you want it to be a number then this would work too:
    $id = (int) $_GET['id'];
     
  9. fukinlee

    fukinlee Newbie

    Joined:
    Aug 11, 2009
    Messages:
    22
    Likes Received:
    3
    It depends what your mysql datatype is. Numeric types don't require quotes, but string types do. Always use mysql_real_escape_string() before making the sql query to avoid injections. Also, look up the ctype functions they are really helpful.

    http://us2.php.net/manual/en/book.ctype.php
     
  10. Killswitch

    Killswitch BANNED BANNED

    Joined:
    Aug 9, 2009
    Messages:
    14
    Likes Received:
    5
    Also along with what these guys said, you can append or die(mysql_error()) to your query so if it errors out you can see what MySQL says. Example:

    PHP:
    $query mysql_query('SELECT * FROM table') or die(mysql_error());
     
  11. orangejuice

    orangejuice Registered Member

    Joined:
    Jul 25, 2009
    Messages:
    54
    Likes Received:
    16
    Never do this on a production system. The end-user should never be able to see MySQL errors, one vulnerable query and you're finished.