Pulling a value from a URL

[SF23103]

Can anyone explain how to pull a value from a url, and use it in php code?

 

Here's what I'm doing.  I created a page (list.php) that pulls a piece of text from a MySQL database.  The text is then a link, which is http://www.domain.com/full.php?id=1 where "1" is the unique ID for that database submission.  I want full.php to then show all of the columns from that database submission.

 

I really hope that makes sense!  In my mind, if I can find a way to pull the unique ID from that URL, I can then display everything from that particular database entry (subject, author, date, time, etc.).

 

Can anyone help me please?  I am sorry if I'm not using the right terms.. I'm quite new to PHP :-)

 

Thanks!!!

[sKunKbad]

<?php

if( isset( $_GET['id'] ) )
{
     echo 'id is ' . (int) $_GET['id'];
}
else
{
     echo 'no id in query string';
}

[SF23103]

Thanks for the help!

 

I can get that number to print on the page, but now I'm trying to use that id number in the following line: 

 

$query="SELECT * FROM aa_data_16 WHERE col_10='THEIDNUMBER'";

 

(THEIDNUMBER should be "1" in:  www.domain.com/file.php?id=1)

[SF23103]

Figured it out!

 

$id = $_GET['id'];
$query="SELECT * FROM data_base_16 WHERE col_10='$id'"; 

[sKunKbad]

Please make sure to validate $id before using it in your query. If you don't, you could suffer from an sql injection attack. A person could craft the value of $id to anything, and they could do anything to your database that the mysql user has privileges to allow.

 

In your case, if $id is always an integer, you should at least do something like:

 

<?php
     $id = (int) $id;
?>

[cyberRobot]

<?php
     $id = (int) $id;
?>

 

 

Keep in mind that the above solution will remove leading zeros, accepts negative numbers (-2), converts anything that leads with a non-number to 0. These types of things will affect the query results.

 

I currently use the following code to validate numbers:

 

<?php
...

if(ctype_digit((string)$id)) {
     //process query
} else {
     //invalid ID, display error
}

...
?>

[sKunKbad]

My point was simply that SF23103 needs to have at least something in the way of validation. Type casting as an integer, or using is_numeric would be a better choice than nothing at all. I had never seen ctype_digit before, but checked it out at php.net. Again, the point is, that left as coded above, there'd be nothing to stop a person from altering the query. SF23103, you need to search Google for "sql injection". There are some good videos out there that teach all about php security. Take the time to learn before creating an application that will get hacked.

[revraz]

A better way would to not use the ID in the URL and use a session to pass it instead.

[cyberRobot]

@sKunKbad - I agree, having some kind of validation is better than using the raw data. Also, I agree that type casting and using is_numeric() would help prevent SQL injection.

 

We just need to keep in mind that both solutions could result in "valid numbers" that may not really be valid according to the database. I've already mentioned the possible issues with type casting.

 

Now is_numeric() on the other hand, the following values will be considered a number:

1e4

9.1

 

 

I had never seen ctype_digit before, but checked it out at php.net.

 

ctype_digit() was suggested to me by another PHPFreaker; I was using a regex solution before that. So far ctype_digit() is my favorite method for validating numbers.

[cyberRobot]

A better way would to not use the ID in the URL and use a session to pass it instead.

 

 

I'm not sure I follow. If a page has a list of items where you can click a link to view one of them, how do you assign the ID to a session before it's sent back to the server?

[SF23103]

Thanks for everyone's help!

 

Basically, there will be a page that will populate with the 5 most recent database entries.  Each of those will be linked to the "full article", a page that displays the entire entry.

 

You are right, id will always be an integer.. so I added the "$id = (int) $id;".

 

I assume it should go first, so it will look like:

 

mysql_connect(localhost,$username,$password);
@mysql_select_db($database) or die( "Unable to select database");

$id = (int) $id;

$id = $_GET['id']; //this gets the id from the url
$query="SELECT * FROM ft_16 WHERE submission_id='$id'"; //this pulls only that id from the database

$result=mysql_query($query);

$num=mysql_numrows($result);

mysql_close();

[cyberRobot]

The test would actually go after reading in the ID. Also, I would recommend that you put the test in an if statement.

 

if(it's an number) {

    run query

} else {

    display error

}

[cyberRobot]

Or you could save a line of code by doing something like:

 

$id = (int) $_GET['id'];

 

 

Also, to save on database errors, you could use an if statement like:

 

<?php

if($id != '' && $id > 0) {
    //run query
} else {
    //display error
}

?>

[SF23103]

Worked great, thanks!!!

 

 

Or you could save a line of code by doing something like:

 

$id = (int) $_GET['id'];

 

 

Also, to save on database errors, you could use an if statement like:

 

<?php

if($id != '' && $id > 0) {
    //run query
} else {
    //display error
}

?>

[SF23103]

So if someone enters file.php?id='''' it displays an error.  Is it possible to display an error if someone types in file.php?id=99 and there is no 99 in the database?

[cyberRobot]

So if someone enters file.php?id='''' it displays an error.  Is it possible to display an error if someone types in file.php?id=99 and there is no 99 in the database?

 

After running the query, you could use mysql_num_rows() to see if there were any results. If nothing was found, display an error. More information about the function can be found here:

http://php.net/manual/en/function.mysql-num-rows.php