ren, posted April 11, 2008

Excuse the noob question. I'm looking to reference another file's variable.

    $query = "SELECT id, qty, mthd, duedate, link FROM solt ORDER BY duedate LIMIT $offset, $rowsPerPage";
    $result = mysql_query($query) or die ('Error, query failed');
    while($dbRow = mysql_fetch_array($result, MYSQL_ASSOC)) {
        print("<tr>\n");
        print("<td><a href=\"update.php?ref=" ."{$dbRow['id']}" ."\">{$dbRow['id']}</a></td>\n");

So this should create a link to update.php?ref=GG where GG is an ID from my mysql query. Then I want to create update.php file which also has a mysql query:

    $query = "SELECT id, good, qty, mthd, duedate, wincost, link notes FROM solt WHERE id = GG";
    mysql_query($query) or die ('Error in query');

My question then is how do I reference GG in update.php when it's from a separate file? Thanks in advance. I searched the forums for similar questions and couldn't find an appropriate answer.

-ren
discomatt, posted April 11, 2008

    $_GET['ref'];
ren, posted April 14, 2008

(quoting discomatt)
    $_GET['ref'];

Thank you for the very quick response. However, I'm not sure what to do with that. I placed it in the update.php file in place of GG and I get this error:

    Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /var/www/site/history/update.php on line 27

Here is my exact line of code:

    $query = "SELECT * FROM solt WHERE id = $_GET['ref']";
    mysql_query($query) or die ('Error in query');

Thanks,
-ren
discomatt, posted April 14, 2008

You can't use associative arrays directly in your double quoted strings. Try this:

    $query = "SELECT * FROM solt WHERE id = {$_GET['ref']}";
    mysql_query($query) or die ('Error in query');

Also, try accessing your page like this...

    update.php?ref='1 OR 1=1'

This is a classic SQL injection attempt.... it's a very basic idea, but as you can see the end user can enter any SQL queries they want... For this example, all you have to do is make sure the value entered into $_GET['ref'] is a number... easy enough:

    if (is_numeric($_GET['ref']) {
        $query = "SELECT * FROM solt WHERE id = {$_GET['ref']}";
        mysql_query($query) or die ('Error in query');
    } else {
        // an injection attempt may have been made
    }

As you can see, it's very important to sanitize user data before using it in a query, or even outputting it to the browser.
GingerRobot, posted April 14, 2008

discomatt: the is_int function will return false on all information from the GET and POST arrays. The function checks the variable's type, which will always be a string from these sources. You can use the ctype_digit() function, however. Though for things like the id of a row in a database, I prefer to use type casting:

    $id = (int) $_GET['id'];

Edit: Sorry, ignore. This applies with the is_int function, not is_numeric.
discomatt, posted April 14, 2008

Ignored. Also, forcing a given type still is not the best way to do it in my opinion.. It still returns '0' in the case of a string. It still results in a query being executed, and could return bad data.
ren, posted April 15, 2008

(quoting discomatt's reply above)

discomatt - cheers! this worked brilliantly. The only problem - for those who find this later - is that your code above is missing a " ) " before the first " { ". Seems like it should be:

    if (is_numeric($_GET['ref'])) {
        $query = "SELECT * FROM solt WHERE id = {$_GET['ref']}";
        mysql_query($query) or die ('Error in query');
    } else {
        // an injection attempt may have been made
    }

Thanks again
-ren
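A hardened version of the update.php lookup the thread converges on, as an added example that is not code from any of the posters: it validates $_GET['ref'] as a strict integer (rejecting inputs that is_numeric() accepts and that an (int) cast would silently turn into 0, the two caveats raised by GingerRobot and discomatt) and then uses a prepared statement instead of interpolating the value into the SQL string. It assumes PDO with the SQLite driver so it runs offline against a constructed in-memory `solt` table; the column names follow ren's query, the row data is made up.

```php
<?php
// Added example, not code from the thread. Validates the ref parameter strictly
// and binds it as a parameter, so user input is never parsed as SQL.

// Return the id as an int, or null if the input is not a plain positive integer.
// FILTER_VALIDATE_INT rejects what is_numeric() accepts ("1e3", " 1", "1.5")
// and what (int) casting would silently map to 0 ("abc").
function validateRef($raw): ?int {
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Fetch one row by id with a bound parameter; the text of $raw never reaches the SQL.
function fetchSoltRow(PDO $db, int $id): ?array {
    $stmt = $db->prepare(
        'SELECT id, good, qty, mthd, duedate, wincost, link, notes FROM solt WHERE id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- demo against constructed data (in-memory SQLite, assumed available) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE solt (id INTEGER PRIMARY KEY, good TEXT, qty INTEGER, mthd TEXT,
           duedate TEXT, wincost REAL, link TEXT, notes TEXT)');
$db->exec("INSERT INTO solt VALUES (1, 'widget', 10, 'air', '2008-05-01', 12.5, 'http://example.invalid/1', 'constructed')");
$db->exec("INSERT INTO solt VALUES (2, 'gadget', 3, 'sea', '2008-06-01', 40.0, 'http://example.invalid/2', 'constructed')");

// Inputs in the order the thread raises them: a normal id, the injection string from
// discomatt's post, a value is_numeric() would let through, and a non-numeric string.
foreach (["2", "'1 OR 1=1'", "1e3", "abc"] as $raw) {
    $id = validateRef($raw);
    if ($id === null) {
        printf("ref=%-12s rejected before any query runs\n", var_export($raw, true));
        continue;
    }
    $row = fetchSoltRow($db, $id);
    printf("ref=%-12s -> %s\n", var_export($raw, true),
        $row ? "row {$row['id']} ({$row['good']})" : 'no such row');
}
```

The same validate-then-bind pattern applies to the mysql_* code in the thread once it is moved to mysqli or PDO; the old mysql_query() API has no parameter binding, which is why string interpolation was the only option there.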