Newbie - PHP POST method retreival

[torontob]

Hi Guys,

 

I am new to php but have done programs in C, Basic, etc...

 

I have a mysql database with a field named Balance which keeps the balance for customer accounts.

 

I want to be able to provide the customers with option to check balance by simply inputing this into their browser:

 

http://my.website.com/balance.php?acountnumber=12121212

 

and I want balance.php to now go to MySQL and retreive the balance number corresponding to account number 12121212 and display on the screen.

 

Can you please guide me on how to do this? Some snippets of the code would greate help.

 

Also is my URL format using "?" and "=" sign right?

 

Thanks again

 

[gabaroar]

Hello

 

What you looking for is a get variable.  You can find information with examples here (http://www.w3schools.com/PHP/php_get.asp)

 

I like to use MDB2 for mysql work(http://pear.php.net/package/MDB2/)

[torontob]

Perfect! Amazing. Thank you very much.

 

Here is my sample code:

 

 

PHP:

<?php

$con = mysql_connect("localhost","username","password");

if (!$con)

  {

  die('Could not connect: ' . mysql_error());

  }

 

mysql_select_db("mya2billing", $con);

 

$result = mysql_query("SELECT * FROM cc_card

WHERE username='12345671234'");

 

while($row = mysql_fetch_array($result))

  {

  echo $row['credit'] . " " . $row['id'];

  echo "<br />";

  }

?>

 

This works fine and pulls up "credit" and "id" based on WHERE username=12345671234 but what can I replace that username value to in order to be able to do something like this:

 

http://my.site.com/balance.php?username=99999

 

so that then I can pull balance on username 99999. My method is static and hooked up to only username=12345671234 now.

 

Thanks again

[gabaroar]

I believe something like this

 

<?php
$username = $_GET['username'];

$con = mysql_connect("localhost","username","password");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("mya2billing", $con);

$result = mysql_query("SELECT * FROM cc_card
WHERE username='" . $username . "'");

while($row = mysql_fetch_array($result))
  {
  echo $row['credit'] . " " . $row['id'];
  echo "<br />";
  }
?>

[pengu]

Not very secure though, lol.

Check out security regarding credit cards and PHP/MySQL security in general.

[torontob]

Thanks Gabroar.

 

And security was indeed my next question because mysql password is plain text. Or maybe someone gets create or if there is a hole in php or browser and appends some other variables to the end of the URL and now they can read the whole database. Is that possible? Has it happened before? Or is php file totally hidden to the users eye all the time?

 

Credit in this case only refers to Balance field but you are right and there are some other sensitive information stored in the same database such as usernames/passwords in plaint text.

 

Thanksm

Bruce

[torontob]

Anything guys?

 

Thanks