-
Jul 12th, 2007, 01:49 PM
#1
Thread Starter
Frenzied Member
Pass Simple value..
If I wanted to go to www.someplace.com/index.php?groupid=1
How would I get the value of 1 and use it in my query?
-
Jul 12th, 2007, 02:10 PM
#2
Addicted Member
Re: Pass Simple value..
Use GET instead of POST.
PHP Code:
$groupid = $_GET['groupid'];
-
Jul 12th, 2007, 02:26 PM
#3
Thread Starter
Frenzied Member
Re: Pass Simple value..
What i wanted to do is take that value, then run another DB query on a different table, and then post its data.
How would i do that?
Sorry for all the questions...
-
Jul 12th, 2007, 02:38 PM
#4
Thread Starter
Frenzied Member
Re: Pass Simple value..
I tried that and it didn't work.
Here is my URL: http://dfsdfsdsf.com/index.php?groupid=3
PHP Code:
<?php
$groupid = $_GET['groupid'];
require_once ('connect.php');
require_once ('opendb.php');
$query = "SELECT * FROM metrogroups WHERE groupid='$groupid'";
$result = @mysql_query ($query);
// A row has to be fetched from the result set before its columns can be read;
// without this line $row is undefined and nothing is printed.
$row = mysql_fetch_assoc($result);
echo $row['groupname'];
?>
-
Jul 12th, 2007, 03:28 PM
#5
Hyperactive Member
Re: Pass Simple value..
You could try formatting the way you define the string differently...
ex:
PHP Code:
$query = "SELECT * FROM `metrogroups` WHERE `groupid` = '" . $groupid . "'";
and try removing the @ before mysql_query($query);
-
Jul 12th, 2007, 04:00 PM
#6
Thread Starter
Frenzied Member
Re: Pass Simple value..
My problem is, I am having people go to www.mysite.com/index.php?groupid=2
I wanted to get the groupid, and then insert it into the groupid that is being searched.
-
Jul 12th, 2007, 09:42 PM
#7
Re: Pass Simple value..
You should never insert GET or POST parameters, or anything that isn't hardcoded, directly into a SQL query. This causes a SQL injection vulnerability and is the number one cause of security exploits in websites.
If you know that the group ID must be a number then you should cast it to one. You should also not use single quotes in your query, as that denotes a string rather than a number.
PHP Code:
$groupid = (int) $_GET['groupid'];
$query = "SELECT * FROM metrogroups WHERE groupid=$groupid";
If it is a textual value then you should pass it through mysql_real_escape_string:
PHP Code:
$somevar = mysql_real_escape_string($_GET['somevar']);
$query = "SELECT * FROM mytable WHERE somevar='$somevar'";
Finally, if your site is non-trivial in complexity, you should use a proper data access library, such as PDO (PHP 5), MDB2 (PHP 4), or mysqli (PHP 4-5, MySQL only), which support parameterised prepared statements. These are superior to string concatenation and avoid the risk of SQL injection altogether.
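The following is an added example, not code from anyone in this thread: it takes the thread starter's lookup (index.php?groupid=N against the metrogroups table) and writes it the way the previous post recommends, with the id validated as an integer and bound to a prepared statement through PDO. To run offline it uses an in-memory SQLite database (the PDO_SQLITE extension is assumed) and a handful of constructed rows; on a real site the DSN would point at MySQL and the input would come from $_GET['groupid'] instead of the sample list.

```php
<?php
// Added example for the thread above, not the original poster's code.
// Assumes PHP with PDO and the pdo_sqlite driver. Table and column names
// (metrogroups, groupid, groupname) follow the thread; the rows are constructed.

function openDemoDb(): PDO
{
    // In-memory SQLite so the script runs without a server. For MySQL use a DSN
    // such as "mysql:host=localhost;dbname=mydb" with a username and password.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE metrogroups (groupid INTEGER PRIMARY KEY, groupname TEXT NOT NULL)');

    // Even the seed data goes in through bound parameters.
    $ins = $db->prepare('INSERT INTO metrogroups (groupid, groupname) VALUES (:id, :name)');
    foreach ([[1, 'North'], [2, 'South'], [3, 'East']] as [$id, $name]) {
        $ins->execute([':id' => $id, ':name' => $name]);
    }
    return $db;
}

// Validate the raw query-string value: it must be a positive integer.
// Empty values, text, or a number with trailing junk are rejected here,
// so nothing untrusted ever reaches the SQL text.
function parseGroupId(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Look up a group by id. The value is bound as an integer parameter; it is
// never concatenated into the query string, so quoting and escaping do not
// come into it at all.
function findGroupName(PDO $db, int $groupid): ?string
{
    $stmt = $db->prepare('SELECT groupname FROM metrogroups WHERE groupid = :groupid');
    $stmt->bindValue(':groupid', $groupid, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

$db = openDemoDb();

// Constructed stand-ins for $_GET['groupid'] so the script can run from the
// command line: two valid ids, an unknown id, and three malformed values.
$samples = ['3', '2', '42', 'abc', '3abc', null];
foreach ($samples as $raw) {
    $id = parseGroupId($raw);
    if ($id === null) {
        printf("groupid=%s -> rejected (not a valid group id)\n", var_export($raw, true));
        continue;
    }
    $name = findGroupName($db, $id);
    printf("groupid=%d -> %s\n", $id, $name ?? 'no such group');
}
```

Validation and binding do different jobs: filter_var guarantees the value is a sensible id for the application, while the prepared statement guarantees that whatever value reaches the database is treated as data. The same pattern applies to the textual case from the previous post (bind with PDO::PARAM_STR instead of PDO::PARAM_INT), which removes the need for mysql_real_escape_string entirely.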