Links of Titles when clicked show Title & Description of item being clicked.

[OldWest]

I feel like a moron asking this question as it seems to be one of the most common things done with php but I cannot find a tutorial (probably because I don't know the correct wording to search under) on this specific thing..

 

Anyhow.

 

I'm spitting out a list of the Titles of my test table like so (and its working as expected):

 

<?php
$posting_sql = "SELECT * FROM postings";
$posting_results = (mysqli_query($cxn, $posting_sql)) or die("Was not able to grab the Postings!");
while($posting_row = mysqli_fetch_array($posting_results)) {		
	echo "<li><a href='posting_details.php'>$posting_row[title]</a></li>";
}
?>

 

Now as you can see: <a href='posting_details.php'> I am calling a new page, and that page contains this:

 

<h2><?php echo "$posting_row[title]"; ?></h2>

<p><?php echo "$posting_row[description]"; ?></p>

 

It's no surprise it's not working (with many variations etc), but I am only familiar with using <form> GET or POST, and these of course are not form elements, so I cant seem to call them the same way.

 

My suspicion (and from the research data I could find) is that I need to pass values in my link: <a href='posting_details.php'> ...

 

I could not get it to work, but I was trying variations like: <a href='posting_details.php?get[title&get[description]]'> but it seems like I am screwing things up even more by doing this..

 

Anyhow. If anyone could show me a tutorial that covers this specifically or some suggestions on the best approach to this would be much appreciated..

[OldWest]

Well I was able to figure out a solution with just getting down and dirty with ideas... But I'm not convinced this is 1) A secure method for passing this data and 2) this is the all around best way to pass this data... Here is what I've come to now which IS working:

 

Can you give my your opinion on how you would do this differently?

 

Page 1

<?php
$posting_sql = "SELECT * FROM postings";
$posting_results = (mysqli_query($cxn, $posting_sql)) or die("Was not able to grab the Postings!");
while($posting_row = mysqli_fetch_array($posting_results)) {		
	echo "<li><a href='posting_details.php?id=$posting_row[id]&title=$posting_row[title]&description=$posting_row[description]'>$posting_row[title]</a></li>";
}
?>

 

 

Page 2

<h2><?php $title = $_GET['title']; echo $title; ?></h2>

<p><?php $description = $_GET['description']; echo $description; ?></p>

[OldWest]

The problem with the way I am doing it now as in my last code snippet in this post, ALL of the id title and description are passed in the url!!! Makes a very LONG url string which is gross!!

 

Can anyone guide me to a tutorial or just tell me plain outright if the way I am doing it is TOTALLY wrong? I am guessing I am doing this all wrong cause after 3.5 hours on google, I could not find a working answer or description of what I am trying to do.

 

SOS

[OldWest]

The problem with the way I am doing it now as in my last code snippet in this post, ALL of the id title and description are passed in the url!!! Makes a very LONG url string which is gross!!

 

Can anyone guide me to a tutorial or just tell me plain outright if the way I am doing it is TOTALLY wrong? I am guessing I am doing this all wrong cause after 3.5 hours on google, I could not find a working answer or description of what I am trying to do.

 

SOS

 

<?php
$posting_sql = "SELECT * FROM postings";
$posting_results = (mysqli_query($cxn, $posting_sql)) or die("Was not able to grab the Postings!");
while($posting_row = mysqli_fetch_array($posting_results)) {		
	echo "<li><a href='posting_details.php?id=$posting_row[id]&title=$posting_row[title]&description=$posting_row[description]'>$posting_row[title]</a></li>";
}
?>

 

[trq]

Just post the id, then on the posting_details.php script, use that id to execute another query and get all the details.

[OldWest]

Just post the id, then on the posting_details.php script, use that id to execute another query and get all the details.

 

Nice. That worked perfect.. working as expected now 

 

Would you mind telling me if my code seems optimal for what I am doing or do you think there is a better method to this?

 

Here is my working code:

 

Page 1:

<?php
$posting_sql = "SELECT * FROM postings";
$posting_results = (mysqli_query($cxn, $posting_sql)) or die("Was not able to grab the Postings!");
while($posting_row = mysqli_fetch_array($posting_results)) {
	echo "<li><a href='posting_details.php?id=$posting_row[id]'>$posting_row[title]</a></li>";
}
?>

 

Page 2:

<?php
$posting_sql = "SELECT * FROM postings WHERE id='$_GET[id]'";
$posting_results = (mysqli_query($cxn, $posting_sql)) or die("Was not able to grab the Postings!");
$posting_row = mysqli_fetch_array($posting_results);
?>

<p>MySQL Primary Index ID: <?php echo $posting_row['id']; ?></p>

<h2>Product Title: <?php echo $posting_row['title']; ?></h2>

<p><strong>Product Description: </strong> <?php echo $posting_row['description']; ?></p>

 

 

 

 

[trq]

While your code is working, it is far from well written, for a few reasons.

 

You should only ever query your tables for the data you need, don't use SELECT * And take a look at LIMIT

 

You should always sanitize user input. Using $_GET['id'] directly in a query opens all sorts of security holes. See mysql_real_escape_string.

 

You should ALWAYS check your queries succeed and actually return results bofore you start passing any result to functions such as mysql_fetch_*

[OldWest]

thorpe,

I updated my script and it's working fine, but is this the best it can be in terms of security? Should I also escape the id and city_name? the id is auto increment inserted and city_name is a select box which has predefined values.. thanks for any critique.

 

$title = mysqli_real_escape_string($cxn,$_POST['title']); // cleans the data that is passed.
$description = mysqli_real_escape_string($cxn,$_POST['description']); // cleans the data that is passed.
  
      $query = "INSERT INTO Postings (id, city_id, title, description) VALUES
('','$_POST[city]','$title','$description')" or mysqli_error();

[trq]

Any data coming from a user needs to be escaped, whether they are coming from a pre-defined select box or not, doesn't matter. Client data should not be trusted.

[OldWest]

Nice. Thanks

[PFMaBiSmAd]

mysqli_error()

 

^^^ If mysqli_error() appears that way in your actual code, when you get a query error, that mysqli_error() statement will produce an error of its own because it requires the $cxn (mysqli link) as a parameter.