
I have a page that is accessed with this URL:

http://celt.muohio.edu/lillycon/oldpresenters.php?year=2010 (year could be any year, of course) and it lists the presenters based on the year variable. That is working fine. I also want it to load the style.css, the header and the footer based on the year chosen. That is not working. Here is the code I currently have. I didn't write the original code. I have tried TEMPLATEDIR and TEMPLATEURL but feel like I am missing something obvious. I am still learning PHP so I am definitely slow on the problem solving end.


<?php require 'main_include.php';
$year = mysql_real_escape_string($_GET['year']);
// Base URL of the per-year template directory (stylesheet, header, footer).
$TEMPLATEDIR = "http://www.units.muohio.edu/lillycon/old/$year";
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Lilly Conference</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="http://celt.muohio.edu/favicon.png" rel="shortcut icon">

<style type="text/css">
/* Load the stylesheet from the chosen year's template directory, not from the current directory. */
@import url("<?php echo $TEMPLATEDIR; ?>/style.css");
</style>
</head>
<body>
<?php
$type = "featured";
// Fetch the year-specific header over HTTP so its PHP is executed and only the rendered HTML is echoed
// (a local file_get_contents("lillyheader.php") would dump the raw PHP source). Requires allow_url_fopen.
$includeFile = file_get_contents("$TEMPLATEDIR/lillyheader.php");
echo $includeFile;

// Builds a list of all presenters and their sessions; ECHOs each individual entry for faster to-browser dumping in these long lists.
// $useyear was never defined in the original; $year is the variable that actually holds the request value.
echo "<h1>Lilly $year Presenters and Topics</h1>";
$bigList = presentersForYear($year, $type);

if (count($bigList) > 0) {
	foreach ($bigList as $value) {
		echo general($value, $year);
	}
} else {
	echo "<h4>No $type sessions have been confirmed yet, but please check back soon.</h4>";
}

if (isset($_GET['presenter'])) { echo longbio($_GET['presenter'], $year); }
else if (isset($_GET['session'])) { echo sessAbstract($_GET['session'], $year); }
else if (isset($_GET['type'])) { echo general_lister($_GET['type'], $year); }
else { echo general_lister('featured', $year); }

// Year-specific footer, fetched the same way as the header.
$includeFile = file_get_contents("$TEMPLATEDIR/lillyfooter.php");
echo $includeFile; ?>
</body>
</html>

This is also wrong:

$year = mysql_real_escape_string($_GET['year']);


You do not use the year variable in an SQL query, so why would you add escaping for it as if you were? What you want to do here is input validation, not escaping. Which means you want to verify that the value of said variable ($_GET['year']) is indeed a 4-digit number which relates to a valid year.

If not, show an error and/or pick the default (current) year. I recommend doing both, so that the user knows that there's something wrong, and why.
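An added example of the validate-then-default approach described in this reply (not code from either poster). The allowed year range (2000 up to the current year) and the error wording are assumptions; the template base URL is the one from the original post.

```php
<?php
// Added example: validate the year parameter instead of SQL-escaping it,
// then fall back to the current year with a visible error message.

/**
 * Return the requested year as an int if it is exactly four digits and lies
 * within the range of years that have a template directory; otherwise null.
 */
function validateYear($raw, $firstYear, $lastYear)
{
    // Must be exactly four ASCII digits: rejects "", "10", "2010x", "../2010"
    // and also arrays such as year[]=2010.
    if (!is_string($raw) || !preg_match('/^\d{4}$/', $raw)) {
        return null;
    }
    $year = (int) $raw;
    if ($year < $firstYear || $year > $lastYear) {
        return null;
    }
    return $year;
}

$currentYear = (int) date('Y');
$error = '';
$year = isset($_GET['year'])
    ? validateYear($_GET['year'], 2000, $currentYear)  // 2000 is an assumed first conference year
    : $currentYear;

if ($year === null) {
    // Tell the user what went wrong, then continue with the default year.
    $error = 'The requested year is not valid; showing ' . $currentYear . ' instead.';
    $year  = $currentYear;
}

// $year is now a plain integer, so building a URL or path from it cannot
// be steered to another directory or host by the query string.
$TEMPLATEDIR = "http://www.units.muohio.edu/lillycon/old/$year";
?>
<style type="text/css">
@import url("<?php echo $TEMPLATEDIR; ?>/style.css");
</style>
<?php if ($error !== ''): ?>
<p class="error"><?php echo htmlspecialchars($error, ENT_QUOTES, 'ISO-8859-1'); ?></p>
<?php endif; ?>
```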
