Brian W Posted September 23, 2008

Hi, I have a record-set that uses a URL variable to filter. The variable is $_GET['Project']. Here is my query info:

```php
$colname_Files = "-1";
if (isset($_GET['Project'])) {
  $colname_Files = $_GET['Project'];
}
mysql_select_db($database_Test, $Test);
$query_Files = sprintf("SELECT * FROM Files WHERE Project = ".$colname_Files;
$Files = mysql_query($query_Files, $Test) or die(mysql_error());
$row_Files = mysql_fetch_assoc($Files);
$totalRows_Files = mysql_num_rows($Files);
```

When my URL is "file.php?Project=1" it works fine, but as soon as I use the <a name=... and go to, let's say, "file.php?Project=1#6", my recordset seems to only get the first record when there should be like 10 records with Project == "1" ???

Any suggestions greatly appreciated.

kenrbnsn Posted September 23, 2008

You have to loop through the returned dataset:

```php
<?php
$colname_Files = "-1";
if (isset($_GET['Project'])) {
  $colname_Files = $_GET['Project'];
}
mysql_select_db($database_Test, $Test);
// Closing parenthesis of sprintf() added; the query is still built by concatenation.
$query_Files = sprintf("SELECT * FROM Files WHERE Project = ".$colname_Files);
$Files = mysql_query($query_Files, $Test) or die(mysql_error());
$totalRows_Files = mysql_num_rows($Files);
// Fetch every row of the result, not just the first one.
while ($row_Files = mysql_fetch_assoc($Files)) {
  echo $row_Files['column_name'] . '<br>';
}
?>
```

Ken

nadeemshafi9 Posted September 23, 2008

First off, use error_reporting(2047) to get more errors, then stop using a GET variable in your SQL. Someone could easily inject your database with a DELETE like -- blah, because -- is a comment and comments your code and lets them do theirs.

You probably have an error, that's why # messes it up. The # means you clicked something like an anchor. Is there any processing in that?

```php
$query_Files = sprintf("SELECT * FROM Files WHERE Project = ".$colname_Files;
```

missing )

Brian W Posted September 23, 2008

My repeat region does the looping.

```php
<?php if ($totalRows_Files > 0) { // Show if recordset not empty ?>
<table width="100%" border="0" align="center" cellpadding="0" cellspacing="0" class="tasks">
  <tr>
    <td colspan="3" class="key style8"><div align="left">Files</div></td>
    <td width="8%" class="key"><div align="left">Upload Date</div></td>
  </tr>
  <?php do { ?>
  <tr>
    <td width="3%"><div align="center" class="style7">
      <div align="center"><a href="DeleteFile.php?Project=<?php echo $_GET['Project']; ?>&File=<?php echo $row_Files['File']; ?>"><img src="x.bmp" alt="" width="14" height="14" /></a></div>
    </div></td>
    <td width="5%"><div align="center" class="style11"> FILE </div></td>
    <td width="84%"><div align="left"><a href=".../EPM/uploads/<?php echo $row_Files['File'] ?>"><?php echo $row_Files['File']; ?></a><a href=".../EPM/uploads/<?php echo $row_Files['File'] ?>"> </a></div></td>
    <td><div align="left"><?php echo $row_Files['Date']; ?> </div></td>
  </tr>
  <tr>
    <td colspan="4" height="5" class="spacer"></td>
  </tr>
  <?php } while ($row_Files = mysql_fetch_assoc($Files));//HERE IS THE LOOP ?>
  <tr>
    <td colspan="4"><div align="right"><a href="upload.php?Project=<?php echo $_GET['Project']; ?>">ADD FILE</a></div></td>
  </tr>
</table>
<?php } // Show if not empty?>
```

Like I said, it works till I have the "#" tacked on... I don't mean to shoot your idea down, I just don't understand how it works w/o the "#" if it is a looping problem.

Thank you.

kenrbnsn Posted September 23, 2008

The "#" in a URL is not passed to PHP. It is used by the browser as an anchor designation. Pick a different delimiter to use to specify looping.

Ken

Brian W Posted September 23, 2008

> First off, use error_reporting(2047) to get more errors, then stop using a GET variable in your SQL. Someone could easily inject your database with a DELETE like -- blah, because -- is a comment and comments your code and lets them do theirs.
>
> You probably have an error, that's why # messes it up. The # means you clicked something like an anchor. Is there any processing in that?
>
> $query_Files = sprintf("SELECT * FROM Files WHERE Project = ".$colname_Files;
>
> missing )

Good call on the inject... can I just run some stripping on the $_GET['Project'] to rid it of possible threatening characters? I really don't know any other way to filter my database based on a link they click. I guess I might be able to use JavaScript onclick handlers to post a form with variables... I'd rather not though, because some people disable JavaScript.

Thank you.

discomatt Posted September 23, 2008

> The "#" in a URL is not passed to PHP. It is used by the browser as an anchor designation. Pick a different delimiter to use to specify looping.
>
> Ken

This is not entirely true, as parse_url() can return the fragment/anchor... but you are correct. The # symbol is messing it up. You can pick a different delimiter or use the URL-encoded version ( %23 )

Brian W Posted September 23, 2008

> > The "#" in a URL is not passed to PHP. It is used by the browser as an anchor designation. Pick a different delimiter to use to specify looping.
> >
> > Ken
>
> This is not entirely true, as parse_url() can return the fragment/anchor... but you are correct. The # symbol is messing it up. You can pick a different delimiter or use the URL-encoded version ( %23 )

I'm sorry, I didn't understand either of you. I'll look up parse_url right now and I guess I'll try figuring out what ( %23 ) is too.

I fought inject with

```php
$colname_Files = "-1";
if (isset($_GET['Project'])) {
  $colname_Files = ereg_replace("[^0-9]", "", $_GET['Project']); //only numbers are output
}
```

echo $colname_Files returns a plain number.

Here is the latest thing I found. I now discovered it's not happening with the "#", it happens when another variable is added to the mix: "file.php?Project=1&ID=4#4". The "ID=4#4" is what you go to when you select a particular file. The ID=4 does not mess with the recordset (seemingly).

discomatt Posted September 23, 2008

Try "file.php?Project=1&ID=4%234"

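
Added example, not code from any poster in this thread: it shows what the server receives for the three link shapes discussed above ("#4", "%234", and a non-numeric Project value) and how Project can be validated as an integer and bound as a query parameter instead of being concatenated or stripped. The helper names and table rows are constructed for illustration, and PDO with in-memory SQLite stands in for the thread's MySQL connection.

```php
<?php
// Added example: helper names are hypothetical, table rows are constructed.
// Uses PDO with in-memory SQLite (pdo_sqlite) in place of the thread's MySQL.

// The part after "#" is a fragment: the browser keeps it, so only the query
// string ends up in $_GET. "%23" is an encoded "#" and stays inside the value.
function split_link(string $link): array
{
    $parts = parse_url($link);
    parse_str($parts['query'] ?? '', $get);   // what PHP would expose as $_GET
    return ['get' => $get, 'fragment' => $parts['fragment'] ?? null];
}

// Accept Project only when the whole value is a positive integer. Stripping
// non-digits instead would turn "1 OR 1=1" into 111, a different project.
function project_id(array $get): ?int
{
    $id = filter_var($get['Project'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function files_for_project(PDO $db, array $get): array
{
    $id = project_id($get);
    if ($id === null) {
        return [];                            // rejected input never reaches SQL
    }
    $stmt = $db->prepare('SELECT File, Date FROM Files WHERE Project = ?');
    $stmt->execute([$id]);                    // bound parameter, no concatenation
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Files (Project INTEGER, File TEXT, Date TEXT)');
$db->exec("INSERT INTO Files VALUES (1, 'a.pdf', '2008-09-01'),
           (1, 'b.pdf', '2008-09-02'), (2, 'c.pdf', '2008-09-03')");

$links = ['file.php?Project=1&ID=4#4',      // fragment is not part of the query
          'file.php?Project=1&ID=4%234',    // encoded "#" stays in ID's value
          'file.php?Project=1%20OR%201=1']; // Project is not an integer
foreach ($links as $link) {
    $req = split_link($link);
    printf("%s\n  GET=%s fragment=%s rows=%d\n", $link, json_encode($req['get']),
           var_export($req['fragment'], true),
           count(files_for_project($db, $req['get'])));
}
```

The `mysql_*` and `ereg_*` functions used in the thread were removed in PHP 7, so current code needs PDO or mysqli for the query either way.
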
nadeemshafi9 Posted September 24, 2008

> > First off, use error_reporting(2047) to get more errors, then stop using a GET variable in your SQL. Someone could easily inject your database with a DELETE like -- blah, because -- is a comment and comments your code and lets them do theirs.
> >
> > You probably have an error, that's why # messes it up. The # means you clicked something like an anchor. Is there any processing in that?
> >
> > $query_Files = sprintf("SELECT * FROM Files WHERE Project = ".$colname_Files;
> >
> > missing )
>
> Good call on the inject... can I just run some stripping on the $_GET['Project'] to rid it of possible threatening characters? I really don't know any other way to filter my database based on a link they click. I guess I might be able to use JavaScript onclick handlers to post a form with variables... I'd rather not though, because some people disable JavaScript.
>
> Thank you.

You should get each record one by one and all of its relations, then find matches in any of them. If so, put the data from these records into a string, at the same time add formatting to it, then give this string a number of times the word occurs in it, then put this string in an array. Do this for all records, then arrange the array by the numerical values that you gave it. Now you have an advanced search and you didn't put any filter in the SQL.