If I wanted to go to www.someplace.com/index.php?groupid=1
How would I get the value of 1 and use it in my query?
Use GET instead of POST.
PHP Code:
$groupid = $_GET['groupid'];
What I wanted to do is take that value, then run another DB query on a different table, and then post its data.
How would I do that?
Sorry for all the questions...
I tried that and it didn't work.
Here is my URL: http://dfsdfsdsf.com/index.php?groupid=3
PHP Code:
<?php
$groupid = $_GET['groupid'];
require_once ('connect.php');
require_once ('opendb.php');
$query = "SELECT * FROM metrogroups WHERE groupid='$groupid'";
$result = @mysql_query ($query);
echo $row['groupname'];
?>
You could try formatting the way you define the string differently...
ex:
PHP Code:
$query = "SELECT * FROM `metrogroups` WHERE `groupid` = '" . $groupid . "'";
and try removing the @ before mysql_query($query);
My problem is, I am having people go to www.mysite.com/index.php?groupid=2
I wanted to get the groupid, and then insert it into the groupid that is being searched.
You should never insert GET or POST parameters, or anything that isn't hardcoded, directly into a SQL query. This causes a SQL injection vulnerability and is the number one cause of security exploits in websites.
If you know that the group ID must be a number then you should cast it to one. You should also not use single quotes in your query, as that denotes a string rather than a number.
PHP Code:
$groupid = (int) $_GET['groupid'];
$query = "SELECT * FROM metrogroups WHERE groupid=$groupid";
If it is a textual value then you should pass it through mysql_real_escape_string:
PHP Code:
$somevar = mysql_real_escape_string($_GET['somevar']);
$query = "SELECT * FROM mytable WHERE somevar='$somevar'";
Finally, if your site is non-trivial in complexity, you should use a proper data access library, such as PDO (PHP 5), MDB2 (PHP 4), or mysqli (PHP 4-5, MySQL only), which support parameterised prepared statements. These are superior to string concatenation and avoid the risk of SQL injection altogether.
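The parameterised prepared statements recommended in the last reply, as an added example that is not part of the original thread. It assumes PHP 7.1+ with the pdo_sqlite driver and an in-memory SQLite database so it runs offline; the helper names findGroupById and findGroupByName and the sample rows are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Uses an in-memory SQLite database
// (assumption, so it runs offline); for MySQL only the DSN line changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data using the table and columns from the thread.
$pdo->exec('CREATE TABLE metrogroups (groupid INTEGER PRIMARY KEY, groupname TEXT)');
$pdo->exec("INSERT INTO metrogroups VALUES (1, 'North'), (2, 'South'), (3, 'Rob''s group')");

// Hypothetical helper: look a group up by the numeric id from the query string.
function findGroupById(PDO $pdo, $rawId): ?array
{
    // Reject anything that is not a positive integer before touching the database.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The value is bound as a parameter and never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT groupid, groupname FROM metrogroups WHERE groupid = :groupid');
    $stmt->bindValue(':groupid', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // false when no row matches
    return $row === false ? null : $row;
}

// Hypothetical helper: textual lookup; no manual escaping is needed.
function findGroupByName(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT groupid, groupname FROM metrogroups WHERE groupname = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs standing in for $_GET['groupid'].
foreach (['3', '99', '3 OR 1=1', 'abc'] as $input) {
    $group = findGroupById($pdo, $input);
    // Escape on output as well: the stored name may contain HTML metacharacters.
    echo $input, ' => ', $group ? htmlspecialchars($group['groupname'], ENT_QUOTES, 'UTF-8') : 'no such group', "\n";
}
$byName = findGroupByName($pdo, "Rob's group");
echo $byName ? $byName['groupid'] : 'no such group', "\n";
```

Only the first input returns a group; the non-numeric inputs are rejected by validation before any query runs, and the name containing a single quote is matched as plain data.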