$_GET query string question

[lespaulsf]

Hi

I'm in the process of creating a online photo gallery and started to think that maybe I'm over using the $_GET to set the URL query string. I have a few questions.

1) I use bread crumb like navigation so far that lets users know where they are at in the photo gallery. That way if they want to go to a previous gallery they can just click the link and it takes them back. Although every once in a while I have noticed that the ID will not be set when I return to a previous page from a link I made in the breadcrumb. I wonder what is going on. I would say about 1 out of 6 times it will happen.

2) When you all are setting a $_GET as a variable do you sanitize it someone before you use it for SELECT query.

I have been checking for the $_GET like this:

PHP Code:

if(isset($_GET['albumID'])){
  $albumID = $_GET['album'];
} 


Should I be doing it a different way? Also is there a limit of the amount of query string pieces I should put in URL?

Thanks very much for you efforts of explaining.

[Brad080283]

It looks like your checking to see if albumID is set then your trying to get album. Maybe this is why it doesn't work on some pages?

You defiantly want to check it for any strange characters before using it in a query. Not checking it would be a big security risk as it's easy for anyone to edit the string in the url.

[crmalibu]

1) I use bread crumb like navigation so far that lets users know where they are at in the photo gallery. That way if they want to go to a previous gallery they can just click the link and it takes them back. Although every once in a while I have noticed that the ID will not be set when I return to a previous page from a link I made in the breadcrumb. I wonder what is going on. I would say about 1 out of 6 times it will happen.

You need to do some debugging. Use var_dump() on your variables to make sure they have the value you think they should, at the places in your script that they should. Theres probably a certain condition that you didn't anticipate.

2) When you all are setting a $_GET as a variable do you sanitize it someone before you use it for SELECT query.

I have been checking for the $_GET like this:

PHP Code:

if(isset($_GET['albumID'])){
  $albumID = $_GET['album'];
} 


Should I be doing it a different way?

You need to read up on sql injection.
If the data is to be used as a string in the sql query, you absolutely must escape it. If using mysql, use mysql_real_escape_string(). If it is a integer, you can validate via ctype_digit()/is_numeric(), or you can cast it to an integer via intval(). You must familiarize yourself with this immediately.

Also is there a limit of the amount of query string pieces I should put in URL?

Depends on the web server and the device requesting the urls(the browser, for example). 4096 characters for a url is a commonly thrown around limit, although thats pretty darn long. I would try to stay much less than that. It wouldn't suprise me if mobile devices like cell phones etc... don't like long urls.

[Stormrider]

You need to read up on sql injection.
If the data is to be used as a string in the sql query, you absolutely must escape it. If using mysql, use mysql_real_escape_string(). If it is a integer, you can validate via ctype_digit()/is_numeric(), or you can cast it to an integer via intval(). You must familiarize yourself with this immediately.

This could be done at the query level though - I certainly escape my data in the query itself, rather than when I first get all the variables from POST/GET.

[lespaulsf]

It looks like your checking to see if albumID is set then your trying to get album. Maybe this is why it doesn't work on some pages?

Hmmm that doesn't make since. This how you check to make sure a variable is set correct? It just says if it's set then assign it to the $albumID variable.

[lespaulsf]

You need to do some debugging. Use var_dump() on your variables to make sure they have the value you think they should, at the places in your script that they should. Theres probably a certain condition that you didn't anticipate.

I will look into var_dump(). I usally just echo out the variable to see what's inside of it when debugging. What the difference in using the var_dump()?

You need to read up on sql injection.
If the data is to be used as a string in the sql query, you absolutely must escape it. If using mysql, use mysql_real_escape_string(). If it is a integer, you can validate via ctype_digit()/is_numeric(), or you can cast it to an integer via intval(). You must familiarize yourself with this immediately.

I know about sql injection. I will use the functions you described. I actually already have a function i used to clean my data I just forgot about it.

The reason I asked about the query string amount was because I thought that PHP might get confused or overloaded with parsing through all of the $_GET strings.

[Cups]

var_dump will echo onto your page something like

$v = 1;

var_dump ($v) ;

$v (int) 1

whereas:

$v ="1";

var_dump ($v) ;

$v (STRING) length 1 "1"

So you then know what PHP is interpreting the value as, 'cause to you, a mere human, they look the same, 1.

var_dump

[lespaulsf]

Cools thanks Cups I will try this out and see if it helps. Do you think this will help me find what every once in a while the ID is not set in the bread crumb URL.

[Cups]

When getting the basic logic working I recommend you do a couple of things.

1 display all errors
2 var_dump any variables you are passing round
3 if you are building sql statements, then build them into a string, and echo it onto your screen as you work

PHP Code:

<?php
// first lines
ini_set( 'display_errors',  1 );
error_reporting( E_ALL );


// after you are expecting a form to be handled
var_dump( $POST ); // or GET, COOKIE or whatever


// building a query, which could go horribly wrong anywhere
$guy = "guy";

$sql = "select stuff from marriage where husband = '$guy' and wife = 'madonna'";

// take a look at it, paste it into phpmyadmin or whatever
echo $sql ; 
?>

comment out each line when it gets on your **ts.

and REMOVE the top lines when you publish it, or change it to log errors instead.

Some ppl have a Debug flag which you can link to a local file too, and it can be used to echo this kind of info onto the screen.

PHP Code:

$DBG =0;
if( file_exists( "/local.flag") ) $DBG = 1;

// Then do error reporting etc
// or things like this
if( $DBG ) echo $sql ; 


Something similar to that anyway, so yes, var_dump() is your friend, and if you use arrays its your best friend.

Some of the reasons why can be found in this chart. What is true in PHP? Before you do any conditional forks, make sure you know what you are checking against.

This fact, using arrays to their full potential and properly addressing security are probably the 3 most important lessons to learn.

[azz0r_wugg]

Hm I disagree.

[wibble wobble]

Hm I disagree.

Care to post anything worth reading?

Code:

$sql = "select stuff from marriage where husband = '$guy' and wife = 'madonna'";

Shouldn't that be:

Code:

DELETE FROM marriage WHERE husband = 'guy' AND wife = 'madonna'
UPDATE bank_account SET balance = balance + 70000000 WHERE name = 'guy'
UPDATE bank_account SET balance = balance - 70000000 WHERE name = 'madonna'

?

In my opinion, Cups advice is great. Always be echoing or dumping values and statements if developing using direct queries, and have error reporting on full.

If you want something more advanced but much more powerful, check out Propel (or similar): http://propel.phpdb.org/trac/

[lespaulsf]

THanks alot guys I appreciate it. I will start using var_dump, hopefully it will show me what the issue could be with the url query string. Thanks for the examples CUPS and link wibble wobble.