  1. #26
    kromey (Fairbanks, AK; joined Sep 2006)
    Tackling in reverse order just for the heck of it (and because I haven't had my coffee yet):

    The var_dump lines were mostly for your educational benefit - I wanted you to see what exactly was being returned so that you could figure out for yourself how to display things in the way that you wanted. Of course, I hadn't counted on there being an error in your .htaccess, so they turned into debugging output (and led us to the root of the problem, i.e. that we weren't getting a $_GET['photo_id'] parameter).

    You have to run your MySQL code before you have anything in $row['title'] to display. Just put that code up top and then you'll be able to insert the gallery title into your browser's title bar with no problems.

    Notice in the SQL statement I added ((int)$_GET['photo_id']) - this is a basic method called type-casting that forces the value inserted into the string to be an integer. This effectively stops any/all forms of SQL injection since there is nothing that a 32-bit (or even 64- or 128-bit) integer can do to SQL. The absolute worst case is that a malformed request will result in no rows returned, which is not a Bad Thing.

    The reason you had to select photo_id is because you were using $row['photo_id'] in your output; I would recommend instead not selecting photo_id in the query and instead using $_GET['photo_id'] in your output - this will be more efficient (albeit not noticeably so) but more importantly follows best practice guidelines.

    I'd recommend a change to your .htaccess rule that will further protect your script: since your photo_id is always numeric (at least, I'm assuming - I just realized that you've never confirmed that and I've been assuming the whole time, so if I'm wrong ignore the rest of this paragraph), change your rule to be
    Code:
    RewriteRule ^/?bigimage/([0-9]+)$ bigimage.php?photo_id=$1 [L]
    This will ensure that any request to /bigimage/whatever will give you a numeric photo_id. However, this does not lift the responsibility of validating your input (i.e. forcing $_GET['photo_id'] to be an integer before putting it into the SQL query), because someone who knows what's going on behind the scenes (like, say, anyone who reads this thread) can make a request directly to bigimage.php and bypass your rewrite rule altogether. Changing your rewrite rule is just one more layer to keep malformed data away from where it can do Bad Things, although in this case it's not going to add any extra security (yup, you guessed it, it's following best practice guidelines!).
    PHP questions? RTFM
    MySQL questions? RTFM

  2. #27
    SitePoint Wizard (joined Dec 2005)
    "it's following best practice guidelines!" Good stuff!

    The var_dump lines were mostly for your educational benefit
    Yes I understand this now, thanks.

    You have to run your MySQL code before you have anything in $row['title'] to display. Just put that code up top and then you'll be able to insert the gallery title into your browser's title bar with no problems.
    Do you mean before <html> ?
    PHP Code:
    <?php

    require_once('includes/mysql_connect.inc.php');

    // photo_id is cast to int before it goes into the query string
    $sql = "SELECT title, DATE_FORMAT(gallery.date, '%M %D %Y') AS dr, caption
        FROM photos
        LEFT JOIN gallery
        ON gallery.date = photos.date
        WHERE photo_id = " . ((int)$_GET['photo_id']);

    $result = @mysql_query($sql) or die('Error: ' . mysql_error());
    while ($row = mysql_fetch_array($result)) {
        echo '<h1>' . $row['title'] . '</h1><p>Date: ' . $row['dr'] . '</p><a href="javascript:history.go(-1)"><img src="images/170307/' . $row['photo_id'] . '.jpg" title="' . $row['caption'] . '"></a><h5>' . $row['caption'] . '</h5>';
    }

    ?>
    <html>
    <head>
    <title><?php echo $row['title'] ?></title>

    ..

    but I want (below) in the <body>; how do I break this up? Just open and close the PHP tags? Do I just run up to while ($row = mysql_fetch_array($result)) { before the <html> and then echo my $rows where needed?:
    <body>
    <p>welcome</p>
    PHP Code:
    echo '<h1>' . $row['title'] . '</h1><p>Date: ' . $row['dr'] . '</p><a href="javascript:history.go(-1)"><img src="images/170307/' . $row['photo_id'] . '.jpg" title="' . $row['caption'] . '"></a><h5>' . $row['caption'] . '</h5>';
    ...
    ...
    <h1>
    PHP Code:
    <?php echo $row['title']; ?>
    </h1>

    blar.. more html stuff

    then example, another

    <h1>
    PHP Code:
    <?php echo $row['something']; ?>
    </h1>

    </body>
    ?

