#1

    Can't open a details page based


    Hi,

    My application fetches data from the mysql database and prints it in php just fine.

    However, I can't figure out why I am failing to open a details page with the following link:

    Code:
    <td width=70><a href=details.php?c_id=$c_id><?php echo $row['ctitle']; ?></a></td>
    My basic details page: details.php

    PHP Code:
    <html>

    <?php
    //open database
    include 'db_connect.php';

    // get value of object id that sent from address bar
    $c_id=$_GET['c_id'];

    // Retrieve data from database
    $sql="SELECT * FROM $tbl_name WHERE c_id='$c_id'";
    $result=mysql_query($sql);

    $rows=mysql_fetch_array($result);
    ?>

    <table border="0" cellspacing="0" cellpadding="3" align="left">
        <tr>
            <td width="20"></td>
            <td width="150">ID</td><td>:</td><td> <font color=#eecdef><? echo $rows['c_id']; ?></font></td>
        </tr>
        <tr>
            <td width="20"></td>
            <td width="150">OBJECT TITLE</td><td>:</td><td><font color="blue"><? echo $rows['ctitle']; ?></font></td>
        </tr>

    </table>

    </html>
    I will appreciate your help.

    joseph
#2

    Hi,

    you seriously need to work on the security of your code. You just dump user input everywhere, allowing any visitor to inject any SQL or JavaScript code.

    I've already given you those links twice, so it would be great if you'd actually read them:

    Do not insert raw values into query strings.
    Do not output raw values or insert them into the HTML page.

    If you don't think security is important, you might as well call it "correctness". Using unfiltered variables in queries or HTML markup is technically wrong.



    Originally Posted by josephbupe
    However, I can't figure out why I am failing to open a details page with the following link:

    Code:
    <td width=70><a href=details.php?c_id=$c_id><?php echo $row['ctitle']; ?></a></td>
    A "$c_id" within HTML is just a "$c_id". It must be within PHP tags to be interpreted. But please don't just output the variable, escape it properly or cast it to an integer:
    PHP Code:
    echo urlencode($c_id); 
    And please get rid of this "SELECT *". This is very bad style, because it's inefficient, error-prone and potentially dangerous (you might "accidentally" fetch critical data). Select specific columns.
    Last edited by Jacques1; February 11th, 2013 at 06:01 AM.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
#3

    Probably because '$_GET['c_id']' does not contain what you expect. The way you generate your link is wrong. Since '$c_id' is outside your <?php tags nothing will get substituted. Try this:
    PHP Code:
    <?php
    echo "<td width=\"70\"><a href=\"details.php?c_id=$c_id\">".$row['ctitle']."</a></td>";
    ?>
    There are 10 kinds of people in the world. Those that understand binary and those that don't.
#4

    This is a duplicate thread.

    [EDIT]Moderator: Threads Merged.[/EDIT]
    Last edited by Kravvitz; February 11th, 2013 at 08:07 AM.
#5

    Thanx. I am now re-writing my code into mysqli, with numerous questions coming after.

    Stay well.

    Joseph
#6

    Hi,

    I have now a prepared statement in my details.php as follows:

    PHP Code:
    <?php
    $mysqli = new mysqli("localhost", "joseph", " ", "collectionsdb");

    /* check connection */
    if (mysqli_connect_errno()) {
        printf("Connect failed: %s\n", mysqli_connect_error());
        exit();
    }

    // get value of object id that was sent from address bar
    //$c_id = mysql_real_escape_string(c_id);

    /* Create the prepared statement */
    if ($stmt = $mysqli->prepare("SELECT c_id,ctitle,csubject,creference,cyear,cobjecttype,cmaterial,ctechnic,cwidth,cheight,cperiod,cmarkings,cdescription,csource,cartist,cfilename FROM collections WHERE c_id=$c_id")) {

        /* Execute the prepared Statement */
        $stmt->execute();

        /* Bind results to variables */
        $stmt->bind_result($c_id, $ctitle, $csubject, $creference, $cyear, $cobjecttype, $cmaterial, $ctechnic, $cwidth, $cheight, $cperiod, $cmarkings, $cdescription, $csource, $cartist, $cfilename);

        /* fetch values */
        while ($rows = $stmt->fetch()) {

            // display records in a table

            // and the table of results
            // (the table markup and the closing braces of the while/if were not included in the post)
    ?>
    I want to open a details.php page for the variable $c_id passed from the main page. Unfortunately, when the link is pressed the details page returns all the records. Here is the link:

    PHP Code:
    <td><a href=details.php?c_id=<?php echo $c_id ?> ><img src="./images/<?php echo $row['cfilename']; ?>" width="90" height="120" alt="" /></a></td>
    and also:

    PHP Code:
    <tr><?php echo "<td width=\"70\"><a href=\"details.php?c_id=$c_id\">".$row['ctitle']."</a></td>";?></tr>
    Thank you in advance.

    Joseph
#7

    Do not output $c_id directly. I already told you in #3 and gave you the correct code.

    Your code also doesn't really look like it's finished. There's no definition for $c_id, and you somehow couldn't decide about escaping this variable.

    One last time before I give up: Read the links from post #3! It's all explained there (I use PDO instead of MySQLi, but the concept is the same).
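Putting Jacques1's two rules from #2 together with the prepared statement from #6, here is an added example (not code from the thread) of a details.php that binds c_id as a parameter instead of interpolating it into the SQL. It assumes the collectionsdb database, the collections table and the column names used in the thread, a hypothetical html_escape helper written the same way as the one in #9, and a placeholder password.

```php
<?php
// Added example, not code from the thread. Assumes the collectionsdb database,
// the collections table and the column names used in the thread.
declare(strict_types=1);

// Same shape as the helper in #9: escape a value for an HTML context.
function html_escape(string $raw_input): string {
    return htmlspecialchars($raw_input, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

// Validate before querying: an object id must be a positive integer.
// A missing, empty or non-numeric value is rejected here and never reaches SQL.
$c_id = filter_input(INPUT_GET, 'c_id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($c_id === null || $c_id === false) {
    http_response_code(400);
    exit('Missing or invalid c_id');
}

// Throw on MySQL errors instead of silently continuing with a false $stmt.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli('localhost', 'joseph', 'PASSWORD_PLACEHOLDER', 'collectionsdb');
$mysqli->set_charset('utf8mb4');

// The "?" placeholder keeps SQL and data apart: the value travels separately
// and is only ever compared with c_id, never parsed as part of the query text.
$stmt = $mysqli->prepare('SELECT c_id, ctitle, cfilename FROM collections WHERE c_id = ?');
$stmt->bind_param('i', $c_id);
$stmt->execute();
$stmt->bind_result($id, $ctitle, $cfilename);

// c_id is a key, so at most one row comes back; a single fetch() is enough.
if (!$stmt->fetch()) {
    http_response_code(404);
    exit('No object with that id');
}
$stmt->close();
?>
<table border="0" cellspacing="0" cellpadding="3" align="left">
    <tr><td width="150">ID</td><td>:</td><td><?php echo (int) $id; ?></td></tr>
    <tr><td width="150">OBJECT TITLE</td><td>:</td><td><?php echo html_escape($ctitle); ?></td></tr>
    <tr><td colspan="3"><img src="./images/<?php echo html_escape($cfilename); ?>" width="90" height="120" alt="" /></td></tr>
</table>
```

With the id validated as an integer and bound with type 'i', a request such as details.php?c_id (no value) now gets a 400 instead of a blank page or a query that matches everything.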
#8

    Originally Posted by Jacques1
    Do not output $c_id directly. I already told you in #3 and gave you the correct code.

    Your code also doesn't really look like it's finished. There's no definition for $c_id, and you somehow couldn't decide about escaping this variable.

    One last time before I give up: Read the links from post #3! It's all explained there (I use PDO instead of MySQLi, but the concept is the same).
    Thanx for your pertinent advice without which I would not have attempted even to learn basic coding with mysqli and php.

    Ok, now I have defined the variable $c_id as follows:

    PHP Code:
    $c_id = $_GET['c_id'];
    And the link now looks like this:

    PHP Code:
    <td><a href=details.php?c_id=<?php echo ".urlencode($c_id)." ?> ><img src="./images/<?php echo $row['cfilename']; ?>" width="90" height="120" alt="" /></a></td>
    The problem I have now is that upon clicking the link, the details page opens blank. Apparently, the $c_id variable is not being passed since the address in the address bar appears without the value of the variable in question like so:
    PHP Code:
    details.php?c_id
    What should I do next?

    Joseph
#9

    Actually, you should see something like
    Code:
    details.php?c_id=.urlencode(...).
    in the address bar, because you output a string with the word "urlencode" rather than the return value of that function:
    PHP Code:
    <?php

    function html_escape($raw_input) {
        return htmlspecialchars($raw_input, ENT_QUOTES | ENT_HTML401, 'UTF-8');
    }

    // test value for $c_id
    $c_id = 123;

    // $row comes from the result loop on the main page, as in the posted link
    ?>
    <td><a href="details.php?c_id=<?php echo urlencode($c_id) ?>"><img src="./images/<?php echo html_escape($row['cfilename']) ?>" width="90" height="120" alt="" /></a></td>
#10

    I pasted the function and the link as provided in your recent post. But still no luck. The details.php is still returned blank. Maybe the condition in my prepared statement isn't correct. I am not sure. Just trying to learn this mysqli.

    I even did some tests with different c_id numbers available for the records in my database, e.g. 1, 12, 13 etc. Of course they were being printed like details.php?c_id=12.

    BTW, escaping the filename the way you put it:
    PHP Code:
     <?php echo html_escape($row['cfilename'])  ?>
    failed to print the image.

    I still need more help desperately.

    Joseph
#11

    Thanx a lot good people.

    I have resolved this problem.

    Stay well.

    Joseph
#12

    And what did you do?
