Trying to make a simple book catalog

Yes, it is possible. There look for $_GET["recordnum"] in your
catalogrecord.p hp script.

On Feb 21, 10:20 am, fishmonger1...@ gmail.com wrote:

Hi!
I'm a librarian with a little PHP knowledge.. I'm trying to make a
catalog from scratch for my library. I don't like the look of the
current catalog so I'm trying to make a custom PHP/MySQL
implementation.

I can do everything I need to do except, I don't completely understand
a detail. Ideally I could write this:

<a href="catalogre cord.php?record num=4">Tom Sawyer</a>

The idea would be to pass the number 4 to the catalogrecord.p hp page
when the hyperlink is clicked. Then it would know which number in the
catalog it should pull up and display on the next page. Is this
possible? And if so, how could I access the recordnum=4 on the next
php file?

Will

On Wed, 21 Feb 2007 02:20:49 +0100, <fi************ @gmail.comwrote :

Hi!
I'm a librarian with a little PHP knowledge.. I'm trying to make a
catalog from scratch for my library. I don't like the look of the
current catalog so I'm trying to make a custom PHP/MySQL
implementation.

I can do everything I need to do except, I don't completely understand
a detail. Ideally I could write this:

<a href="catalogre cord.php?record num=4">Tom Sawyer</a>

The idea would be to pass the number 4 to the catalogrecord.p hp page
when the hyperlink is clicked. Then it would know which number in the
catalog it should pull up and display on the next page. Is this
possible? And if so, how could I access the recordnum=4 on the next
php file?

The question is a bit vague, but to get you started:

You say MySQL, so I assume that number 4 is an index in the database where
the records are stored? A list of links could be made by:

<?php
mysql_connect(' hostname','user name','password ');//of you mysql db
mysql_select_db ('catalogue');
$books = mysql_query('SE LECT `id`, `name` FROM `book`');
while($book = mysql_fetch_ass oc($books)){
print '<a
href="catalogre cord.php?record num='.$book['id'].'">'.$book['name'].'</a><br>';
}
?>

And the receiving script would do something like this:

<?php
$book_id = intval($_GET['recordnum']);
mysql_connect(' hostname','user name','password ');//of you mysql db
mysql_select_db ('catalogue');
$bookresult = mysql_query('SE LECT * FROM `book` WHERE `id` = '.$book_id);
if(mysql_num_ro ws($bookresult) 0){
$book = mysql_fetch_ass oc($bookresult) ;
foreach($book as $key =$value){
print $key.':'.$value .'<br>';
}
} else {
echo 'Book not found in database.';
}
?>

--
Rik Wasmus

"Klarth" <ka*****@gmail. comwrites:

Yes, it is possible. There look for $_GET["recordnum"] in your
catalogrecord.p hp script.

Could someone explain to a noob the use of _get here and why not _post?

Richard wrote:

"Klarth" <ka*****@gmail. comwrites:

>Yes, it is possible. There look for $_GET["recordnum"] in your
catalogrecord. php script.

Could someone explain to a noob the use of _get here and why not _post?

Because he's passing it as part of the URL, so it's a GET request. A
POST request would come from a form with method=post.

--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attgl obal.net
=============== ===

Richard wrote:

"Klarth" <ka*****@gmail. comwrites:

>Yes, it is possible. There look for $_GET["recordnum"] in your
catalogrecord. php script.

Could someone explain to a noob the use of _get here and why not _post?

Oops - pressed send too quickly.

When the POST method is used, the parameters are not passed in the link
as part of the query string; rather they are passed by the browser out
of sight of the user.

--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attgl obal.net
=============== ===

On Wed, 21 Feb 2007 03:59:56 +0100, Jerry Stuckle
<js*******@attg lobal.netwrote:

Richard wrote:

>"Klarth" <ka*****@gmail. comwrites:

>>Yes, it is possible. There look for $_GET["recordnum"] in your
catalogrecord .php script.

Could someone explain to a noob the use of _get here and why not _post?

Oops - pressed send too quickly.

When the POST method is used, the parameters are not passed in the link
as part of the query string; rather they are passed by the browser out
of sight of the user.

Which on an 'open' site (this particular project seems to be local) would
have the advantage of being both bookmarkable (hmmmz, something doesn't
feel right about that word) and indexable by a search-engine.

--
Rik Wasmus

Rik wrote:

On Wed, 21 Feb 2007 03:59:56 +0100, Jerry Stuckle
<js*******@attg lobal.netwrote:

>Richard wrote:

>>"Klarth" <ka*****@gmail. comwrites:

Yes, it is possible. There look for $_GET["recordnum"] in your
catalogrecor d.php script.
Could someone explain to a noob the use of _get here and why not _post?

Oops - pressed send too quickly.

When the POST method is used, the parameters are not passed in the
link as part of the query string; rather they are passed by the
browser out of sight of the user.

Which on an 'open' site (this particular project seems to be local)
would have the advantage of being both bookmarkable (hmmmz, something
doesn't feel right about that word) and indexable by a search-engine.

--Rik Wasmus

Groan, Rik - was that on purpose? :-)

--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attgl obal.net
=============== ===

>
And the receiving script would do something like this:

<?php
$book_id = intval($_GET['recordnum']);
mysql_connect( 'hostname','use rname','passwor d');//of you mysql db
mysql_select_d b('catalogue');
$bookresult = mysql_query('SE LECT * FROM `book` WHERE `id` =
'.$book_id);
if(mysql_num_r ows($bookresult ) 0){
$book = mysql_fetch_ass oc($bookresult) ;
foreach($book as $key =$value){
print $key.':'.$value .'<br>';
}
} else {
echo 'Book not found in database.';
}
?>

Ask why
$book_id = intval($_GET['recordnum']);
is used early on in the script and is it there just to 'keep things
tidy'? What naughty things could happen if it was just
$book_id = $_GET['recordnum'];

Supplementary question: What would you do here if you were getting a
string instead of a number to use in your SQL?

Another supplementary question: Why would it be a _bad_ idea to 'be
helpful' with the 'not found' message by echoing back the input as
follows:
$recno = GET['recordnum'];
print("Sorry we could not find your request for $recno");
--
PETER FOX Not the same since the submarine business went under
pe******@eminen t.demon.co.uk.n ot.this.bit.no. html
2 Tees Close, Witham, Essex.
Gravity beer in Essex <http://www.eminent.dem on.co.uk>

Peter Fox <pe******@emine nt.demon.co.uk. not.this.bit.no .htmlwrote:

>And the receiving script would do something like this:

<?php
$book_id = intval($_GET['recordnum']);

>$bookresult = mysql_query('SE LECT * FROM `book` WHERE `id` =
'.$book_id);
if(mysql_num_r ows($bookresult ) 0){
$book = mysql_fetch_ass oc($bookresult) ;

//

> }
} else {
echo 'Book not found in database.';
}
?>

Ask why
$book_id = intval($_GET['recordnum']);
is used early on in the script and is it there just to 'keep things
tidy'? What naughty things could happen if it was just
$book_id = $_GET['recordnum'];

Google SQL injection.

Supplementary question: What would you do here if you were getting a
string instead of a number to use in your SQL?

If possible prepared statements, else mysql_real_esca pe_string();

Another supplementary question: Why would it be a _bad_ idea to 'be
helpful' with the 'not found' message by echoing back the input as
follows:
$recno = GET['recordnum'];
print("Sorry we could not find your request for $recno");

Because it could containt evil code. I think you know the answers to these
already :P. It's far beyond the scope of the question to go in great
detail about security and database handling, as it was local, I was only
offering a starting point.
--
Rik Wasmus