
Check that page exists


MistorClinky


Hi Everyone

I'm having some trouble with my webpage for a school project. I am working on a one-page website which displays information which changes depending on what the user clicks on. This is how the page looks

http://imgur.com/HfUfkfU

 

If you take a look at the URL you will see the content changes depending on what the user has previously clicked on

http://imgur.com/TNfh4Ln

 

I need to get the page working so that if someone enters a gameID that doesn't exist in my database, they will be returned to the home page - 'index.php'

 

This is an image of how my database is structured. Database is called 'assessment', table is called 'games'

http://imgur.com/eLaZJgJ

 

This is how the code looks at the moment. If you look underneath the second comment you will see that this space is empty. This is where I will implement the error checking but this can be easily changed :)

So like the comment says, I need to check that the set gameID exists in the database, and if not, send the user to index.php (home page).

Thank you so much for any help!!!!! :)

<?php 
	// check that gameID has been set, if not return user to index.php (home page)
	if(!isset($_GET['gameID']) OR !is_numeric($_GET['gameID'])) 
	{
		header("Location: index.php");
		exit; // stop here, otherwise the rest of the page still runs after the redirect header
	}
	
	// check that set gameID exists in database, if not send user to index.php (home page)
	
		
	
	// $dbconnect is the mysqli connection opened earlier in the page (not shown here)
	$display_sql="SELECT * FROM games WHERE gameID=".$_GET['gameID'];
	if($display_query=mysqli_query($dbconnect, $display_sql)) {
		$display_rs=mysqli_fetch_assoc($display_query); // null when no row matched
		?>
		<h1><?php echo $display_rs['game']; ?></h1>
		<h2><?php echo $display_rs['developer']; ?></h2>
		<img class="full" src="images/fullsizescreenshots/<?php echo $display_rs['image']; ?>">
		<p><?php echo $display_rs['description']; ?></p>
		<?php
	}
?>

That flow seems like it'd be confusing to the user. Why not display a message saying no such ID exists. If you just redirect, the user has no idea what happened.

 

You're already determining whether the ID exists in the current query. If no rows are returned, then no ID was matched.



Hi, thanks for your response. Yep, that sounds good, I will display an error message instead!

The problem is after this if statement runs the page appears blank. If I stuck an 'echo error message' would that display instead?

if($display_query=mysqli_query($dbconnect, $display_sql)) {
        $display_rs=mysqli_fetch_assoc($display_query);

First off, learn how to use mysqli correctly. Or even better: Switch to PDO. As long as you have a big SQL injection vulnerability in your code (which can also be triggered purely by accident), it makes no sense to argue about rendering details.

 

When that's done, I suggest you approach the problem more systematically. There are effectively four different cases:

  • The game ID is missing altogether.
  • The ID is present but malformed. Use ctype_digit() for validation, not is_numeric(). The is_numeric() function accepts all kinds of input formats, including strings like "+0123.45e6".
  • The ID is present and formally valid but doesn't point to any existing game.
  • The ID is completely valid.

Those cases need to be checked one after another. If the ID is missing or invalid, you should emit a 400 status code (“Bad Request”) and show an error page. If there is no record for the ID, that's a classical 404 case (“Not Found”).

<?php

// $dbconnect is assumed to be an open mysqli connection (e.g. from an include).
// show_error_page() and the HTTP_CODE_* constants are not built into PHP;
// minimal versions are defined here so the example runs as written.
const HTTP_CODE_BAD_REQUEST = 400;
const HTTP_CODE_NOT_FOUND = 404;

function show_error_page($message, $http_code)
{
    http_response_code($http_code);
    echo '<h1>Error</h1><p>' . htmlspecialchars($message) . '</p>';
}

if (!isset($_GET['game_id']))
{
    show_error_page('Missing URL parameter: game_id', HTTP_CODE_BAD_REQUEST);
    exit;
}

if (!ctype_digit($_GET['game_id']))
{
    show_error_page('Invalid URL parameter: game_id', HTTP_CODE_BAD_REQUEST);
    exit;
}

// the game_id is formally valid, try to get the game from the database
$game_stmt = $dbconnect->prepare('
    SELECT
        game,           -- always select *specific* columns
        developer,
        image,
        description
    FROM
        games
    WHERE
        game_id = ?
');
$game_stmt->bind_param('i', $_GET['game_id']);   // the value is bound, never concatenated into the SQL
$game_stmt->execute();
$game_stmt->bind_result($game, $developer, $image, $description);

// if no record is present, show 404 page
if (!$game_stmt->fetch())
{
    show_error_page('No game found.', HTTP_CODE_NOT_FOUND);
    exit;
}

// *now* you can display the game

Extensive validation may be tedious, but it will massively improve the code quality, debuggability and usability. When there's a problem (and there will be problems), you'll be thankful for every piece of information you can get.
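A runnable version of the lookup, as an added example that is not part of either reply above: it implements the missing / malformed / not-found / valid chain the post above describes, and the "no rows returned means no ID was matched" check from the earlier reply. It uses PDO with an in-memory SQLite table (constructed for the demo, with the column names from the thread's screenshot) instead of the thread's mysqli connection to MySQL, so it runs offline. The is_string() guard against array query parameters and the output escaping in render_game() are my additions, not from the thread. It assumes PHP 7.4 or newer with the pdo_sqlite extension.

```php
<?php
// Added example, not code from the thread. Runs the four-case check
// (missing / malformed / unknown / valid gameID) against an in-memory SQLite
// database via PDO so it works offline; the thread's own code uses a mysqli
// connection ($dbconnect) to MySQL instead. The table and its single row are
// constructed for the demo.

function make_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE games (
        gameID      INTEGER PRIMARY KEY,
        game        TEXT NOT NULL,
        developer   TEXT NOT NULL,
        image       TEXT NOT NULL,
        description TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO games VALUES (?, ?, ?, ?, ?)');
    $ins->execute([1, 'Example Game', 'Example Studio', 'example.png', 'Constructed demo row.']);
    return $pdo;
}

// Returns [http status, payload]; payload is the row array on 200 and an
// error message string otherwise.
function lookup_game(PDO $pdo, array $get): array
{
    if (!isset($get['gameID'])) {
        return [400, 'Missing URL parameter: gameID'];
    }
    // ?gameID[]=1 arrives as an array, so insist on a string before ctype_digit().
    // ctype_digit() accepts only 0-9, where is_numeric() also passes
    // "+0123.45e6", "1e3" and " 1".
    if (!is_string($get['gameID']) || !ctype_digit($get['gameID'])) {
        return [400, 'Invalid URL parameter: gameID'];
    }
    // Prepared statement: the value is bound, never concatenated into the SQL.
    $stmt = $pdo->prepare(
        'SELECT game, developer, image, description FROM games WHERE gameID = ?'
    );
    $stmt->execute([(int) $get['gameID']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return [404, 'No game found.'];   // no row matched: the 404 case
    }
    return [200, $row];
}

function render_game(array $row): string
{
    // Database values are data, not markup: escape them on output.
    $e = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<h1>' . $e($row['game']) . '</h1>' . "\n"
        . '<h2>' . $e($row['developer']) . '</h2>' . "\n"
        . '<img class="full" src="images/fullsizescreenshots/' . $e($row['image']) . '">' . "\n"
        . '<p>' . $e($row['description']) . '</p>' . "\n";
}

// Drive the cases with constructed query strings (what $_GET would hold).
$pdo = make_demo_db();
$cases = [
    [],                            // missing             -> 400
    ['gameID' => '+0123.45e6'],    // passes is_numeric   -> 400
    ['gameID' => '1 OR 1=1'],      // injection attempt   -> 400
    ['gameID' => ['1']],           // array, not string   -> 400
    ['gameID' => '999'],           // well-formed, absent -> 404
    ['gameID' => '1'],             // exists              -> 200
];
foreach ($cases as $get) {
    [$status, $payload] = lookup_game($pdo, $get);
    if (PHP_SAPI !== 'cli') {
        http_response_code($status);   // what a real web request should send
    }
    echo 'gameID=' . json_encode($get['gameID'] ?? null) . " -> $status\n";
    echo is_array($payload) ? render_game($payload) : $payload . "\n";
}
```

Run it with `php lookup.php`; only the last case renders the game, the others print the status and message. In the real page, replace make_demo_db() with the existing database connection and pass `$_GET` to lookup_game(); the validation and the fetch-returns-false check stay the same whether the driver is PDO or mysqli.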
