onthespot Posted July 17, 2009

The following code I have written displays a blank page?! It's designed to stop anyone typing in the URL, anything other than INT, which that part works. However I have tried to add something that will stop them typing in INTs that aren't valid, so below 1 or above the max news id that is in the table.

```php
$news=mysql_real_escape_string($_GET['news']);
$sql2 = "SELECT COUNT(*) FROM ".TBL_NEWS."";
$result2 = mysql_query($sql2) or trigger_error("SQL", E_USER_ERROR);
$r2 = mysql_fetch_row($result2);
$numrows2 = $r2[0];
$sql3 = "SELECT COUNT(newsid) FROM ".TBL_NEWS."";
$result3 = mysql_query($sql3) or trigger_error("SQL", E_USER_ERROR);
$r3 = mysql_fetch_row($result3);
$numrows3 = $r3[0];
$total = ceil($numrows / $numrows3);
$page = (int) $_GET['news'];
if ($page > $total) {
    $page = $total;
}
if ($page < 1) {
    $page = 1;
}
else if(!is_numeric($news)){
    echo 'This piece of news does not exist. Back to <a href="news.php">News</a>';
    exit();
}
else{
    $res=mysql_query("SELECT * FROM ".TBL_NEWS." WHERE newsid=$news");
    while($row=mysql_fetch_assoc($res)){
        $posted=$row['posted'];
        $date=$row['date'];
        $comment=$row['comment'];
        $subject=$row['subject'];
```

Can anyone help with giving me some direction as how to get this working? Thanks

rhodesa Posted July 17, 2009

You are overthinking this. Instead, just try to select the piece of news out of the table. If it's there, show it; if it's not, show the error:

```php
<?php
$news = (int)$_GET['news']; //Force it to an integer
$res = mysql_query("SELECT * FROM ".TBL_NEWS." WHERE newsid='$news'");
if(mysql_num_rows($res)){
    //We found something
    $row = mysql_fetch_assoc($res);
    $posted=$row['posted'];
    $date=$row['date'];
    $comment=$row['comment'];
    $subject=$row['subject'];
    echo $subject;
}else{
    echo 'This piece of news does not exist. Back to <a href="news.php">News</a>';
    exit;
}
?>
```

onthespot (Author) Posted July 17, 2009

Thanks, will this stop users being able to type whatever they want into the URL? Is it secure?

rhodesa Posted July 17, 2009

Yeah, by forcing the value to an integer, they can't do anything to your database. If they type something else into the URL, it will search the database for it, find nothing, and return the error.

onthespot (Author) Posted July 17, 2009

That's awesome mate, thanks a lot, really helpful
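
The lookup from the answer above, rewritten as an added example (not code from the thread) with strict integer validation, a bound parameter and escaped output; it also prints what the plain `(int)` cast would have searched for, since the cast turns `2abc` into `2` while `FILTER_VALIDATE_INT` rejects it. Assumptions: PDO with an in-memory SQLite database stands in for the poster's MySQL table, the table is named `news` rather than `TBL_NEWS`, the rows are constructed, and `find_news` is a hypothetical helper name.

```php
<?php
// Added example, not code from the thread. Column names follow the posts;
// the rows and the in-memory SQLite database are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (newsid INTEGER PRIMARY KEY, subject TEXT, comment TEXT)');
$db->exec("INSERT INTO news (newsid, subject, comment) VALUES
    (1, 'Site launch', 'We are live.'),
    (2, 'Update <b>2</b>', 'Subject containing markup.')");

/**
 * Return the news row for a raw query-string value, or null if the value
 * is not a positive integer or no such row exists (hypothetical helper).
 */
function find_news(PDO $db, $raw): ?array
{
    // Strict validation: rejects '', 'abc', '2abc', '1.5', 0 and negatives.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Bound parameter: the value is never spliced into the SQL text.
    $stmt = $db->prepare('SELECT newsid, subject, comment FROM news WHERE newsid = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs standing in for $_GET['news'].
foreach (['2', '2abc', '0', '-5', 'abc', '999', null] as $raw) {
    $row = find_news($db, $raw);
    $cast = (int) $raw; // what the plain cast would have searched for
    if ($row === null) {
        printf("%-8s cast=%-4d -> not found\n", var_export($raw, true), $cast);
    } else {
        // Escape on output: stored text is data, not HTML.
        printf("%-8s cast=%-4d -> %s\n", var_export($raw, true), $cast,
            htmlspecialchars($row['subject'], ENT_QUOTES, 'UTF-8'));
    }
}
```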
Archived
This topic is now archived and is closed to further replies.