An easier way?


doddsey_65

Hi. At the minute I have a tutorials page for my website which lists all the tutorials in the database from a certain user. Let's call this user JOHN. The URL would be tutorials.john.php

When someone clicks on a tutorial it takes them to the URL tutorials.john.php?id=the tutorial id.

So my code is like:

if URL = tutorials.john.php?id=1

then show embed code for tutorial.

Then I have several elseif statements for when the id = another number.

Because I have over 150 tutorials I have just been copying the elseif statement and changing the id numbers, since there are about 4 queries in each statement.

Is there any way to do this so I don't have to copy the elseif statement over 150 times?

Hopefully I described this clearly enough.

Here is an example of the elseif statement:

 

elseif ($url == '/tutorials.derricksesson.php?id=7'):
    // Count the page view.
    $sql = "UPDATE tutorials SET views = views + 1 WHERE id=7";
    $done = mysql_query($sql);

    echo '<div id="page">';
    echo '<div id="content"><br />';
    echo '<h2 class="title">Modeling An Ear (Part 1)</h2><br />';
    echo '<div class="post">';
    echo '<p class="meta">Derrick Sesson | Cganim8or (<a href="tutorials.derricksesson.php">Back To Tutorials</a>)';
    echo '<div class="entry">';
    echo '<center>Rate This Tutorial:<br>';
    echo '<form name="rate" action="' . $_SERVER['PHP_SELF'] . '?id=7" method="POST">';
    echo '<input type="radio" name="rate" value="1">1';
    echo '<input type="radio" name="rate" value="2">2';
    echo '<input type="radio" name="rate" value="3" checked>3';
    echo '<input type="radio" name="rate" value="4">4';
    echo '<input type="radio" name="rate" value="5">5';
    echo '<input type="submit" name="rate_btn" value="Rate" id="rate"><br>';
    echo '</form>';

    // Record a submitted vote. The vote is cast to an integer before it is
    // placed in the query, so only a number can reach the SQL text.
    // (The original ran mysql_query() a second time on the result resource,
    // which was a no-op error; that call is dropped here.)
    if (isset($_POST['rate'])) {
        $update = (int) $_POST['rate'];
        mysql_query("UPDATE tutorials SET RatedBy = RatedBy + 1, Rating = Rating + $update WHERE id = 7") or die(mysql_error());
    }

    // Show the average rating; avoid dividing by zero when nobody has rated yet.
    $result = mysql_query("SELECT * FROM tutorials WHERE id=7 AND username='cganim8or'") or die(mysql_error());
    while ($row = mysql_fetch_object($result)) {
        $ratedby = $row->RatedBy;
        $rating  = $row->Rating;
        $avg = ($ratedby == 0) ? 0 : $rating / $ratedby;
        $avg = round($avg, 2);
        echo 'Average Rating: ' . $avg . ' - Rated by ' . $ratedby . ' users.<br><br>';
    }

    // Embedded video, then the comment section.
    echo '<object width="480" height="385"><param name="movie" value="http://www.youtube.com/v/JpVbfOfBdfo&hl=en_GB&fs=1&"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/JpVbfOfBdfo&hl=en_GB&fs=1&" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="385"></embed></object>';
    echo '<br><br><div class="content"><div class="post"><p class="meta">Leave A Comment<div class="entry">';
    require('inc_rate.php');
    getComments("5");
    submitComments("5", $_SERVER['PHP_SELF']);
    echo '</div></div></div></p></div></div>';


Basically, yes.

 

You will want to either cast the value as an integer or validate that it only contains an integer in order to prevent SQL injection (i.e. all external data cannot be trusted). You will also want to check if it is set or not (what does your current code do when the page is requested without an ?id=value on the end of the URL?) so that you don't execute any of the code without having an id value.


Basically, yes.

 

You will want to either cast the value as an integer or validate that it only contains an integer in order to prevent SQL injection (i.e. all external data cannot be trusted). You will also want to check if it is set or not (what does your current code do when the page is requested without an ?id=value on the end of the URL?) so that you don't execute any of the code without having an id value.

 

At the end of the code is an else statement which just displays the list of tutorials in the event that there is no id specified. Sorry, but I don't really understand what you mean?


He means that you should validate your values prior to using them, for example:

 

?value=1 (-> $_GET['value'] == 1)

WHERE value = $_GET['value'] (-> WHERE value = '1')

 

?value=';DROP TABLE yourtable;-- (-> $_GET['value'] == ';DROP TABLE yourtable;--)

WHERE value = '$_GET['value']' (-> WHERE value = ''; DROP TABLE yourtable;--')

 

After that user you have a table missing ;) At least if the MySQL PHP extension would allow it.

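The two replies above (validate the id before it touches SQL, and handle a missing id) can be combined into one handler that replaces all 150 copied elseif branches. The following is an added example, not code from the original poster or from any library the thread mentions. It assumes a `tutorials` table with the columns the poster's queries already use (`id`, `username`, `views`, `RatedBy`, `Rating`) plus two assumed columns, `title` and `youtube_id`, so the per-tutorial text that was hard-coded in each branch lives in the database instead. It uses PDO prepared statements rather than the `mysql_*` functions in the thread, so neither the id nor the vote is ever spliced into the SQL text, and a request with no id or a non-numeric id falls back to the tutorial list instead of running any per-tutorial query.

```php
<?php
// Added example (not the original poster's code). Assumed schema:
// tutorials(id, username, title, youtube_id, views, RatedBy, Rating).
// Connection details are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);

$author = 'cganim8or';   // the user whose tutorials this page lists

// Lists every tutorial for the author; this is the "else" branch from the thread.
function showTutorialList(PDO $pdo, string $author): void
{
    $stmt = $pdo->prepare('SELECT id, title FROM tutorials WHERE username = :user ORDER BY id');
    $stmt->execute([':user' => $author]);
    foreach ($stmt as $t) {
        echo '<a href="?id=' . (int) $t['id'] . '">'
           . htmlspecialchars($t['title'], ENT_QUOTES, 'UTF-8') . '</a><br>';
    }
}

// 1. Validate the id. filter_input() returns null when ?id is absent and
//    false when it is not a positive integer; both cases show the list.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    showTutorialList($pdo, $author);
    exit;
}

// 2. A submitted vote must be an integer 1..5; anything else is ignored.
$vote = filter_input(INPUT_POST, 'rate', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'max_range' => 5]]);
if ($vote !== null && $vote !== false) {
    $stmt = $pdo->prepare('UPDATE tutorials SET RatedBy = RatedBy + 1, Rating = Rating + :vote
                           WHERE id = :id AND username = :user');
    $stmt->execute([':vote' => $vote, ':id' => $id, ':user' => $author]);
}

// 3. Count the view and load the row. An id that exists for a different
//    author, or not at all, is a 404 rather than an SQL error or a blank page.
$stmt = $pdo->prepare('UPDATE tutorials SET views = views + 1 WHERE id = :id AND username = :user');
$stmt->execute([':id' => $id, ':user' => $author]);

$stmt = $pdo->prepare('SELECT title, youtube_id, RatedBy, Rating FROM tutorials
                       WHERE id = :id AND username = :user');
$stmt->execute([':id' => $id, ':user' => $author]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false) {
    http_response_code(404);
    echo 'No such tutorial.';
    exit;
}

// 4. Render. Database values are HTML-escaped, the video id is restricted to
//    the characters a YouTube id can contain, and PHP_SELF is escaped because
//    it echoes part of the request path.
$avg     = $row['RatedBy'] > 0 ? round($row['Rating'] / $row['RatedBy'], 2) : 0;
$videoId = preg_match('/^[A-Za-z0-9_-]{11}$/', (string) $row['youtube_id']) ? $row['youtube_id'] : '';
$self    = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');

echo '<h2 class="title">' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . '</h2>';
echo '<form action="' . $self . '?id=' . $id . '" method="POST">Rate This Tutorial:<br>';
for ($i = 1; $i <= 5; $i++) {
    $checked = ($i === 3) ? ' checked' : '';
    echo '<input type="radio" name="rate" value="' . $i . '"' . $checked . '>' . $i;
}
echo '<input type="submit" name="rate_btn" value="Rate"></form>';
echo 'Average Rating: ' . $avg . ' - Rated by ' . (int) $row['RatedBy'] . ' users.<br><br>';
if ($videoId !== '') {
    echo '<iframe width="480" height="385" src="https://www.youtube.com/embed/' . $videoId
       . '" allowfullscreen></iframe>';
}
```

With this layout, adding tutorial number 151 is a database INSERT rather than another copied branch, and the injection shown in the `';DROP TABLE` example above never reaches the server: `filter_input` rejects it before any query runs, and even a valid-looking number is bound as a parameter rather than concatenated into the statement.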