Get function with characters

Hi,

I was told that to use the get function when using characters rather than numbers you need extra ’ and " to use the get function. Like this:

$prod_info = mysql_fetch_array(mysql_query("SELECT * FROM products WHERE productid = '".$_GET['product']."'"));

I am now editing this code and I have a problem. How should I edit the code to work - it used to work with numbers. Now I am using characters it does not work:

switch($_GET["action"])
{
case "add_item":
{
AddItem($_GET["product"], $_GET["quantity"]);
ShowCart();
break;
}
case "update_item":
{
UpdateItem($_GET["product"], $_GET["quantity"]);
ShowCart();
break;
}
case "remove_item":
{
RemoveItem($_GET["product"]);
ShowCart();
break;
}
default:
{
ShowCart();
}
}

but there is an error in the code below on line 4. I think line 3 might be the reason line 4 is having a problem. But as I suggest above the get function is not correct now. How should the get function be written now that it includes characters?

function AddItem($productid, $quantity){

// The main part of the AddItem function checks whether or not this item already exists in the user's cart.
// If it does, then its quantity field is updated and it isn't added again:

$query = mysql_query("SELECT COUNT(*) FROM cart where cookieid = '" . GetCartId() . "' and product = $productid");
$num = mysql_fetch_row($query);
$quant = $num[0];
if($quant == 0)
{
// This item doesn't exist in the users cart,
// we will add it with an insert query

@mysql_query("insert into cart(cookieid, product, quantity) values('" . GetCartId() . "', $product, $quantity)");
}
else
{
@mysql_query("update cart set quantity = quantity + '$quantity' where product = $productid");
// This item already exists in the user's cart,
// we will update it instead
// Looking at the code above, we can see that if $numRows equals zero (i.e. the item isn't already in the user's cart)
// then the item is added to the cart table. If not, the item's quantity field is updated by calling the UpdateItem function,
// which is described below.

// UpdateItem accepts two parameters, in the same way that the AddItem function does:
}
}

By 'get function' I'm... taking it you mean a SELECT query.

The rules of (My)SQL quotation:
Database, table, and field names that collide with a reserved word must be backticked (`).
String values must be encapsulated in quotation marks (' or ").
Numerical values must not be.

The question really is: what is the structure of the cart table? If cookieid is an INT field, trying to put a string in will cause the query to fail.

Well, I inserted 3 bits of code. The first is a select query, which is working fine with this bit of code:

'".$_GET['product']."'

my problem is with the other 2 bits of code. In particular the second bit of code above which includes:

case "add_item":
{
AddItem($_GET["product"], $_GET["quantity"]);
ShowCart();
break;
}

If I change the $_GET["product"] to '".$_GET['product']."' it says there is an error! So, because this is not a SELECT query, it seems to need to be coded differently?!

So you know: the first bit of code in the first post is used on a product page. The following 2 bits of code are used for the cart/basket page (on the same page: the 3rd bit of code uses the switch case in the second bit of code; these need editing to account for characters rather than numbers).

Any ideas?

Matt

if($quant == 0)

That, as a conditional test is incredibly weak.

$quant could be a variety of things in order to pass that test.

You have also suppressed mysql_* errors by prefixing those functions with an @, which is not going to help you get to the bottom of this.
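The two replies above make three points: string values in SQL must be quoted (and numeric ones must not), `$quant == 0` is a loose test, and `@` hides the very errors that would explain the failure. The following is an added example, not code from the thread, showing the AddItem query rewritten with mysqli prepared statements so the driver handles quoting for a string product id such as a product name, with driver exceptions instead of `@`, a strict integer test, and validation of the `$_GET` values before they reach the query. The connection credentials, the `cart(cookieid, product, quantity)` layout and the `GetCartId()` cookie name are assumptions; `ShowCart()` is the thread's own function and is not defined here.

```php
<?php
// Added example (not from the thread): cart queries with mysqli prepared
// statements, driver exceptions and validated request input.
// Assumed: table cart(cookieid VARCHAR, product VARCHAR, quantity INT),
// a cookie named 'cartId' holding the cart id, and placeholder credentials.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of silently returning false

function GetCartId(): string
{
    // Assumption: the cart id lives in a cookie, as in the original script.
    return $_COOKIE['cartId'] ?? '';
}

function connect(): mysqli
{
    // Placeholder credentials; replace with your own.
    return new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
}

/** Return a validated product slug from the query string, or null if it is unusable. */
function productFromRequest(): ?string
{
    $product = $_GET['product'] ?? '';
    // Only the characters an SEO-style product name should contain; anything else is rejected.
    return preg_match('/^[a-z0-9-]{1,64}$/', $product) === 1 ? $product : null;
}

/** Return a validated positive integer quantity, or null if it is unusable. */
function quantityFromRequest(): ?int
{
    $q = filter_input(INPUT_GET, 'quantity', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return ($q === false || $q === null) ? null : $q;
}

function AddItem(mysqli $db, string $productid, int $quantity): void
{
    $cartid = GetCartId();

    // The product id is bound as a string parameter: the driver quotes it,
    // so "blue-widget" works exactly like the numeric ids did before.
    $stmt = $db->prepare('SELECT COUNT(*) FROM cart WHERE cookieid = ? AND product = ?');
    $stmt->bind_param('ss', $cartid, $productid);
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();

    if ((int) $count === 0) {
        // Not in the cart yet: insert it. Quantity is bound as an integer ('i').
        $stmt = $db->prepare('INSERT INTO cart (cookieid, product, quantity) VALUES (?, ?, ?)');
        $stmt->bind_param('ssi', $cartid, $productid, $quantity);
    } else {
        // Already in the cart: add to the existing quantity, scoped to this cart only.
        $stmt = $db->prepare('UPDATE cart SET quantity = quantity + ? WHERE cookieid = ? AND product = ?');
        $stmt->bind_param('iss', $quantity, $cartid, $productid);
    }
    $stmt->execute();
    $stmt->close();
}

// Dispatcher equivalent to the thread's switch: validate first, query second.
$product  = productFromRequest();
$quantity = quantityFromRequest();

switch ($_GET['action'] ?? '') {
    case 'add_item':
        if ($product !== null && $quantity !== null) {
            AddItem(connect(), $product, $quantity);
        }
        break;
    // update_item and remove_item follow the same pattern.
}
// ShowCart() from the original script would be called here.
```

Because the values are sent as parameters rather than spliced into the SQL string, the question of where to put `'"` and `"'` disappears for both SELECT and INSERT/UPDATE statements, and a product name containing a quote character cannot alter the query.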

The initial problem I have is using the get function with characters in the URL. With numbers it works fine. But I am using characters, i.e. I am using product names in the URL rather than 1, 2, 3, 4, 5, etc., for SEO purposes.

Matt.