Envision, Create, Share

Welcome to HBGames, a leading amateur game development forum and Discord server. All are welcome, and amongst our ranks you will find experts in their field from all aspects of video game design and development.

MySQL Query from $_GET ?

I'm renovating my website, and I've decided to use MySQL in conjunction with PHP.

The way I'm doing this is storing articles/scripts/etc. in tables in my SQL database and running a query from the file "viewarticle.php" with a $_GET variable called 'id', so basically you go to "http://near.zxq.net/viewarticle.php?id=1234" and it takes the variable 'id' and checks it against the data in the Id column of the table.

The code I'm using for the query is:

Code:
$query = 'SELECT * FROM <table> WHERE Id = '+$_GET['id'];
$result = mysql_query($query);

and the error I'm getting is in the $query variable.

Apparently it doesn't like for me to use String + String to concatenate them for an SQL query...

Is there a way to do this?
 
Well, you can try this. I'm not sure if this will work, but it's not going to hurt.

Code:
$query = 'SELECT * FROM <table> WHERE Id = , '$_GET['id'];

It's almost similar to something I was doing on a phpBB3 site.
 
Nope, still nothing. I tried your way, and tried it again after adding a + between the string and $_GET['id']. Neither worked. Unexpected T_VARIABLE without the +, same error as before with the +.
 
PHP:
$query = 'SELECT * FROM <table> WHERE Id =' . $_GET['id'];

. is used for string catting in PHP. Also, this is a very dangerous implementation. Parse your $_GET['id'] before querying it, or you'll be in serious trouble.
 
Sorry yeyinde, I already figured it out :haha:

It was

$id = $_GET['id'];
$query = "SELECT * FROM <table> WHERE Id = {$id}";

and it works just fine now.

EDIT: I have one more question. Can I have it so that after it runs mysql_query, if no matches are found, it re-runs the query with an $id of 0?
 
Would it be something like this?

PHP:
// mysql_num_rows takes the result resource returned by mysql_query, not the query string
$anymatches = mysql_num_rows($result);

if ($anymatches == 0)
{
    //code here if ID = 0
}

or

PHP:
if ($id == 0)
{
    //code here if ID = 0
}
 
I know this is a major necropost, but I just noticed this and, Jesus Christ, never use a user-submitted variable in an SQL statement (or anywhere, for that matter) without sanitizing it!

# $query = 'SELECT * FROM <table> WHERE Id = '+$_GET['id'];


Quick way would be:

// note: is_numeric also accepts floats and exponent forms such as "1e3"
if (!is_numeric($_GET['id'])) {
    die("Hack attempt!");
}

Otherwise one could easily shove some sql syntax in your get variable and do anything they like with your database.

Or just shove (int) before the string to convert it, which is probably better, but you get the point.
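The two points made in this thread, never interpolate $_GET['id'] into the SQL text and fall back to Id 0 when nothing matches, put together in one runnable script. This is an added example, not code from any of the posts above. It uses PDO prepared statements against an in-memory SQLite table of constructed rows so it runs offline (the mysql_* functions used in the thread were removed in PHP 7); the table name articles, the fetchArticle* function names and the sample rows are assumptions, and the "Id" column mirrors the thread.

```php
<?php
// Added example, not from the thread: the vulnerable pattern from the posts
// above beside a hardened version. Constructed sample data, in-memory SQLite.

declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE articles (Id INTEGER PRIMARY KEY, Title TEXT NOT NULL)');
    // Row with Id 0 is the fallback article the original poster asked about.
    $rows = [[0, 'Article not found'], [1234, 'Welcome'], [1235, 'Changelog']];
    $stmt = $db->prepare('INSERT INTO articles (Id, Title) VALUES (?, ?)');
    foreach ($rows as $r) {
        $stmt->execute($r);
    }
    return $db;
}

// VULNERABLE: the thread's "working" version, "... WHERE Id = {$id}".
// Whatever arrives in ?id= becomes part of the SQL statement itself.
function fetchArticleUnsafe(PDO $db, string $id): array
{
    $query = "SELECT * FROM articles WHERE Id = {$id}";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: accept only an integer, then pass it as a bound parameter so the
// database never parses it as SQL. If no row matches, look up Id = 0 instead
// (the fallback behaviour asked about in the thread).
function fetchArticleSafe(PDO $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        // Not an integer at all: treat it as "no match" and use the fallback
        // row rather than dying, so a typo in the URL still gets a page.
        $id = 0;
    }
    $stmt = $db->prepare('SELECT * FROM articles WHERE Id = :id');
    foreach ([$id, 0] as $candidate) {
        $stmt->execute([':id' => $candidate]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row !== false) {
            return $row;
        }
    }
    return null; // not even the Id = 0 fallback row exists
}

$db = makeDb();
$normal = '1234';
$evil   = '0 OR 1=1'; // the kind of "sql syntax in your get variable" the last post warns about

printf("unsafe, id=%s: %d row(s)\n", $normal, count(fetchArticleUnsafe($db, $normal)));
printf("unsafe, id=%s: %d row(s)\n", $evil, count(fetchArticleUnsafe($db, $evil)));
printf("safe,   id=%s: %s\n", $normal, fetchArticleSafe($db, $normal)['Title']);
printf("safe,   id=%s: %s\n", $evil, fetchArticleSafe($db, $evil)['Title']);
printf("safe,   id=9999: %s\n", fetchArticleSafe($db, '9999')['Title']);
```

Run it with php on the command line (pdo_sqlite is bundled with most PHP builds). The unsafe lookup returns one row for 1234 but the whole table for "0 OR 1=1", because the injected text is executed as part of the WHERE clause; the safe lookup returns the Welcome row for 1234 and the Id 0 fallback row for both the injected string and the non-existent 9999. A plain (int) cast, as suggested in the last post, also prevents the injection, but it silently turns "12abc" into 12 and "abc" into 0, whereas FILTER_VALIDATE_INT rejects both, so you can tell a bad request from a missing article.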
 
