The Shed is going Social! Join us on FaceBook and Twitter and chime in on the conversation.
|
 |
|
Dev Shed Forums
> Programming Languages
> PHP Development
|
PHP-General - Can't open a details page based
Discuss Can't open a details page based in the PHP Development forum on Dev Shed.
Can't open a details page based PHP Development forum discussing coding practices, tips on PHP, and other PHP-related topics. PHP is an open source scripting language that has taken the web development industry by storm.
|
|
 |
|
|
|
|
Dev Shed Forums Sponsor:
|
|
|
February 11th, 2013, 05:40 AM
|
|
Contributing User
|
|
Join Date: Nov 2012
Posts: 56
Time spent in forums: 13 h 10 m 2 sec
Reputation Power: 1
|
|
|
PHP-General - Can't open a details page based
Hi,
My application fetches data from the mysql database and prints it in php just fine.
However, I cant figure out why am failing to open a details page with the following link:
Code:
<td width=70><a href=details.php?c_id=$c_id><?php echo $row['ctitle']; ?></a></td>
My basic details page: details.php
PHP Code:
<html>
<?php
//open database
include 'db_connect.php';
// get value of object id that sent from address bar
$c_id=$_GET['c_id'];
// Retrieve data from database
$sql="SELECT * FROM $tbl_name WHERE c_id='$c_id'";
$result=mysql_query($sql);
$rows=mysql_fetch_array($result);
?>
<table border="0" cellspacing="0" cellpadding="3" align="left">
<tr>
<td width="20"></td>
<td width="150">ID</td><td>:</td><td> <font color=#eecdef><? echo $rows['c_id']; ?></font></td>
</tr>
<tr>
<td width="20"></td>
<td width="150">OBJECT TITLE</td><td>:</td><td><font color="blue"><? echo $rows['ctitle']; ?></font></td>
</tr>
</table>
</html>
I will appreciate your help.
joseph
|
February 11th, 2013, 05:58 AM
|
 |
pollyanna
|
|
Join Date: Jul 2012
Location: Germany
|
|
Hi,
you seriously need to work on the security of your code. You just dump user input everywhere, allowing any visitor to inject any SQL or JavaScript code.
I've already given you those links twice, so it would be great if you'd actually read them:
Do not insert raw values into query strings.
Do not output raw values or insert them into the HTML page.
If you don't think security is important, you might as well call it "correctness". Using unfiltered variables in queries or HTML markup is technically wrong.
Quote: | Originally Posted by josephbupe However, I cant figure out why am failing to open a details page with the following link:
Code:
<td width=70><a href=details.php?c_id=$c_id><?php echo $row['ctitle']; ?></a></td>
|
A "$c_id" within HTML is just a "$c_id". It must be within PHP tags to be interpreted. But please don't just output the variable, escape it properly or cast it to an integer:
And please get rid of this "SELECT *". This is very bad style, because it's inefficient, error-prone and potentially dangerous (you might "accidentally" fetch critical data). Select specific columns.
Last edited by Jacques1 : February 11th, 2013 at 06:01 AM.
|
February 11th, 2013, 07:02 AM
|
|
|
Probably because '$_GET['c_id']' does not contain what you expect. The way you generate your link is wrong. Since '$c_id' is outside your <?php tags nothing will get substituted. Try this:
PHP Code:
<?php
echo "<td width=\"70\"><a href=\"details.php?c_id=$c_id\">".$row['ctitle']."</a></td>";
?>
__________________
There are 10 kinds of people in the world. Those that understand binary and those that don't.
|
February 11th, 2013, 07:04 AM
|
|
pollyanna
|
|
Join Date: Jul 2012
Location: Germany
|
|
|
This is a duplicate thread.
[EDIT]Moderator: Threads Merged.[/EDIT]
Last edited by Kravvitz : February 11th, 2013 at 08:07 AM.
|
February 11th, 2013, 09:28 AM
|
|
Contributing User
|
|
Join Date: Nov 2012
Posts: 56
Time spent in forums: 13 h 10 m 2 sec
Reputation Power: 1
|
|
|
Thanx. I am now re-writing my code into mysqli, with numerous questions coming after.
Stay well.
