  1. #1 lespaulsf (SitePoint Addict, joined Dec 2006, 232 posts)

    $_GET query string question

    Hi

    I'm in the process of creating an online photo gallery and started to think that maybe I'm overusing $_GET to set the URL query string. I have a few questions.

    1) I use breadcrumb-like navigation that lets users know where they are in the photo gallery. That way, if they want to go to a previous gallery, they can just click the link and it takes them back. Although every once in a while I have noticed that the ID will not be set when I return to a previous page from a link I made in the breadcrumb. I wonder what is going on. I would say about 1 out of 6 times it will happen.

    2) When you are all setting a $_GET as a variable, do you sanitize it somehow before you use it in a SELECT query?

    I have been checking for the $_GET like this:

    PHP Code:
    if (isset($_GET['albumID'])) {
        $albumID = $_GET['album'];
    }

    Should I be doing it a different way? Also, is there a limit to the number of query string pieces I should put in the URL?

    Thanks very much for your efforts in explaining.

  2. #2 Brad080283 (SitePoint Enthusiast, joined Sep 2006, 76 posts)
    It looks like you're checking to see if albumID is set, then you're trying to get album. Maybe this is why it doesn't work on some pages?

    You definitely want to check it for any strange characters before using it in a query. Not checking it would be a big security risk, as it's easy for anyone to edit the string in the URL.

  3. #3 crmalibu (SitePoint Wizard, bronze trophy, joined Jul 2008, 5,757 posts)
    Quote Originally Posted by lespaulsf:
    1) I use breadcrumb-like navigation that lets users know where they are in the photo gallery. That way, if they want to go to a previous gallery, they can just click the link and it takes them back. Although every once in a while I have noticed that the ID will not be set when I return to a previous page from a link I made in the breadcrumb. I wonder what is going on. I would say about 1 out of 6 times it will happen.
    You need to do some debugging. Use var_dump() on your variables to make sure they have the value you think they should, at the places in your script that they should. There's probably a certain condition that you didn't anticipate.

    Quote Originally Posted by lespaulsf:
    2) When you are all setting a $_GET as a variable, do you sanitize it somehow before you use it in a SELECT query?

    I have been checking for the $_GET like this:

    PHP Code:
    if (isset($_GET['albumID'])) {
        $albumID = $_GET['album'];
    }

    Should I be doing it a different way?
    You need to read up on SQL injection.
    If the data is to be used as a string in the SQL query, you absolutely must escape it. If using MySQL, use mysql_real_escape_string(). If it is an integer, you can validate via ctype_digit()/is_numeric(), or you can cast it to an integer via intval(). You must familiarize yourself with this immediately.

    Quote Originally Posted by lespaulsf:
    Also, is there a limit to the number of query string pieces I should put in the URL?
    Depends on the web server and the device requesting the URLs (the browser, for example). 4096 characters for a URL is a commonly thrown around limit, although that's pretty darn long. I would try to stay much less than that. It wouldn't surprise me if mobile devices like cell phones etc. don't like long URLs.

  4. #4 Stormrider (SitePoint Wizard, silver trophy, bronze trophy, Nottingham, UK, joined Sep 2006, 3,133 posts)
    Quote Originally Posted by crmalibu:
    You need to read up on SQL injection.
    If the data is to be used as a string in the SQL query, you absolutely must escape it. If using MySQL, use mysql_real_escape_string(). If it is an integer, you can validate via ctype_digit()/is_numeric(), or you can cast it to an integer via intval(). You must familiarize yourself with this immediately.
    This could be done at the query level though - I certainly escape my data in the query itself, rather than when I first get all the variables from POST/GET.

  5. #5 lespaulsf (SitePoint Addict, joined Dec 2006, 232 posts)
    Quote Originally Posted by Brad080283:
    It looks like you're checking to see if albumID is set, then you're trying to get album. Maybe this is why it doesn't work on some pages?
    Hmmm, that doesn't make sense. This is how you check to make sure a variable is set, correct? It just says if it's set then assign it to the $albumID variable.

  6. #6 lespaulsf (SitePoint Addict, joined Dec 2006, 232 posts)
    Quote Originally Posted by crmalibu:
    You need to do some debugging. Use var_dump() on your variables to make sure they have the value you think they should, at the places in your script that they should. There's probably a certain condition that you didn't anticipate.
    I will look into var_dump(). I usually just echo out the variable to see what's inside of it when debugging. What's the difference in using var_dump()?
    Quote Originally Posted by crmalibu:
    You need to read up on SQL injection.
    If the data is to be used as a string in the SQL query, you absolutely must escape it. If using MySQL, use mysql_real_escape_string(). If it is an integer, you can validate via ctype_digit()/is_numeric(), or you can cast it to an integer via intval(). You must familiarize yourself with this immediately.
    I know about SQL injection. I will use the functions you described. I actually already have a function I use to clean my data, I just forgot about it.

    The reason I asked about the query string amount was because I thought that PHP might get confused or overloaded with parsing through all of the $_GET strings.
    Last edited by lespaulsf; Dec 16, 2008 at 11:45. Reason: additional info

  7. #7 Cups (SitePoint Wizard, silver trophy, bronze trophy, France, deep rural, joined Oct 2006, 6,869 posts)
    var_dump will echo onto your page something like

    PHP Code:
    $v = 1;
    var_dump($v);

    Output:
    int(1)

    whereas:

    PHP Code:
    $v = "1";
    var_dump($v);

    Output:
    string(1) "1"

    So you then know what PHP is interpreting the value as, 'cause to you, a mere human, they look the same: 1.

    var_dump
    Last edited by Cups; Dec 16, 2008 at 14:21. Reason: clarified example

  8. #8 lespaulsf (SitePoint Addict, joined Dec 2006, 232 posts)
    Cool, thanks Cups, I will try this out and see if it helps. Do you think this will help me find out why, every once in a while, the ID is not set in the breadcrumb URL?

  9. #9 Cups (SitePoint Wizard, silver trophy, bronze trophy, France, deep rural, joined Oct 2006, 6,869 posts)
    When getting the basic logic working I recommend you do a couple of things.

    1 display all errors
    2 var_dump any variables you are passing round
    3 if you are building sql statements, then build them into a string, and echo it onto your screen as you work

    PHP Code:
    <?php
    // first lines
    ini_set('display_errors', 1);
    error_reporting(E_ALL);


    // after you are expecting a form to be handled
    var_dump($_POST); // or GET, COOKIE or whatever


    // building a query, which could go horribly wrong anywhere
    $guy = "guy";

    $sql = "select stuff from marriage where husband = '$guy' and wife = 'madonna'";

    // take a look at it, paste it into phpmyadmin or whatever
    echo $sql;
    ?>
    comment out each line when it gets on your **ts.

    and REMOVE the top lines when you publish it, or change it to log errors instead.

    Some people have a Debug flag which you can link to a local file too, and it can be used to echo this kind of info onto the screen.

    PHP Code:
    $DBG = 0;
    if (file_exists("/local.flag")) $DBG = 1;

    // Then do error reporting etc
    // or things like this
    if ($DBG) echo $sql;
    Something similar to that anyway, so yes, var_dump() is your friend, and if you use arrays it's your best friend.

    Some of the reasons why can be found in this chart. What is true in PHP? Before you do any conditional forks, make sure you know what you are checking against.

    This fact, using arrays to their full potential and properly addressing security are probably the 3 most important lessons to learn.
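The debugging routine above (display errors, dump what arrives, echo the SQL before running it, switch it all off with a flag file) put together in one script. This is an added example and not Cups's code; the flag file path, the log file path, the `photos` table and the breadcrumb parameter names are all assumptions. It also covers the original poster's breadcrumb problem by building every breadcrumb link from one array of parameters, so the parameter name cannot differ between links.

```php
<?php
// Added example, not code from the thread. Paths, table and column names
// and breadcrumb parameters are assumptions.

// 1. Debug switch: a file that exists only on the development machine.
$DBG = file_exists(__DIR__ . '/local.flag');

// 2. Error reporting: show everything while debugging, log it in production.
error_reporting(E_ALL);
if ($DBG) {
    ini_set('display_errors', '1');
} else {
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');
    ini_set('error_log', __DIR__ . '/php-errors.log');   // assumed log path
}

/**
 * Dump a value on screen when debugging, otherwise write it to the error log.
 * The on-screen dump is HTML-escaped: echoing $_GET back unescaped would let
 * a crafted URL inject markup into your own debug output (reflected XSS).
 */
function dbg(bool $debug, string $label, $value): void
{
    ob_start();
    var_dump($value);
    $dump = ob_get_clean();
    if ($debug) {
        echo '<pre>' . htmlspecialchars($label . ': ' . $dump, ENT_QUOTES, 'UTF-8') . '</pre>';
    } else {
        error_log($label . ': ' . trim($dump));
    }
}

/**
 * Build a breadcrumb link from one array of parameters. http_build_query()
 * does the URL encoding and guarantees every link uses the same parameter
 * names, so an 'albumID' that is set on one page cannot arrive as 'album'
 * on the next. Null values are dropped by http_build_query(), so a missing
 * id produces a link without the parameter rather than "albumID=".
 */
function breadcrumbLink(string $script, array $params): string
{
    $qs = http_build_query($params);
    return $qs === '' ? $script : $script . '?' . $qs;
}

// 3. Dump what actually arrived before branching on it.
dbg($DBG, 'GET', $_GET);

// Same key ('albumID') for the isset() test and the lookup; digits only.
$albumId = isset($_GET['albumID'])
        && is_string($_GET['albumID'])
        && ctype_digit($_GET['albumID'])
    ? (int) $_GET['albumID']
    : null;
dbg($DBG, 'albumID', $albumId);

// 4. Build the SQL into a string and look at it before it runs. The id is
// a type-checked integer, so interpolating it here is safe; string values
// must still be bound or escaped.
$sql = 'SELECT id, filename FROM photos WHERE album_id = ' . (int) $albumId;
dbg($DBG, 'sql', $sql);

// 5. Breadcrumbs built from arrays, then dumped so the real URLs are visible.
$crumbs = [
    'Home'   => breadcrumbLink('index.php', []),
    'Albums' => breadcrumbLink('gallery.php', ['view' => 'albums']),
    'Album'  => breadcrumbLink('gallery.php', ['view' => 'album', 'albumID' => $albumId]),
];
dbg($DBG, 'breadcrumbs', $crumbs);
```

With the flag file present, each `dbg()` call prints an escaped `var_dump()` in a `<pre>` block; without it, the same dump goes to the log file and nothing is shown to visitors, which is the "change it to log errors instead" step from the post.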

  10. #10 azz0r_wugg (SitePoint Addict, joined Mar 2005, 319 posts)
    Hm, I disagree.

  11. #11 wibble wobble (SitePoint Addict, joined Dec 2008, 242 posts)
    Quote Originally Posted by azz0r_wugg:
    Hm, I disagree.
    Care to post anything worth reading?

    Quote Originally Posted by Cups:
    Code:
    $sql = "select stuff from marriage where husband = '$guy' and wife = 'madonna'";
    Shouldn't that be:

    Code:
    DELETE FROM marriage WHERE husband = 'guy' AND wife = 'madonna'
    UPDATE bank_account SET balance = balance + 70000000 WHERE name = 'guy'
    UPDATE bank_account SET balance = balance - 70000000 WHERE name = 'madonna'
    ?

    In my opinion, Cups' advice is great. Always be echoing or dumping values and statements if developing using direct queries, and have error reporting on full.

    If you want something more advanced but much more powerful, check out Propel (or similar): http://propel.phpdb.org/trac/
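The "husband = '$guy'" query that wibble wobble is poking fun at, and the integer-or-string advice from crmalibu and Stormrider earlier in the thread, shown the way a practitioner would write them today: validate the album id as an integer with ctype_digit() and bind both values with PDO prepared statements, so the SQL text never contains user data. This is an added example, not code from any poster; the `photos` table, its columns, the `marriage` table and the PDO connection details are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes a PDO connection to MySQL
// with a `photos` table (columns id, filename, album_id) and the `marriage`
// table from Cups's debugging post; all of these names are assumptions.

/**
 * Return albumID from the query string as an int, or null if it is missing
 * or not an unsigned decimal integer. ctype_digit() accepts only the
 * characters 0-9, so "", "-1", "12abc" and "1 OR 1=1" are all rejected
 * before the value gets anywhere near SQL. Note that the same key
 * ('albumID') is used for both the isset() test and the lookup.
 */
function albumIdFromQuery(array $query): ?int
{
    if (!isset($query['albumID']) || !is_string($query['albumID'])) {
        return null;            // absent, or ?albumID[]=... sent an array
    }
    $raw = $query['albumID'];
    if (!ctype_digit($raw) || strlen($raw) > 10) {
        return null;            // non-digits, or absurdly long
    }
    return (int) $raw;
}

/**
 * Fetch the photos of one album with a bound integer parameter. The query
 * text contains no user data, so there is nothing for a visitor to alter.
 */
function fetchPhotos(PDO $pdo, int $albumId): array
{
    $stmt = $pdo->prepare(
        'SELECT id, filename FROM photos WHERE album_id = :album_id'
    );
    $stmt->bindValue(':album_id', $albumId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * The string case. Interpolating $husband into the query, as in the quoted
 * "husband = '$guy'" example, means a value containing a quote character
 * becomes part of the statement; binding it keeps it a plain value whatever
 * characters it holds. This is escaping "at the query level" in the sense
 * Stormrider describes, without needing an escaping function at all.
 */
function findMarriage(PDO $pdo, string $husband): array
{
    $stmt = $pdo->prepare(
        "SELECT stuff FROM marriage WHERE husband = :husband AND wife = 'madonna'"
    );
    $stmt->bindValue(':husband', $husband, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage: reject bad input with a 400 before touching the database.
$albumId = albumIdFromQuery($_GET);
if ($albumId === null) {
    http_response_code(400);
    exit('Missing or invalid albumID');
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=gallery;charset=utf8mb4',   // assumed DSN
    'gallery_user',                                          // assumed user
    'secret',                                                // assumed password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
    ]
);
$photos = fetchPhotos($pdo, $albumId);
```

mysql_real_escape_string(), recommended in the thread, belongs to the old mysql extension, which was removed in PHP 7.0; PDO (or mysqli) prepared statements are the replacement, and with ATTR_EMULATE_PREPARES off the values travel to the server separately from the statement text.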

  12. #12 lespaulsf (SitePoint Addict, joined Dec 2006, 232 posts)
    Thanks a lot guys, I appreciate it. I will start using var_dump; hopefully it will show me what the issue could be with the URL query string. Thanks for the examples Cups and the link wibble wobble.

