Strange isset($_GET problem

I am trying to do isset($_GET) but I have a bizarre problem coming up. I am using "id" as one of my fields, but when I try to use it in the code it says it is not recognised. However, I use this field quite widely.

The code it's coming up with is "Undefined variable: id", but I can't see why it has a problem with id.

My code is:

<?php

if(isset($_GET['id'])){

$sql = mysql_query("SELECT * FROM productfeed WHERE id='$id' LIMIT 1");

}
{

while($row = mysql_fetch_array($sql))

$id = $row['id'];
$image = $row['awImage'];
$link = $row['link'];
$description = $row['description'];
$fulldescription = $row['fulldescription'];
$price = $row['price'];

    echo "<div class=\"productdisplayshell\"> <div class=\"productdisplayoutline\"> <div class=\"productborder\"><center>  <a href=\"$link\"  target=\"_blank\" ><img src=\"$image\" /></a> </center> </div></div> <div class=\"productdescriptionoutline\"><div class=\"productdescriptionbox\">  <a href=\"$link\"  target=\"_blank\" >$description</a> </div><div class=\"productfulldescriptionbox\">  $fulldescription </div></div> <div class=\"productpriceoutline\">  <div class=\"productpricebox\"><center>&#163; $price</center></div>  <div class=\"productbuybutton\"><center><a href=\"$link\"  target=\"_blank\" ><img src=/images/buybutton.png /></a></center></div></div></div>";

}

?>

You are using $id in the query ambiguously


$sql = mysql_query("SELECT * FROM productfeed WHERE id='$id' LIMIT 1");

you need to assign the $_GET['id'] to a regular variable and then use it in the query.

Thanks, how do I assign it a value?

I didn’t know I had to do that.

Same way you do with the other variables you are using AFTER the query.


$id_to_use_in_the_query = $_GET['id'];

$sql = mysql_query("
    SELECT 
        * 
    FROM 
        productfeed 
    WHERE 
        id='". mysql_real_escape_string($id_to_use_in_the_query) ."' 
    LIMIT 1
    ");

There are a couple of other things to note.
If you use an incoming variable that the user may have some control over, you MUST always sanitise it. That's what the mysql_real_escape_string function does. Read up on the documentation and keep your database safe!

Also, using SELECT * should be avoided. Select only the fields you need and explicitly call them.
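As an added example (not Spike's code or the original poster's), here is the same lookup written with input validation and a prepared statement, which is the modern replacement for mysql_real_escape_string since the mysql_* extension was removed in PHP 7. It assumes a PDO connection to the same productfeed table; the DSN and credentials are placeholders.

```php
<?php
// Added example: the OP's product lookup hardened against SQL injection.
// Assumes a PDO connection and the productfeed table/columns the OP reads.

function fetch_product(PDO $pdo, $rawId)
{
    // Product ids are numeric, so reject anything that is not a positive
    // integer before it gets anywhere near the query.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // Named placeholder: the value is sent separately from the SQL text, so
    // it can never alter the query structure. Only the needed columns are listed.
    $stmt = $pdo->prepare(
        'SELECT id, awImage, link, description, fulldescription, price
           FROM productfeed
          WHERE id = :id
          LIMIT 1'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output needs escaping too: the description and link come from the database
// and are echoed into HTML, so encode them to prevent cross-site scripting.
function render_product(array $row)
{
    $e = function ($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); };
    return '<a href="' . $e($row['link']) . '" target="_blank">'
         . $e($row['description']) . '</a> &#163; ' . $e($row['price']);
}

if (isset($_GET['id'])) {
    // Placeholder DSN and credentials; replace with your own.
    $pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'user', 'pass');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    $product = fetch_product($pdo, $_GET['id']);
    echo $product === null ? 'Product not found.' : render_product($product);
}
```

The integer check alone would already stop injection for this numeric id, but the prepared statement is the habit to keep for string columns where no such check exists.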



<?php

if(isset($_GET['id'])){

$id=$_GET['id'];

$sql = mysql_query("SELECT * FROM productfeed WHERE id='$id' LIMIT 1");

}
{

while($row = mysql_fetch_array($sql))

$id = $row['id'];
$image = $row['awImage'];
$link = $row['link'];
$description = $row['description'];
$fulldescription = $row['fulldescription'];
$price = $row['price'];

    echo "<div class=\"productdisplayshell\"> <div class=\"productdisplayoutline\"> <div class=\"productborder\"><center>  <a href=\"$link\"  target=\"_blank\" ><img src=\"$image\" /></a> </center> </div></div> <div class=\"productdescriptionoutline\"><div class=\"productdescriptionbox\">  <a href=\"$link\"  target=\"_blank\" >$description</a> </div><div class=\"productfulldescriptionbox\">  $fulldescription </div></div> <div class=\"productpriceoutline\">  <div class=\"productpricebox\"><center>£ $price</center></div>  <div class=\"productbuybutton\"><center><a href=\"$link\"  target=\"_blank\" ><img src=/images/buybutton.png /></a></center></div></div></div>";

}

?>



You are using the user input in a query without sanitizing it, creating a big security hole. Spike’s solution does sanitize the user input, and thus is much better (and posted a day earlier too :slight_smile: ).

Thanks,

I was using a guide on YouTube which did have a sanitiser but couldn’t get it to work.

In the video it just said that if you don't use a sanitiser it doesn't deliver a good user experience if something goes wrong. It doesn't discuss security.

If you don't use a sanitiser, what is the security risk?

SQL injection

just thought I’d ask: are you missing the else keyword in the above code?

possibly a transposed, accidental drag and drop from the end of the while($row… ) line?