How can I call for a photograph by id without a mention of .jpg

Tackling in reverse order just for the heck of it (and because I haven't had my coffee yet (: ):

The var_dump lines were mostly for your educational benefit - I wanted you to see what exactly was being returned so that you could figure out for yourself how to display things in the way that you wanted. Of course, I hadn't counted on there being an error in your .htaccess, so they turned into debugging output (and lead us to the root of the problem, i.e. that we weren't getting a $_GET['photo_id'] parameter).

You have to run your MySQL code before you have anything in $row['title'] to display. Just put that code up top and then you'll be able to insert the gallery title into your browser's title bar with no problems.

Notice in the SQL statement I added ((int)$_GET['photo_id']) - this is a basic method called type-casting that forces the value inserted into the string to be an integer. This effectively stops any/all forms of SQL injection since there is nothing that a 32-bit (or even 64- or 128-bit) integer can do to SQL. The absolute worst case is that a malformed request will result in no rows returned, which is not a Bad Thing.

The reason you had to select photo_id is because you were using $row['photo_id'] in your output; I would recommend instead not selecting photo_id in the query and instead using $_GET['photo_id'] in your output - this will be more efficient (albeit not noticeably so) but more importantly follows best practice guidelines.

I'd recommend a change to your .htaccess rule that will further protect your script: since your photo_id is always numeric (at least, I'm assuming - I just realized that you've never confirmed that and I've been assuming the whole time, so if I'm wrong ignore the rest of this paragraph), change your rule to be

Code:

---

RewriteRule ^/?bigimage/([0-9]+)$ bigimage.php?photo_id=$1 [L]

---

This will ensure that any request to /bigimage/whatever will give you a numeric photo_id. However, this does not lift the responsibility of validating your input (i.e. forcing $_GET['photo_id'] to be an integer before putting it into the SQL query), because someone who knows what's going on behind the scenes (like, say, anyone who reads this thread) can make a request directly to bigimage.php and bypass your rewrite rule altogether. Changing your rewrite rule is just one more layer to keep malformed data away from where it can do Bad Things, although in this case it's not going to add any extra security (yup, you guessed it, it's following best practice guidelines!).

it's following best practice guidelines! :lol: :D good stuff!

Quote:

---

The var_dump lines were mostly for your educational benefit

---

Yes I understand this now, thanks.

Quote:

---

You have to run your MySQL code before you have anything in $row['title'] to display. Just put that code up top and then you'll be able to insert the gallery title into your browser's title bar with no problems.

---

Do you mean before <html> ?

PHP Code:

---

<?php
    require_once('includes/mysql_connect.inc.php');
    
    $sql = "SELECT title, DATE_FORMAT(gallery.date, '%M %D %Y') AS dr, caption
    FROM photos
    LEFT JOIN gallery
    ON gallery.date = photos.date
    WHERE photo_id = ".((int)$_GET['photo_id']);
    $result = @mysql_query($sql) or die('Error: ' . mysql_error());
    while ($row = mysql_fetch_array ($result)) {
    echo '<h1>' . $row['title'] . '</h1><p>Date: ' . $row['dr'] . '</p><a href="javascript:history.go(-1)"><img src="images/170307/' . $row['photo_id'] . '.jpg" title="' . $row['caption'] . '"></a><h5>' . $row['caption'] . '</h5>';

    } 

 ?>

---

<html>
<head>
<title><?php echo $row['title'] ?></title>

..

but I want (below) in the <body> how do I break this up? Just open and close the php tags? do i just run up to while ($row = mysql_fetch_array ($result)) { before the <html> then echo my $rows where needed?:
<body>
<p>welcome</p>

PHP Code:

---

echo '<h1>' . $row['title'] . '</h1><p>Date: ' . $row['dr'] . '</p><a href="javascript:history.go(-1)"><img src="images/170307/' . $row['photo_id'] . '.jpg" title="' . $row['caption'] . '"></a><h5>' . $row['caption'] . '</h5>'; 


---

...
...
<h1>

PHP Code:

---

<?php echo $row['title'] ?>

---

</h1>

blar.. more html stuff

then example, another

<h1>

PHP Code:

---

<?php echo $row['something'] ?>

---

</h1>

</body>
?

Quote:

---

Notice in the SQL statement I added ((int)$_GET['photo_id']) - this is a basic method called type-casting that forces the value inserted into the string to be an integer.

---

yes am with you on that, I understand what you mean, thanks

Quote:

---

The reason you had to select photo_id is because you were using $row['photo_id'] in your output; I would recommend instead not selecting photo_id in the query and instead using $_GET['photo_id'] in your output - this will be more efficient (albeit not noticeably so) but more importantly follows best practice guidelines.

---

how would I put it into output? "not noticeably" where? If i don't select photo_id in the query I cant see the big image?

Quote:

---

I'd recommend a change to your .htaccess rule that will further protect your script: since your photo_id is always numeric (at least, I'm assuming..

---

yes right again :) thanks a lot

Lots of questions.

Yes, break up your block of PHP. Run your query at the top, including the $row=mysql_fetch_array($result); Remember, though, that since you're only selecting a single row the while loop is unnecessary - get rid of it (hadn't we already done that?). Once you do that, everything is in $row that you need to be there, so you can then use it over and over in your script wherever you need it - be that in the title, in the body, whatever. When all's said and done it may look something like this:

Code PHP:

---

<?php
    /*set up database connection here*/
    $sql = /*query here*/;
    $result = mysql_query($sql);
    $row = mysql_fetch_array($result);
?>
<html>
<head>
<title><?php echo $row['title'] ?></title>
</head>
<body>
<?php /*echo what you need here */ ?>
<b>More HTML code, or whatever</b>
<?php /*you can break up your PHP as much as your need to this way*/ ?>
</body>
</html>

---

As for the $_GET['photo_id'] in your output, it's a simple matter of replacing $row['photo_id'] with $_GET['photo_id'] in your echo. The reason we're doing this is because we already have this data (it's in $_GET['photo_id']), so what's the point of going to the database to get it? All we accomplish by going to the database to get what we already have is increasing database read time and increasing memory requirements to store the result. In this case, the increase in read time is 0 because photo_id happens to be an index, and the increase in memory is only 4 bytes (it's an integer), so we're not gaining anything in this particular instance. I'm only harking on it here to illustrate best practices and to get you into good habits before the bad ones start to form.

lots of questions :lol: hungry for input.. Thanks!

Quote:

---

Remember, though, that since you're only selecting a single row the while loop is unnecessary - get rid of it (hadn't we already done that?).

---

yes i think we did, just getting distracted by the problems..

Quote:

---

it's a simple matter of replacing $row['photo_id'] with $_GET['photo_id'] in your echo..

---

With you on that, thanks for the example

Quote:

---

I'm only harking on it here to illustrate best practices and to get you into good habits before the bad ones start to form.

---

I appreciate that GREATLY! :) :)

I'm hoping to take these examples and knowledge I've gathered and get this finished myself..

Again, big thanks for your time and examples kromey, until the next thread, Thank You! :)

Quote:

---

Originally Posted by computerbarry

Again, big thanks for your time and examples kromey, until the next thread, Thank You! :)

---

I take it, then, that we have solved all your problems. :) At least, for now. ;) Always happy to spread the knowledge. :teach:

Yes :) thanks!