Jun 20, 2007, 12:17 #26
Tackling in reverse order just for the heck of it (and because I haven't had my coffee yet):
The var_dump lines were mostly for your educational benefit - I wanted you to see what exactly was being returned so that you could figure out for yourself how to display things in the way that you wanted. Of course, I hadn't counted on there being an error in your .htaccess, so they turned into debugging output (and led us to the root of the problem, i.e. that we weren't getting a $_GET['photo_id'] parameter).
You have to run your MySQL code before you have anything in $row['title'] to display. Just put that code up top and then you'll be able to insert the gallery title into your browser's title bar with no problems.
Notice in the SQL statement I added ((int)$_GET['photo_id']) - this is a basic method called type-casting that forces the value inserted into the string to be an integer. This effectively stops any/all forms of SQL injection since there is nothing that a 32-bit (or even 64- or 128-bit) integer can do to SQL. The absolute worst case is that a malformed request will result in no rows returned, which is not a Bad Thing.
The reason you had to select photo_id is because you were using $row['photo_id'] in your output; I would recommend instead not selecting photo_id in the query and instead using $_GET['photo_id'] in your output - this will be more efficient (albeit not noticeably so) but more importantly follows best practice guidelines.
I'd recommend a change to your .htaccess rule that will further protect your script: since your photo_id is always numeric (at least, I'm assuming - I just realized that you've never confirmed that and I've been assuming the whole time, so if I'm wrong ignore the rest of this paragraph), change your rule to be:

Code:
RewriteRule ^/?bigimage/([0-9]+)$ bigimage.php?photo_id=$1 [L]
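Putting the three points of the post above together (cast the id, run the query before any HTML is sent, and reuse the request id rather than re-selecting it), here is an added example of what bigimage.php could look like. This is illustrative code, not the poster's or the thread starter's script: it assumes a table named photos with an INT photo_id column and a VARCHAR title column, and the mysqli connection details are placeholders. The numeric-only RewriteRule above already guarantees the script is only reached with digits in photo_id, so the (int) cast here is a second line of defence for the case where the script is requested directly; the query is written as a prepared statement because that is the habit that also covers values which are not integers.

```php
<?php
// Added example, not the original poster's code. Connection details below are
// placeholders; the `photos` table (photo_id INT, title VARCHAR) is assumed.
$db = new mysqli('localhost', 'db_user', 'db_password', 'gallery');
if ($db->connect_error) {
    http_response_code(500);
    exit('Database unavailable');
}

// Reduce the raw request value to a positive integer, or null if unusable.
// (int) on a string keeps a leading number and turns anything else into 0,
// so no text after the digits can ever reach the SQL string.
function photo_id_from_request(array $get): ?int
{
    if (!isset($get['photo_id'])) {
        return null;                     // rewrite rule did not supply photo_id
    }
    $id = (int) $get['photo_id'];
    return $id > 0 ? $id : null;         // treat 0 and negatives as "not found"
}

// Fetch only the column we still need: photo_id is already known from $_GET.
function fetch_photo(mysqli $db, int $photoId): ?array
{
    // A cast int interpolated into the query would be safe as well; binding a
    // parameter is shown because it is the general technique for any type.
    $stmt = $db->prepare('SELECT title FROM photos WHERE photo_id = ? LIMIT 1');
    $stmt->bind_param('i', $photoId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // needs mysqlnd
    $stmt->close();
    return $row ?: null;                         // null when no row matched
}

// Run the database code BEFORE emitting any HTML, so $row['title'] exists
// by the time the <title> element is written.
$photoId = photo_id_from_request($_GET);
$row     = $photoId === null ? null : fetch_photo($db, $photoId);
if ($row === null) {
    http_response_code(404);
    exit('No such photo');
}
$title = htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
?>
<!DOCTYPE html>
<html>
<head>
  <title><?= $title ?></title>
</head>
<body>
  <!-- photo_id comes from the cast request value, not from the SELECT -->
  <h1>Photo <?= $photoId ?>: <?= $title ?></h1>
</body>
</html>
```

Requesting /bigimage/12 is rewritten to bigimage.php?photo_id=12 and renders the title; /bigimage/abc never matches the rewrite rule, and a direct request such as bigimage.php?photo_id=abc is cast to 0 and answered with a 404 rather than a query error.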