Hi all...

 

I've searched up and down but don't think I'm searching for the right terms.

 

I have a database that takes a query and returns results - just fine. Works like a charm.

 

What I would like to do is take the same query that was just run and send it to another page that has the same results laid out a little differently.

 

I've tried messing around with the whole $_GET thing but to no avail. I've also tried sending it as a hidden variable (input type='hidden' name='query' value='$query') but to no avail here either.

 

Anybody willing to give me a hint as to how to pass the same query to another page?

 

Thanks!

 

https://forums.phpfreaks.com/topic/57959-send-query-to-another-page/

Page 1:

<input type='hidden' name='query' value='$query'>

 

New Page:

$query = $_GET['query'];

mysql_connect("blah","blah","blah");
mysql_select_db("blah") or die("Unable to select database");

$query = "$query";

$numresults=mysql_query($query);

$numrows=mysql_num_rows($numresults);

 

Again, I just want the new page to run the same query the original did. I just need to pass the query from Page 1 to the New Page. Is that enough code?

 

 

OK first off this is a reallllllllly BAD idea..

 

but if you must then I would suggest using sessions instead..

 

if you must use a form to pass the data then use POST

 

if you must use get then use urlencode..

 

personally I would just send the variable and a control word..

 

i.e.

 

<input type='hidden' name='UID' value='$userid'>
<input type='hidden' name='CONTROL' value='usergallery'>

 

 

<?php
// Cast to int so the only thing that reaches the query is a number.
$UID= (int)$_GET['UID'];

mysql_connect("blah","blah","blah");
mysql_select_db("blah") or die("Unable to select database");

// The control word picks one of a fixed set of queries; the client never
// supplies any SQL text itself.
switch($_GET['CONTROL'])
{
case "userprofile":
$query = "select profile FROM users where userid=$UID";
break;
case "usergallery":
$query = "select gallerystuff FROM users where userid=$UID";
break;
default:
// Unknown control word: stop here rather than run an undefined $query.
die("Unknown control word");
}

$numresults=mysql_query($query);

$numrows=mysql_num_rows($numresults);
?>

Is there a security issue?

 

Because of the potential for injection attacks.  This can be 'worked around' but the fact that you are even asking the question suggests that you won't have worked around it.  In fact it suggests to me that your method of generating the query in the first place is risky as I am guessing that you are generating it from user input?

 

Ok... now I'm wondering. I don't think there's anything initially wrong with the way that the first query is done (or is there?). It's just your basic form with multiple search fields.

 

<table>
...
<tr>
<td>Zip Code:</td>
<td><input type='text' name='zipcode' size='47'></td>
</tr>
</table>

<table>
<tr>
<td>
<input type='checkbox' name='day[]' value='Sunday'>Sunday 
<input type='checkbox' name='day[]' value='Monday'>Monday 
<input type='checkbox' name='day[]' value='Tuesday'>Tuesday 
<input type='checkbox' name='day[]' value='Wednesday'>Wednesday 
<input type='checkbox' name='day[]' value='Thursday'>Thursday 
<input type='checkbox' name='day[]' value='Friday'>Friday 
<input type='checkbox' name='day[]' value='Saturday'>Saturday
</td>
</tr>
</table>

 

Two examples of the input used to perform a search. There are several more text input fields and several more checkbox fields to further limit the search. When you say "user input", what exactly are you talking about? The text input fields? Something else?

 

Could you provide me with some reading on the issue that you see? I would really like to read into this and deal with issues that I'm apparently overlooking where a simple search query is concerned.

Sorry for double posting, and that my last post was so short (I had to rush off).

 

The article I link to above is a good intro but then check this for information that is more directly related to your specific needs with PHP and MySQL:

 

http://uk2.php.net/mysql_real_escape_string

 

By the time you've read stuff about mysql_real_escape_string you'll see how to protect yourself.

 

Note that anything in $_GET or $_POST i.e. user input should be treated with caution.  In both cases the viewer can mess with them.  They can put stuff into $_GET by adding them to the URL and they can put stuff into $_POST by creating their own HTML form and sending it to your PHP script for processing.

 

Your idea of passing a query is problematic because while your code can check for appropriate values in $_POST['zipcode'] and the like, it's going to be blooming difficult to check that the contents of $_POST['query'] is a 'legal' query generated by your first script, as opposed to something nasty being sent from a cracker's own HTML form.

 

Better to pass the individual variables so you can check them again before rebuilding the query.
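The "pass the individual variables and rebuild the query" advice from the last two replies, worked through as an added example (not code from any poster in this thread): zipcode and day[] are the form's own field names; the listings table and its columns, the results_alt.php page and the database credentials are assumptions.

```php
<?php
// Added example, not code from the thread. Field names zipcode and day[] come
// from the search form above; table/column names, results_alt.php and the
// database credentials are assumptions.
// Whitelist of values the day[] checkboxes may legitimately carry.
const ALLOWED_DAYS = ['Sunday', 'Monday', 'Tuesday', 'Wednesday',
                      'Thursday', 'Friday', 'Saturday'];
// Validate raw $_GET/$_POST fields and return [$sql, $types, $params] for a
// mysqli prepared statement, or null when the input is not acceptable.
function build_search(array $input): ?array
{
    $zip = (string)($input['zipcode'] ?? '');
    if (!preg_match('/^\d{5}$/', $zip)) {   // only a 5-digit zip passes
        return null;
    }
    // Keep only whitelisted day names; anything else is dropped.
    $days = array_values(array_intersect((array)($input['day'] ?? []), ALLOWED_DAYS));
    $sql    = 'SELECT * FROM listings WHERE zipcode = ?';
    $types  = 's';
    $params = [$zip];
    if ($days) {
        // One placeholder per day: the values never become part of the SQL text.
        $sql   .= ' AND day IN (' . implode(',', array_fill(0, count($days), '?')) . ')';
        $types .= str_repeat('s', count($days));
        $params = array_merge($params, $days);
    }
    return [$sql, $types, $params];
}

// Link to the alternate-layout page: pass the parameters, not the query text.
function alt_layout_url(array $input): string
{
    return 'results_alt.php?' . http_build_query([
        'zipcode' => $input['zipcode'] ?? '',
        'day'     => (array)($input['day'] ?? []),
    ]);
}

// results_alt.php: re-validate the parameters and rebuild the query itself.
$search = build_search($_GET);
if ($search === null) {
    http_response_code(400);
    exit('Invalid search parameters');
}
[$sql, $types, $params] = $search;
$db   = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');
$stmt = $db->prepare($sql);
$stmt->bind_param($types, ...$params);
$stmt->execute();
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
```

Because the second page runs build_search() on whatever arrives in $_GET, a hand-crafted URL or form can only change which whitelisted values are bound, never the SQL that runs.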
