SitePoint Sponsor

User Tag List

Results 1 to 8 of 8
  1. #1
    SitePoint Addict
    Join Date
    Jul 2013
    Location
    South of the equator, then turn left
    Posts
    360
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Load content from database based on value from url

    Hi everyone,

    I've created a page where I'm retrieving content from a MySQL database using 2 queries. What I would like to do is have the page load content based on the values passed to it along in an url.

    If someone knows, then please help me out.

    Thank you for your time!


    //first query:

    PHP Code:
    $q "SELECT m.messages, m.name, f.forum  FROM messages AS m INNER JOIN forum AS f WHERE m.name = 'simpson' "
    //second query:

    PHP Code:
    $b "SELECT m.messages, m.name, f.forum  FROM messages AS m INNER JOIN forum AS f WHERE f.forum = 'foo' "
    Would the url be something like:

    index.php?name=simpson&forum=foo

    I'm not competely sure how my queries should be coded on the receiving page:

    WHERE m.name = '?' ";

  2. #2
    Community Advisor bronze trophy
    fretburner's Avatar
    Join Date
    Apr 2013
    Location
    Brazil
    Posts
    1,389
    Mentioned
    45 Post(s)
    Tagged
    12 Thread(s)
    Hey RedBishop,

    Quote Originally Posted by RedBishop View Post
    Would the url be something like:

    index.php?name=simpson&forum=foo
    Yeah, if you pass the data like that, it will be available in PHP via the $_GET global variable.

    Quote Originally Posted by RedBishop View Post
    I'm not competely sure how my queries should be coded on the receiving page:

    WHERE m.name = '?' ";
    Whenever you're working with data that can be passed into your script by a user, you want to make sure you escape it before using it in a DB query. How you do that depends on which DB extension you're using: are you using MySQLi or PDO?

  3. #3
    SitePoint Addict
    Join Date
    Jul 2013
    Location
    South of the equator, then turn left
    Posts
    360
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hi there fretburner,

    always good to hear from you.

    I'm using a MySQLi connection at the moment.



    Thanks!

  4. #4
    Community Advisor bronze trophy
    fretburner's Avatar
    Join Date
    Apr 2013
    Location
    Brazil
    Posts
    1,389
    Mentioned
    45 Post(s)
    Tagged
    12 Thread(s)
    You could do something like this:

    PHP Code:
    $name filter_input(INPUT_GET'name'FILTER_SANITIZE_STRING);

    if (
    $name) {
        
    $stmt $mysqli->prepare("SELECT m.messages, m.name, f.forum  FROM messages AS m INNER JOIN forum AS f WHERE m.name = ?");
        
    $stmt->bind_param('s'$name);
        
    $stmt->execute();

    The filter_input function will return null if $_GET['name'] isn't set, so the IF check would skip the query. Using a prepared statement and bound params ensures that the contents of $name will be escaped before the query is executed, which prevents SQL injection attacks.

  5. #5
    SitePoint Addict
    Join Date
    Jul 2013
    Location
    South of the equator, then turn left
    Posts
    360
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hi fretburner,

    thanks a lot for your help. I appreciate you including measures to secure the code.

    I'll try out the code a bit later.


    Have a good day!

  6. #6
    SitePoint Addict
    Join Date
    Jul 2013
    Location
    South of the equator, then turn left
    Posts
    360
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hi fretburner,

    sorry to be a pain, but I got to ask something again. How do I combine the code you provided with the query code I'm currently using?

    As it stands, my query starts with $q = "SELECT m.messages etc..."

    and then:

    PHP Code:
    $r = @mysqli_query ($dbc$q);     
    $num mysqli_num_rows($r);

    if (
    $num 0) { 
    $row mysqli_fetch_array($rMYSQLI_ASSOC); {
        
    Print 
    '<p>hi</p>'
    I've been fiddling around for some time without success.

    If you have a spare moment...

    Thanks!!

  7. #7
    Community Advisor bronze trophy
    fretburner's Avatar
    Join Date
    Apr 2013
    Location
    Brazil
    Posts
    1,389
    Mentioned
    45 Post(s)
    Tagged
    12 Thread(s)
    Quote Originally Posted by RedBishop View Post
    sorry to be a pain, but I got to ask something again. How do I combine the code you provided with the query code I'm currently using?
    OK, so looking at your code you're using mysqli procedural style, so assuming that your DB connection is in $dbc, try this:

    PHP Code:
    $name filter_input(INPUT_GET'name'FILTER_SANITIZE_STRING);

    if (
    $name) {
        
    $name mysqli_real_escape_string($dbc$name);
        
        
    $q "SELECT m.messages, m.name, f.forum FROM messages AS m INNER JOIN forum AS f WHERE m.name = '$name'";
        
    $r = @mysqli_query($dbc$q);   
      
        
    $num mysqli_num_rows($r);
        if (
    $num 0) { 
            
    $row mysqli_fetch_array($rMYSQLI_ASSOC);
            
            
    // Do more stuff here
        
    }

    I've changed the code slightly: rather than use a prepared statement, I've manually escaped $name with the mysqli_real_escape_string function, as it fits in better with your current style of code.

  8. #8
    SitePoint Addict
    Join Date
    Jul 2013
    Location
    South of the equator, then turn left
    Posts
    360
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hey fretburner,

    it's working great now - thank you very much! You're a big help.


    Cheers


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •