Hi everyone,
I’ve created a page where I’m retrieving content from a MySQL database using 2 queries. What I would like to do is have the page load content based on the values passed to it along in an url.
If someone knows, then please help me out.
Thank you for your time!
//first query:
$q = "SELECT m.messages, m.name, f.forum FROM messages AS m INNER JOIN forum AS f WHERE m.name = 'simpson' ";
//second query:
$b = "SELECT m.messages, m.name, f.forum FROM messages AS m INNER JOIN forum AS f WHERE f.forum = 'foo' ";
Would the url be something like:
index.php?name=simpson&forum=foo
I’m not competely sure how my queries should be coded on the receiving page:
WHERE m.name = ‘?’ ";
Hey RedBishop,
Yeah, if you pass the data like that, it will be available in PHP via the $_GET global variable.
Whenever you’re working with data that can be passed into your script by a user, you want to make sure you escape it before using it in a DB query. How you do that depends on which DB extension you’re using: are you using MySQLi or PDO?
Hi there fretburner,
always good to hear from you.
I’m using a MySQLi connection at the moment.
Thanks!
You could do something like this:
$name = filter_input(INPUT_GET, 'name', FILTER_SANITIZE_STRING);
if ($name) {
$stmt = $mysqli->prepare("SELECT m.messages, m.name, f.forum FROM messages AS m INNER JOIN forum AS f WHERE m.name = ?");
$stmt->bind_param('s', $name);
$stmt->execute();
}
The filter_input function will return null if $_GET[‘name’] isn’t set, so the IF check would skip the query. Using a prepared statement and bound params ensures that the contents of $name will be escaped before the query is executed, which prevents SQL injection attacks.
Hi fretburner,
thanks a lot for your help. I appreciate you including measures to secure the code.
I’ll try out the code a bit later.
Have a good day!
Hi fretburner,
sorry to be a pain, but I got to ask something again. How do I combine the code you provided with the query code I’m currently using?
As it stands, my query starts with $q = “SELECT m.messages etc…”
and then:
$r = @mysqli_query ($dbc, $q);
$num = mysqli_num_rows($r);
if ($num > 0) {
$row = mysqli_fetch_array($r, MYSQLI_ASSOC); {
Print '<p>hi</p>';
I’ve been fiddling around for some time without success.
If you have a spare moment…
Thanks!!
OK, so looking at your code you’re using mysqli procedural style, so assuming that your DB connection is in $dbc, try this:
$name = filter_input(INPUT_GET, 'name', FILTER_SANITIZE_STRING);
if ($name) {
$name = mysqli_real_escape_string($dbc, $name);
$q = "SELECT m.messages, m.name, f.forum FROM messages AS m INNER JOIN forum AS f WHERE m.name = '$name'";
$r = @mysqli_query($dbc, $q);
$num = mysqli_num_rows($r);
if ($num > 0) {
$row = mysqli_fetch_array($r, MYSQLI_ASSOC);
// Do more stuff here
}
}
I’ve changed the code slightly: rather than use a prepared statement, I’ve manually escaped $name
with the mysqli_real_escape_string function, as it fits in better with your current style of code.
Hey fretburner,
it’s working great now - thank you very much! You’re a big help.
Cheers