Malevolence
Posted December 29, 2007

Hi,

I'm in a bit of a sticky situation. Y'see, I have made a page construct a link that looks a little bit like this:

http://www.runescapez.com/itempage.php?itemid=00007

And I want to make a page that then uses the $_GET method to run a mysql_query. This is the part of the code that is relevant:

<?php
$result = mysql_query("SELECT * FROM items WHERE itemid = '$_GET["itemid"]'");
$row = mysql_fetch_array($result)
?>

OR

<?php
$getid = $_GET["itemid"]
$result = mysql_query("SELECT * FROM items WHERE itemid = '$getid'");
$row = mysql_fetch_array($result)
?>

When I try to view the page, it comes up with this error:

Parse error: syntax error, unexpected T_VARIABLE in ~hidden~ on line 19

How else could I extract the 'itemid' from the url (itempage.php?itemid=#here) and then use that to run a mysql_query to get all the matching fields where itemid= the get results?

The reason I want this data is to show a page that shows bits of 1 set of data using something like this:

Examine: <?php echo $row['examine'] ?> - examine is a field in the table.

How could I do this?

Thanks in advance,
Malev.

Link to comment https://forums.phpfreaks.com/topic/83650-solved-how-to-use-_get-within-a-mysql_query/

pocobueno1388
Posted December 29, 2007

You're getting the error from this line

$row = mysql_fetch_array($result)

You're missing the semi-colon at the end.

Also, make sure you're sanitizing the input from the URL before you use it in your query.

codebyren
Posted December 29, 2007

Well, I just had a quick glance but that sort of error message usually means that you are just missing something simple in your code. An example is like leaving a semicolon ; off the end of a line.

I'm fairly new at this myself but try this as your select statement...

"SELECT * FROM items WHERE itemid ='".$_GET['itemid']."'"

Good luck. Also, remember to 'sanitize' your $_GET data before using it in a mysql query...

Malevolence (Author)
Posted December 29, 2007

What does 'sanitize' mean???

codebyren
Posted December 29, 2007

It just means you're securing it from attacks made by "malevolent" users.

http://nz2.php.net/mysql_real_escape_string

It's an unfortunately critical side of the learning process...

Malevolence (Author)
Posted December 29, 2007

Thank you two very much. It works now; if you go to this page: www.runescapez.com/itemsdbbeta.php and choose an item, it works.

Thanks again!
Malev.

redarrow
Posted December 29, 2007

what you want

<?php
if($_GET['itemid']){
    $getid=trim($_POST['itemid']);
    $getid = $_GET["itemid"];
    $result = mysql_query("SELECT * FROM items WHERE itemid = '$getid'");
    $row = mysql_fetch_array($result);
}
?>

Malevolence (Author)
Posted December 29, 2007

Right, is that because you need to POST the itemname so that say a Search Engine comes along and tries to 'Spider' the page, it'll do it properly?

Because the url remains the same with that 'sanitize' script, ultimately making no difference for 'Malevolent' people... *Good use of Malevolent behicthebuilder*.

I'll set this post to 'Solved' when I find out about sanitization.

redarrow
Posted December 29, 2007

"Right, is that because you need to POST the itemname so that say a Search Engine comes along and tries to 'Spider' the page, it'll do it properly?"

no we use POST to post variables/info to the correct variable set so it gets there.....

sanitization used for information posted to the database..... update or insert

addslashes();
mysql_real_escape_string();

common ones above.......

$_GET[''] get the info in a url as you know, but it's always useful to set a condition for the get so people don't spam your database.....

spiders/bots don't like php they only use html/css

good luck........
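
As an added example (not code from any poster in this thread): one way to handle the itemid from the URL is to validate its format and then pass it as a bound parameter rather than building the query string around it. It uses PDO with an in-memory SQLite database as a stand-in for the MySQL `items` table; the function name `fetchItem`, the length bound and the sample row are assumptions.

```php
<?php
// Added example (not from the thread). SQLite in memory stands in for the
// poster's MySQL database; table and column names follow the thread.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE items (itemid TEXT PRIMARY KEY, examine TEXT)");
$pdo->exec("INSERT INTO items VALUES ('00007', 'A constructed sample row.')");

/**
 * Look up one item by the raw itemid taken from the URL (hypothetical helper).
 * Returns the row as an array, or null if the id is malformed or unknown.
 */
function fetchItem(PDO $pdo, $rawId): ?array
{
    // 1. Validate: the thread's ids look like "00007", so accept digits only.
    //    ?itemid[]=x makes $_GET['itemid'] an array, hence the is_string check.
    //    The 1-10 length bound is an assumption; adjust to the real id format.
    if (!is_string($rawId) || !preg_match('/\A[0-9]{1,10}\z/', $rawId)) {
        return null;
    }
    // 2. Bind: the value travels separately from the SQL text, so quotes in
    //    it can never change the structure of the query.
    $stmt = $pdo->prepare('SELECT itemid, examine FROM items WHERE itemid = ?');
    $stmt->execute([$rawId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs standing in for $_GET['itemid'].
$samples = ['00007', '99999', "00007' OR '1'='1", ['00007']];
foreach ($samples as $raw) {
    $row = fetchItem($pdo, $raw);
    $label = is_array($raw) ? 'array input' : $raw;
    if ($row === null) {
        echo "$label => no item\n";
    } else {
        // 3. Escape on output, since 'examine' is echoed into an HTML page.
        echo "$label => Examine: "
            . htmlspecialchars($row['examine'], ENT_QUOTES, 'UTF-8') . "\n";
    }
}
```

The mysql_* functions used in the thread were removed in PHP 7.0; against MySQL the same function works unchanged with a `mysql:` DSN in the PDO constructor.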

Malevolence (Author)
Posted December 29, 2007

Thanks Again... I think that's all there is left to do except for image upload, but I'll ask about that later in a different post.

Thanks RA for explaining to me what Sanitization is :S

Regards,
Malev.