    Notice in the SQL statement I added ((int)$_GET['photo_id']) - this is a basic method called type-casting that forces the value inserted into the string to be an integer.
    Yes, I am with you on that, I understand what you mean, thanks.

    The reason you had to select photo_id is because you were using $row['photo_id'] in your output; I would recommend instead not selecting photo_id in the query and instead using $_GET['photo_id'] in your output - this will be more efficient (albeit not noticeably so) but more importantly follows best practice guidelines.
    How would I put it into output? "Not noticeably" where? If I don't select photo_id in the query, I can't see the big image?

    I'd recommend a change to your .htaccess rule that will further protect your script: since your photo_id is always numeric (at least, I'm assuming..
    Yes, right again, thanks a lot.

  3. #28
    kromey (Fairbanks, AK; joined Sep 2006)
    Lots of questions.

    Yes, break up your block of PHP. Run your query at the top, including the $row=mysql_fetch_array($result); Remember, though, that since you're only selecting a single row the while loop is unnecessary - get rid of it (hadn't we already done that?). Once you do that, everything is in $row that you need to be there, so you can then use it over and over in your script wherever you need it - be that in the title, in the body, whatever. When all's said and done it may look something like this:
    Code PHP:
    <?php
        /*set up database connection here*/
        $sql = /*query here*/;
        $result = mysql_query($sql);
        $row = mysql_fetch_array($result);
    ?>
    <html>
    <head>
    <title><?php echo $row['title'] ?></title>
    </head>
    <body>
    <?php /*echo what you need here */ ?>
    <b>More HTML code, or whatever</b>
    <?php /*you can break up your PHP as much as your need to this way*/ ?>
    </body>
    </html>
    As for the $_GET['photo_id'] in your output, it's a simple matter of replacing $row['photo_id'] with $_GET['photo_id'] in your echo. The reason we're doing this is because we already have this data (it's in $_GET['photo_id']), so what's the point of going to the database to get it? All we accomplish by going to the database to get what we already have is increasing database read time and increasing memory requirements to store the result. In this case, the increase in read time is 0 because photo_id happens to be an index, and the increase in memory is only 4 bytes (it's an integer), so we're not gaining anything in this particular instance. I'm only harking on it here to illustrate best practices and to get you into good habits before the bad ones start to form.

  4. #29
    SitePoint Wizard (joined Dec 2005)
    Lots of questions, hungry for input.. Thanks!

    Remember, though, that since you're only selecting a single row the while loop is unnecessary - get rid of it (hadn't we already done that?).
    Yes, I think we did, just getting distracted by the problems..

    it's a simple matter of replacing $row['photo_id'] with $_GET['photo_id'] in your echo..
    With you on that, thanks for the example

    I'm only harking on it here to illustrate best practices and to get you into good habits before the bad ones start to form.
    I appreciate that GREATLY!

    I'm hoping to take these examples and knowledge I've gathered and get this finished myself..

    Again, big thanks for your time and examples kromey, until the next thread, Thank You!

  5. #30
    kromey (Fairbanks, AK; joined Sep 2006)
    Quote Originally Posted by computerbarry View Post
    Again, big thanks for your time and examples kromey, until the next thread, Thank You!
    I take it, then, that we have solved all your problems. At least, for now. Always happy to spread the knowledge.

  6. #31
    SitePoint Wizard (joined Dec 2005)
    Yes thanks!
