Page 1 of 2, results 1 to 25 of 31

Thread: $_get?

  1. #1
    jabird
    Join Date
    Aug 2004
    Location
    U.S.
    Posts
    593

    $_get?

    I'm making an edit page, I get the content from a database, then, after printing out all the content, I have this:

    PHP Code:
    echo '&nbsp;&nbsp;<a href="'.$domain.''.$path.'edit.php?id='.$row['id'].'">Edit</a> | '
       . '<a href="'.$domain.''.$path.'delete.php?id='.$row['id'].'">Delete</a> | '
       . '<a href="'.$domain.''.$path.'move.php?id='.$row['id'].'&amp;pos='.$row['position'].'&amp;dir=up">Move Up</a> | '
       . '<a href="'.$domain.''.$path.'move.php?id='.$row['id'].'&amp;pos='.$row['position'].'&amp;dir=dwn">Move Down</a>';
    It's kind of ugly, but it turns the edit link into:

    http://www.jabird.com/edit.php?id=1

    it gets the ?id= part from the database, so it is correct depending on the content that comes before it.

    anyway, on edit.php I need it to get the id out of the URL... can I do this with:

    $_GET['id']?

    why I want this is because I am going to do a query, that gets the content out of the database and puts it into a form for me to edit...

    Thanks,
    ~Jabird
    Jabird.com
    If I were binary... I'd be all 1's for you.
    BBCode trouble?

  2. #2
    SitePoint Member
    Join Date
    Mar 2005
    Posts
    19
    Yes, $_GET['id'] will obtain the data that is being sent to the script via the URL. For example:
    http://www.mydomain.com/myscript.php?id=100

    Contents of myscript.php:
    Code:
    <?php
    echo $_GET['id'];
    ?>
    will output:
    100

    However, don't forget to clean the data that's coming in from $_GET. Do not trust the data, validate it!
    OverclockersClub.com - Technology News & Hardware Reviews

  3. #3
    jabird
    Join Date
    Aug 2004
    Location
    U.S.
    Posts
    593
    HAHAAH I tried it... It didn't do it the way I thought it would, but it did work and it actually worked with less code and easier!

  4. #4
    SitePoint Member
    Join Date
    Mar 2005
    Posts
    19
    Glad you got it working! Don't you love it when code just plain works!

  5. #5
    jabird
    Join Date
    Aug 2004
    Location
    U.S.
    Posts
    593
    I got used to it not working right off the bat, and that just made my day better.

    I actually feel like I'm getting a firm grasp on PHP now

  6. #6
    SitePoint Wizard Dylan B
    Join Date
    Jul 2004
    Location
    NYC
    Posts
    1,150
    Quote Originally Posted by jabird
    HAHAAH I tried it... It didn't do it the way I thought it would, but it did work and it actually worked with less code and easier!
    Did you validate the code?

  7. #7
    SitePoint Addict
    Join Date
    Feb 2004
    Location
    belfast
    Posts
    386
    Quote Originally Posted by Dylan B
    Did you validate the code?
    Make sure to add the line
    Code:
    stripslashes($_GET['id'])
    like I pointed out in one of your other posts

    Ronan

  8. #8
    jabird
    Join Date
    Aug 2004
    Location
    U.S.
    Posts
    593
    I'll add the strip slashes and all that good stuff when I get it fully functional...

    right now I'm getting:

    Parse error: parse error, unexpected T_VARIABLE in /usr/local/apache2/htdocs/admin/submitedit.php on line 18

    line 18 is:
    $updatetext = @mysql_query('UPDATE news SET newstext='.$_POST['newstext'].'

  9. #9
    SitePoint Enthusiast
    Join Date
    Jun 2004
    Location
    Williamsport, PA
    Posts
    87

    Validation... good point!

    OCC, you made a really good point. *Always* validate values from a GET request (or POST or any other user input for that matter). I don't have any idea what type of application you are coding, but you said that you have an edit page. Maybe your application has multiple users or maybe only one. But consider a multiple user application where users have permissions to edit their own content, but not the content of others (pretty standard).

    When user 'jdoe' logs in he sees edit links for article 1 and article 3, which he wrote. He doesn't have an edit link for article 2 because it was authored by user 'bsmith.' However nothing is stopping jdoe from changing "http://www.yoursite.com/edit.php?id=1" to "http://www.yoursite.com/edit.php?id=2" in his browser.

    Thus you should always
    #1) Correctly escape any GET values that will become part of a system command or SQL statement (BIG SECURITY HOLE IF YOU DON'T).
    #2) Verify that the resource being referenced in the GET value really exists (if appropriate).
    #3) Verify that the user has permission to see it (where appropriate).

    Anyone have anything to add to that? I think this is one of those fundamental concepts of PHP coding that a lot of people overlook (I know I did for a long time).
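The three checks listed above, as an added example that is not part of the thread: an edit.php that validates the id, fetches the row with a bound parameter, and refuses to render the form unless the session user wrote the article or is an admin. It uses PDO prepared statements rather than the mysql_* functions discussed in this thread (those were removed in PHP 7); the session keys, the `news` table columns, the meaning of level 2, and the connection details are all assumptions made for the example.

```php
<?php
// Added example, not code from the thread. An edit.php that applies the
// three checks from the post above: the id is validated and bound as a
// parameter, the row must exist, and the logged-in user must own it (or be
// an admin). Assumptions: login stored the username in $_SESSION['username']
// and the user level in $_SESSION['level'] (2 taken to mean admin); a `news`
// table with columns id, author, newstitle, newstext; PDO credentials below.
session_start();

if (empty($_SESSION['username'])) {
    http_response_code(403);
    exit('Not logged in');
}

// 1) The id must be a positive integer. filter_var returns false for
//    "1 OR 1=1", "1.5", "" or a missing parameter, so nothing else reaches SQL.
$id = filter_var($_GET['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false) {
    http_response_code(400);
    exit('Bad id');
}

// Assumed connection (the thread's include('../includes/db.php') would supply this).
$pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// 2) Fetch by id with a bound parameter: the value travels as data, never as SQL text.
$stmt = $pdo->prepare('SELECT id, author, newstitle, newstext FROM news WHERE id = ?');
$stmt->execute([$id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false) {
    http_response_code(404);
    exit('No such article');
}

// 3) Ownership. Editing ?id=1 into ?id=2 in the address bar now gets a 403
//    instead of somebody else's article.
$isAdmin = (int) ($_SESSION['level'] ?? 0) === 2;
if (!$isAdmin && $row['author'] !== $_SESSION['username']) {
    http_response_code(403);
    exit('Not your article');
}

// Output encoding: stored text is HTML-escaped when echoed into the form, so
// a title containing <script> or a quote cannot break out of the attribute.
$h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="submitedit.php?id=<?= (int) $row['id'] ?>">
  <input name="newstitle" value="<?= $h($row['newstitle']) ?>"><br>
  <textarea name="newstext"><?= $h($row['newstext']) ?></textarea><br>
  <button type="submit">Save</button>
</form>
```

The order matters: the id is rejected before any query runs, the existence check is the query itself, and the permission check happens before anything from the row is shown. Hiding the edit link from other users, as suggested later in the thread, is only cosmetic; this server-side check is what actually stops a user from editing an article by typing a different id.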

  10. #10
    SitePoint Wizard Dylan B
    Join Date
    Jul 2004
    Location
    NYC
    Posts
    1,150
    Quote Originally Posted by jabird
    I'll add the strip slashes and all that good stuff when I get it fully functional...

    right now I'm getting:

    Parse error: parse error, unexpected T_VARIABLE in /usr/local/apache2/htdocs/admin/submitedit.php on line 18

    line 18 is:
    $updatetext = @mysql_query('UPDATE news SET newstext='.$_POST['newstext'].'
    Semicolon

  11. #11
    jabird
    Join Date
    Aug 2004
    Location
    U.S.
    Posts
    593
    You pretty much hit my app right on the spot...

    And I just realized where I went horribly wrong. I planned the project out so far, and pounded my head against the wall, and I had the brilliant (sarcasm) idea of only having 3 user levels:

    2 == admin
    1 == author
    0 == guest

    well, there will be multiple users, they all get their own page, kind of like a personal blog for every user, that user and the admin are the ONLY ones that can add/edit/delete content on their page, and only the Admin and 1 person (or multiple depending on what the client wants) will be able to edit/add/delete stuff on the main page, so now I have to rethink my sessions a bit...


    Well, actually now that I think of it, I can just find out the logged-in user's username, and if the username isn't equal to the username that has permission to add/edit/delete, he simply doesn't get the add/edit/delete links...

  12. #12
    jabird
    Join Date
    Aug 2004
    Location
    U.S.
    Posts
    593
    Quote Originally Posted by Dylan B
    Semicolon
    Lines 16-19:
    PHP Code:
     $updatetitle = @mysql_query('UPDATE news SET newstitle='.$_POST['newstitle'].'
         WHERE id='
    .$_GET['id'].''
     
    $updatetext = @mysql_query('UPDATE news SET newstext='.$_POST['newstext'].'
         WHERE id='
    .$_GET['id'].'' 
    that's why it doesn't make sense to me... line 16 doesn't give any errors..

  13. #13
    SitePoint Wizard Dylan B
    Join Date
    Jul 2004
    Location
    NYC
    Posts
    1,150
    You have to end every line with a semicolon.

  14. #14
    jabird
    Join Date
    Aug 2004
    Location
    U.S.
    Posts
    593
    Parse error: parse error, unexpected ';' in /usr/local/apache2/htdocs/admin/submitedit.php on line 17

  15. #15
    SitePoint Wizard Dylan B
    Join Date
    Jul 2004
    Location
    NYC
    Posts
    1,150
    Quote Originally Posted by jabird
    Lines 16-19:
    PHP Code:
     $updatetitle = @mysql_query('UPDATE news SET newstitle='.$_POST['newstitle'].'
         WHERE id='
    .$_GET['id'].''
     
    $updatetext = @mysql_query('UPDATE news SET newstext='.$_POST['newstext'].'
         WHERE id='
    .$_GET['id'].'' 
    that's why it doesn't make sense to me... line 16 doesn't give any errors..
    First of all, you aren't validating either $_POST or $_GET vars , second, you need to close the mysql_query parentheses.

  16. #16
    jabird
    Join Date
    Aug 2004
    Location
    U.S.
    Posts
    593
    Ok, I'm validating now, if by validating you mean stripslashes...

    Now it all works, except it doesn't seem to be posting it to MySQL...

  17. #17
    jabird
    Join Date
    Aug 2004
    Location
    U.S.
    Posts
    593
    Here's my submitedit.php code:

    PHP Code:
    <?php

    include('../includes/db.php');

    ?>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <title>Edited</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    </head>

    <body>
    <?php

    echo('This is your edited post:<br />');

    $newstitle = stripslashes($_POST['newstitle']);

    $newstext = stripslashes($_POST['newstext']);

    $id = stripslashes($_GET['id']);
    echo ''.$newstitle.'<br />';
    echo ''.$newstext.'<br />';

    $updatetitle = @mysql_query('UPDATE news SET newstitle='.$newstitle.'
         WHERE id='.$id.'');

    $updatetext = @mysql_query('UPDATE news SET newstext='.$newstext.'
         WHERE id='.$id.'');

    ?>
    <a href="<?php echo(''.$domain.''.$path.''); ?>">View Site</a>
    </body>
    </html>

  18. #18
    SitePoint Wizard Dylan B
    Join Date
    Jul 2004
    Location
    NYC
    Posts
    1,150
    Quote Originally Posted by jabird
    Ok, I'm validating now, if by validating you mean stripslashes...

    Now it all works, except it doesn't seem to be posting it to MySQL...
    At least run your data through mysql_real_escape_string to escape it.

  19. #19
    jabird
    Join Date
    Aug 2004
    Location
    U.S.
    Posts
    593
    Alright, I read about it on that page, and I am a little confused about how that works...

    it makes absolutely no sense to me

  20. #20
    SitePoint Wizard Dylan B
    Join Date
    Jul 2004
    Location
    NYC
    Posts
    1,150
    $value = mysql_real_escape_string($_POST['value']);

    stripslashes won't protect you from mysql injections.

  21. #21
    jabird
    Join Date
    Aug 2004
    Location
    U.S.
    Posts
    593
    Can I stripslashes too? like:
    $value_stripped = stripslashes($value);
    ?

    because now when I view the results, it has 3 \'s before the ''s...

    it's still not posting to mysql either =\

  22. #22
    jabird
    Join Date
    Aug 2004
    Location
    U.S.
    Posts
    593
    Alright, I added stripslashes, and it removes all slashes BUT 1... How do I fix this?

  23. #23
    SitePoint Wizard Dylan B
    Join Date
    Jul 2004
    Location
    NYC
    Posts
    1,150
    PHP Code:
    <?php
    // Quote variable to make safe
    function quote_smart($value)
    {
        // Stripslashes
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        // Quote if not integer
        if (!is_numeric($value)) {
            $value = "'" . mysql_real_escape_string($value) . "'";
        }
        return $value;
    }
    Use that function instead of either.

  24. #24
    SitePoint Wizard Dylan B
    Join Date
    Jul 2004
    Location
    NYC
    Posts
    1,150
    Quote Originally Posted by ronanmagee
    Make sure to add the line
    Code:
    stripslashes($_GET['id'])
    like I pointed out in one of your other posts

    Ronan
    stripslashes doesn't really escape anything o.O

  25. #25
    jabird
    Join Date
    Aug 2004
    Location
    U.S.
    Posts
    593
    My current code is:
    PHP Code:
    $newstitle = mysql_escape_string($_POST['newstitle']);

    $newstext = mysql_escape_string($_POST['newstext']);

    $title_stripped = stripslashes($newstitle);

    $text_stripped = stripslashes($newstext);

    $id = stripslashes($_GET['id']);
    echo '<input value="'.$title_stripped.'" /><br />';
    echo ''.$text_stripped.'<br /><br />';

    $updatetitle = @mysql_query('UPDATE news SET newstitle='.$title_stripped.'
         WHERE id='.$id.'');

    $updatetext = @mysql_query('UPDATE news SET newstext='.$text_stripped.'
         WHERE id='.$id.'');
    What do I need to add/get rid of in there? I'm kinda lost

