Understanding the GET thing

[burtybob]

i have read the  phpmanual and many tutorials and i did a search on here and i am still stuck.

I can do forms but i cant understand how the URL bit works i will give an example

On websites they use like

profile.php?id=123

and i dont understand how the id=123 bit is generated is it connect to mysql then something else?

I understand everything in green but not the red bits?

[MemphiS]

<?php
$get = $_GET['id'];
?>

<a href='mypage.php?id=33'>GET Function</a>

 

basic get...

[crawlerbasher]

Best way to show this is:

 

<?php
$id = $_GET['id']; // This gets the information from the url like this profile.php?id=123
if ($id) {
include($id.".php"); // if the id was 123 then it will get 123.php
}
?>

 

There are so many uses for this, but be warned you need to learn to protect your script from injection, and thats the hardest part, well for me.

[taith]

Best way to show this is:

 

<?php
$id = $_GET['id']; // This gets the information from the url like this profile.php?id=123
if ($id) {
include($id.".php"); // if the id was 123 then it will get 123.php
}
?>

 

There are so many uses for this, but be warned you need to learn to protect your script from injection, and thats the hardest part, well for me.

 

i disagree... that is VERY insecure...

 

 

 

 

 

<form method="GET" action="?">
<input type=textbox name=text>
<input type=submit>
</form>
<?echo $_GET[text];?>

 

thats one way of using get... could also just manually type it into your urls

[crawlerbasher]

 

i disagree... that is VERY insecure...

 

I did not say it was secure, that was just an exsample.

The code just shows how it works, the acutal script dose need to be worked on better, but its only an exsample.

[burtybob]

In profile.php

<form method="GET" action="?">
<input type=textbox name=text>
<input type=submit>
</form>
<?php 
$id = $_GET[text];
include ('$id.php');
echo $data;
?>

In 123.php

<?php
$data = ben
?>

 

Yet whenever i put 123 in the text box it just gives me a blank page other than the text box?

I now understand the get a lot better thank you guys and girls (if any of you are girls) so i guess some things are just easier to understand when explained in another way so i thank you all for that and please can you help on this bit.

I am on MSN if it easier my msn is bobob24@hotmail.co.uk.

 

[per1os]

You I would highly advise against doing an include on the id. Also I would suggest using ' or " around indexes of an array:

 

<form method="GET" action="?">
<input type=textbox name=text>
<input type=submit>
</form>
<?php 
if (isset($_GET['text'])) {
     $id = $_GET['text'];
     include ("$id.php"); // use double quotes or else the $id is taken literally with single strings.
     echo $data;
     echo "<br />Single Test:" . '$id $id = $id ' . "$id = $id \$id = $id"; // hope that shows you the difference.
}
?>

 

Try that out and see where it gets you, just remember doing that include with get data is very very dangerous and will open you up to be hacked by some script kiddie if you actually use this on a website.

[burtybob]

ok thanks frost i was trying it to work out how get works, when i come to doing the site i will not use the include but i am atm just trying to understand and get it working.

Also is there anyway that using include in that way i could use a function to protect myself against script kiddies?

I will do a post later today to tell if i got it working or not.

[chocopi]

Just out of interest what would be the best way to prevent injections ???

[taith]

htmlentities($string,ENT_QUOTES); and byebye any/all injections...

[chocopi]

so what would the code look like for a basic page with that implimented ??

[burtybob]

yay that worked thank you!

[per1os]

htmlentities($string,ENT_QUOTES); and byebye any/all injections...

 

Will that prevent in including a file from a remote site.

 

IE: if I passed  something like:

getpage.php?id=http://www.somesite.com/thisfilescrewsyou

 

where the real file is

getpage.php?id=http://www.somesite.com/thisfilescrewsyou.php (since he adds .php to the end)

 

And the "thisfilescrewsyou" has some code that is received as text in there that opens up the index file, or all files and writes to it and than closes it, and now all the files on the server or at least the index file are all hi-jacked possibly or overwritten to and screwed...

 

That is the main fear with including get data.

[burtybob]

i have tryed the code and it works thank you i will now somehow make a function to some how stop injection if this is possible.

Is there anyway to do it with a profile page sort of thing?

like Online rpg's do?

 

[trq]

Is there anyway to do it with a profile page sort of thing?

 

Do what?

[burtybob]

using get to make a profile.php and then get the data from the database about each user like a lot of online rpgs do some dont but most use a page like

http://www.game.com/profile.php?id=usersid

 

The page then shows any items that user has bought in the game!

[burtybob]

I posted this yesterday but then when i re read it i found it was not a very good question and example so i have reposted it with more information!

 

I would like to use GET to make a profile.php and then get the data from the database about each user like online rpgs do they use a page like

http://www.game.com/profile.php?id=usersid

 

The page then shows any items that user has bought in the game!

for example

http://sigil.outwar.com/profile.php?id=1

and then it goes up like

http://sigil.outwar.com/profile.php?id=2

and so on

 

Does anyone know how to do this?

 

[per1os]

You need a database first of all, with a table of members.

 

www.mysql.com is probably a good place to start and learn SQL www.google.com can help there.

 

That or find a pre-made RPG script.

[burtybob]

You need a database first of all, with a table of members.

 

www.mysql.com is probably a good place to start and learn SQL www.google.com can help there.

 

That or find a pre-made RPG script.

 

I have the database and do i have to learn sql cant i just use PHPmyadmin or is there some other reason?

I am creating my own game and i am doing it in this way to learn PHP as if i didn't learn PHP while using it i wouldn't be bothered to learn it at all, i plan to completely re code my game once i have learned PHP properly so i have thought about getting a pre-made one but decided against it as i have stated.

 

[chocopi]

Yea you can use PHP MyAdmin, but you could learn SQL just you can understand it for future reference.

 

Ok I have never actually used GET but I will take a stab at it.

 

<?php

$id = $_GET['id'];

$query = mysql_query("SELECT fieldname FROM tablename WHERE id='$id'");
$result = mysql_fetch_assoc($query) or die (mysql_error());
$variable = $result['fieldname'];

echo $variable

?>

 

Hope it helps,

 

~ Chocopi

[burtybob]

Yea you can use PHP MyAdmin, but you could learn SQL just you can understand it for future reference.

 

Ok I have never actually used GET but I will take a stab at it.

 

<?php

$id = $_GET['id'];

$query = mysql_query("SELECT fieldname FROM tablename WHERE id='$id'");
$result = mysql_fetch_assoc($query) or die (mysql_error());
$variable = $result['fieldname'];

echo $variable

?>

 

Hope it helps,

 

~ Chocopi

just glancing at this without knowing much about GET it looks right as long as i remember to connect to database first which is easy enough so i will try this now!

This worked thank you!

[Yesideez]

burtybob, if you want I can PM you with a link which is a MMORPG game I wrote a few years back. Its not finished but you'll be able to get the hang of a lot of useful functions by looking through my source and playing with it.

 

Let me know if you want it.