MistorClinky Posted August 25, 2017

Hi Everyone

I'm having some trouble with my webpage for a school project. I am working on a one-page website which displays information which changes depending on what the user clicks on. This is how the page looks: http://imgur.com/HfUfkfU

If you take a look at the URL you will see the content changes depending on what the user has previously clicked on: http://imgur.com/TNfh4Ln

I need to get the page working so that if someone enters a gameID that doesn't exist in my database, they will be returned to the home page, 'index.php'.

This is an image of how my database is structured. The database is called 'assessment', the table is called 'games': http://imgur.com/eLaZJgJ

This is how the code looks at the moment. If you look underneath the second comment you will see that this space is empty. This is where I will implement the error checking, but this can be easily changed. So like the comment says, I need to check that the set gameID exists in the database, and if not send the user to index.php (home page).

Thank you so much for any help!!!!!

<?php
// check that gameID has been set, if not return user to index.php (home page)
if (!isset($_GET['gameID']) OR !is_numeric($_GET['gameID'])) {
    header("Location: index.php");
    exit; // stop the script so nothing below runs after the redirect header
}

// check that set gameID exists in database, if not send user to index.php (home page)

$display_sql = "SELECT * FROM games WHERE gameID=" . $_GET['gameID'];
if ($display_query = mysqli_query($dbconnect, $display_sql)) {
    $display_rs = mysqli_fetch_assoc($display_query);
?>
<h1><?php echo $display_rs['game']; ?></h1>
<h2><?php echo $display_rs['developer']; ?></h2>
<img class="full" src="images/fullsizescreenshots/<?php echo $display_rs['image']; ?>">
<p><?php echo $display_rs['description']; ?></p>
<?php } ?>
Sepodati Posted August 25, 2017

That flow seems like it'd be confusing to the user. Why not display a message saying no such ID exists? If you just redirect, the user has no idea what happened.

You're already determining whether the ID exists in the current query. If no rows are returned, then no ID was matched.
MistorClinky (Author) Posted August 25, 2017

> That flow seems like it'd be confusing to the user. Why not display a message saying no such ID exists? If you just redirect, the user has no idea what happened.
>
> You're already determining whether the ID exists in the current query. If no rows are returned, then no ID was matched.

Hi, thanks for your response. Yep, that sounds good, I will display an error message instead!

The problem is that after this if statement runs the page appears blank. If I stuck an 'echo error message' in, would that display instead?

if ($display_query = mysqli_query($dbconnect, $display_sql)) {
    $display_rs = mysqli_fetch_assoc($display_query);
Jacques1 Posted August 25, 2017

First off, learn how to use mysqli correctly. Or even better: switch to PDO. As long as you have a big SQL injection vulnerability in your code (which can also be triggered purely by accident), it makes no sense to argue about rendering details.

When that's done, I suggest you approach the problem more systematically. There are effectively four different cases:

1. The game ID is missing altogether.
2. The ID is present but malformed. Use ctype_digit() for validation, not is_numeric(). The is_numeric() function accepts all kinds of input formats, including strings like "+0123.45e6".
3. The ID is present and formally valid but doesn't point to any existing game.
4. The ID is completely valid.

Those cases need to be checked one after another. If the ID is missing or invalid, you should emit a 400 status code (“Bad Request”) and show an error page. If there is no record for the ID, that's a classical 404 case (“Not Found”).

<?php

// The HTTP_CODE_* constants and show_error_page() were not defined in the
// snippet as posted; minimal definitions are added here so that it runs.
// $dbconnect is the mysqli connection from the original post.
const HTTP_CODE_BAD_REQUEST = 400;
const HTTP_CODE_NOT_FOUND   = 404;

function show_error_page($message, $status_code)
{
    http_response_code($status_code);
    echo '<h1>Error</h1><p>' . htmlspecialchars($message) . '</p>';
}

if (!isset($_GET['game_id'])) {
    show_error_page('Missing URL parameter: game_id', HTTP_CODE_BAD_REQUEST);
    exit;
}

if (!ctype_digit($_GET['game_id'])) {
    show_error_page('Invalid URL parameter: game_id', HTTP_CODE_BAD_REQUEST);
    exit;
}

// the game_id is formally valid, try to get the game from the database
$game_stmt = $dbconnect->prepare('
    SELECT
        game,   -- always select *specific* columns
        developer,
        image,
        description
    FROM
        games
    WHERE
        game_id = ?
');
$game_stmt->bind_param('i', $_GET['game_id']);
$game_stmt->execute();
$game_stmt->bind_result($game, $developer, $image, $description);

// if no record is present, show 404 page
if (!$game_stmt->fetch()) {
    show_error_page('No game found.', HTTP_CODE_NOT_FOUND);
    exit;
}

// *now* you can display the game

Extensive validation may be tedious, but it will massively improve the code quality, debuggability and usability. When there's a problem (and there will be problems), you'll be thankful for every piece of information you can get.
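The same four-case flow from Jacques1's answer, written against PDO (which he recommends over mysqli) and showing an error message with a proper status code instead of the silent redirect Sepodati objected to. This is an added example, not code from the thread or from either poster. It assumes the OP's schema (database 'assessment', table 'games', columns gameID, game, developer, image, description); the DSN credentials are placeholders and the show_error_page() helper is hypothetical.

```php
<?php
// Added example (not from the thread). Assumes the OP's 'assessment' database
// and 'games' table with the column names from the original post.
declare(strict_types=1);

const HTTP_CODE_BAD_REQUEST = 400;
const HTTP_CODE_NOT_FOUND   = 404;

// Hypothetical error renderer: sets the HTTP status and prints a message, so
// the user sees what went wrong instead of being bounced to index.php.
function show_error_page(string $message, int $status_code): void
{
    http_response_code($status_code);
    echo '<h1>Error</h1><p>' . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Case 2 check: only strings consisting solely of the digits 0-9 pass.
// is_numeric() would also accept forms such as "+0123.45e6", which is why
// ctype_digit() is used here, as the answer above recommends.
function is_well_formed_id(string $value): bool
{
    return $value !== '' && ctype_digit($value);
}

// Case 3 check: look the game up with a bound parameter. The value travels
// separately from the SQL text, so it cannot alter the statement.
// Returns the row, or null when no record matches.
function find_game(PDO $pdo, int $game_id): ?array
{
    $stmt = $pdo->prepare(
        'SELECT game, developer, image, description FROM games WHERE gameID = :id'
    );
    $stmt->bindValue(':id', $game_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Placeholder DSN and credentials; exceptions on error and real (non-emulated)
// prepared statements are the settings that make the binding above meaningful.
$pdo = new PDO(
    'mysql:host=localhost;dbname=assessment;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// Case 1: parameter missing altogether -> 400
if (!isset($_GET['gameID']) || !is_string($_GET['gameID'])) {
    show_error_page('Missing URL parameter: gameID', HTTP_CODE_BAD_REQUEST);
    exit;
}

// Case 2: parameter present but malformed -> 400
if (!is_well_formed_id($_GET['gameID'])) {
    show_error_page('Invalid URL parameter: gameID', HTTP_CODE_BAD_REQUEST);
    exit;
}

// Case 3: well-formed but no such record -> 404
$game = find_game($pdo, (int) $_GET['gameID']);
if ($game === null) {
    show_error_page('No game found.', HTTP_CODE_NOT_FOUND);
    exit;
}

// Case 4: valid ID with a matching record -> render it. Every value is
// escaped for its HTML context; a NULL column is rendered as an empty string.
$e = fn(?string $s): string => htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
?>
<h1><?= $e($game['game']) ?></h1>
<h2><?= $e($game['developer']) ?></h2>
<img class="full" src="images/fullsizescreenshots/<?= $e($game['image']) ?>" alt="<?= $e($game['game']) ?>">
<p><?= $e($game['description']) ?></p>
```

Keeping the checks in the order shown matters: the format check runs before any database access, so a malformed ID never reaches the query, and the 404 is only reported for an ID that was syntactically valid but unknown, which is the distinction the answer above draws between the 400 and 404 cases.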