Joseph
|
February 12th, 2013, 05:30 AM
|
|
Contributing User
|
|
Join Date: Nov 2012
Posts: 56
Time spent in forums: 13 h 10 m 2 sec
Reputation Power: 1
|
|
Hi,
I have now a prepared statement in my details.php as follows:
PHP Code:
<?php
$mysqli = new mysqli("localhost", "joseph", " ", "collectionsdb");
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
// get value of object id that was sent from address bar
//$c_id = mysql_real_escape_string(c_id);
/* Create the prepared statement */
if ($stmt = $mysqli->prepare("SELECT c_id,ctitle,csubject,creference,cyear,cobjecttype,cmaterial,ctechnic,cwidth,cheight,cperiod,cmarking s,cdescription,csource,cartist,cfilename FROM collections WHERE c_id=$c_id")) {
/* Execute the prepared Statement */
$stmt->execute();
/* Bind results to variables */
$stmt->bind_result($c_id,$ctitle,$csubject,$creference,$cyear,$cobjecttype,$cmaterial,$ctechnic,$cwidth,$ch eight,$cperiod,$cmarkings,$cdescription,$csource,$cartist,$cfilename);
/* fetch values */
while ($rows = $stmt->fetch()) {
// display records in a table
// and the table of results
?>
I want to open a details.php page for the variable $c_id passed from the main page. Unfortunately, when the link is pressed the details page returns all the records. Here is the link:
PHP Code:
<td><a href=details.php?c_id=<?php echo $c_id ?> ><img src="./images/<?php echo $row['cfilename']; ?>" width="90" height="120" alt="" /></a></td>
and also:
PHP Code:
<tr><?php echo "<td width=\"70\"><a href=\"details.php?c_id=$c_id\">".$row['ctitle']."</a></td>";?></tr>
Thank you in advance.
Joseph
|
February 12th, 2013, 06:12 AM
|
|
pollyanna
|
|
Join Date: Jul 2012
Location: Germany
|
|
|
Do not output $c_id directly. I already told you in #3 and gave you the correct code.
Your code also doesn't really look like it's finished. There's no definition for $c_id, and you somehow couldn't decide about escaping this variable.
One last time before I give up: Read the links from post #3! It's all explained there (I use PDO instead of MySQLi, but the concept is the same).
|
February 13th, 2013, 11:28 AM
|
|
Contributing User
|
|
Join Date: Nov 2012
Posts: 56
Time spent in forums: 13 h 10 m 2 sec
Reputation Power: 1
|
|
Quote: | Originally Posted by Jacques1 Do not output $c_id directly. I already told you in #3 and gave you the correct code.
Your code also doesn't really look like it's finished. There's no definition for $c_id, and you somehow couldn't decide about escaping this variable.
One last time before I give up: Read the links from post #3! It's all explained there (I use PDO instead of MySQLi, but the concept is the same). |
Thanx for your pertinent advise without which I would not have attempted even to learn basic coding with mysqli and php.
Ok, now I have defined the variable $c_id as follows:
And the link now looks like this:
PHP Code:
<td><a href=details.php?c_id=<?php echo ".urlencode($c_id)." ?> ><img src="./images/<?php echo $row['cfilename']; ?>" width="90" height="120" alt="" /></a></td>
The problem I have now is that upon clicking the link, the details page opens blank. Apparently, the $c_id variable is not being passed since the address in the address bar appears without the value of the variable in question like so:
What should I do next?
Joseph
|
February 13th, 2013, 12:15 PM
|
|
pollyanna
|
|
Join Date: Jul 2012
Location: Germany
|
|
Actually, you should see something like
Code:
details.php?c_id=.urlencode(...).
in the address bar, because you output a string with the word "urlencode" rather than the return value of that function:
PHP Code:
<?php
function html_escape($raw_input) {
return htmlspecialchars($raw_input, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}
// test value for $c_id
$c_id = 123;
?>
<td><a href="details.php?c_id=<?php echo urlencode($c_id) ?>"><img src="./images/<?php echo html_escape($row['cfilename']) ?>" width="90" height="120" alt="" /></a></td>
|
February 13th, 2013, 11:32 PM
|
|
Contributing User
|
|
Join Date: Nov 2012
Posts: 56
Time spent in forums: 13 h 10 m 2 sec
Reputation Power: 1
|
|
I pasted the function and the link as provided in your recent post. But still no luck. The details.php is still returned blank. Maybe the condition in my prepared statement isn't correct. I am not sure. Just trying to learn this mysqli.
I even did some tests with different c_id numbers available for the records in my database, e.g 1, 12, 13 etc. Of course they were being printed like details.php?c_id=12.
BTW, escaping the filename the way you put it:
PHP Code:
<?php echo html_escape($row['cfilename']) ?>
failed to print the image.
I still need more help desperately.
Joseph
|
February 14th, 2013, 06:55 AM
|
|
Contributing User
|
|
Join Date: Nov 2012
Posts: 56
Time spent in forums: 13 h 10 m 2 sec
Reputation Power: 1
|
|
|
Thanx alot good people.
I have resolved this problem.
Stay well.
Joseph
|
February 14th, 2013, 07:27 AM
|
|
pollyanna
|
|
Join Date: Jul 2012
Location: Germany
|
|
|
And what did you do?
|
Developer Shed Advertisers and Affiliates
| Thread Tools |
Search this Thread |
|
|
|
| Display Modes |
Rate This Thread |
 Linear Mode
|
|
Posting Rules
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
|
|
|
|
|
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Simpy
Y! MyWeb
