Trying to make a simple book catalog

Yes, it is possible. There look for $_GET["recordnum"] in your
catalogrecord.php script.

On Feb 21, 10:20 am, fishmonger1...@gmail.com wrote:

Hi!
I'm a librarian with a little PHP knowledge.. I'm trying to make a
catalog from scratch for my library. I don't like the look of the
current catalog so I'm trying to make a custom PHP/MySQL
implementation.

I can do everything I need to do except, I don't completely understand
a detail. Ideally I could write this:

<a href="catalogrecord.php?recordnum=4">Tom Sawyer</a>

The idea would be to pass the number 4 to the catalogrecord.php page
when the hyperlink is clicked. Then it would know which number in the
catalog it should pull up and display on the next page. Is this
possible? And if so, how could I access the recordnum=4 on the next
php file?

Will

On Wed, 21 Feb 2007 02:20:49 +0100, <fi************@gmail.comwrote:

Hi!
I'm a librarian with a little PHP knowledge.. I'm trying to make a
catalog from scratch for my library. I don't like the look of the
current catalog so I'm trying to make a custom PHP/MySQL
implementation.

I can do everything I need to do except, I don't completely understand
a detail. Ideally I could write this:

<a href="catalogrecord.php?recordnum=4">Tom Sawyer</a>

The idea would be to pass the number 4 to the catalogrecord.php page
when the hyperlink is clicked. Then it would know which number in the
catalog it should pull up and display on the next page. Is this
possible? And if so, how could I access the recordnum=4 on the next
php file?

The question is a bit vague, but to get you started:

You say MySQL, so I assume that number 4 is an index in the database where
the records are stored? A list of links could be made by:

<?php
mysql_connect('hostname','username','password');//of you mysql db
mysql_select_db('catalogue');
$books = mysql_query('SELECT `id`, `name` FROM `book`');
while($book = mysql_fetch_assoc($books)){
print '<a
href="catalogrecord.php?recordnum='.$book['id'].'">'.$book['name'].'</a><br>';
}
?>

And the receiving script would do something like this:

<?php
$book_id = intval($_GET['recordnum']);
mysql_connect('hostname','username','password');//of you mysql db
mysql_select_db('catalogue');
$bookresult = mysql_query('SELECT * FROM `book` WHERE `id` = '.$book_id);
if(mysql_num_rows($bookresult) 0){
$book = mysql_fetch_assoc($bookresult);
foreach($book as $key =$value){
print $key.':'.$value.'<br>';
}
} else {
echo 'Book not found in database.';
}
?>

--
Rik Wasmus

"Klarth" <ka*****@gmail.comwrites:

Yes, it is possible. There look for $_GET["recordnum"] in your
catalogrecord.php script.

Could someone explain to a noob the use of _get here and why not _post?

Richard wrote:

"Klarth" <ka*****@gmail.comwrites:

>Yes, it is possible. There look for $_GET["recordnum"] in your
catalogrecord.php script.

Could someone explain to a noob the use of _get here and why not _post?

Because he's passing it as part of the URL, so it's a GET request. A
POST request would come from a form with method=post.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Richard wrote:

"Klarth" <ka*****@gmail.comwrites:

>Yes, it is possible. There look for $_GET["recordnum"] in your
catalogrecord.php script.

Could someone explain to a noob the use of _get here and why not _post?

Oops - pressed send too quickly.

When the POST method is used, the parameters are not passed in the link
as part of the query string; rather they are passed by the browser out
of sight of the user.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

On Wed, 21 Feb 2007 03:59:56 +0100, Jerry Stuckle
<js*******@attglobal.netwrote:

Richard wrote:

>"Klarth" <ka*****@gmail.comwrites:

>>Yes, it is possible. There look for $_GET["recordnum"] in your
catalogrecord.php script.

Could someone explain to a noob the use of _get here and why not _post?

Oops - pressed send too quickly.

When the POST method is used, the parameters are not passed in the link
as part of the query string; rather they are passed by the browser out
of sight of the user.

Which on an 'open' site (this particular project seems to be local) would
have the advantage of being both bookmarkable (hmmmz, something doesn't
feel right about that word) and indexable by a search-engine.

--
Rik Wasmus

Rik wrote:

On Wed, 21 Feb 2007 03:59:56 +0100, Jerry Stuckle
<js*******@attglobal.netwrote:

>Richard wrote:

>>"Klarth" <ka*****@gmail.comwrites:

Yes, it is possible. There look for $_GET["recordnum"] in your
catalogrecord.php script.
Could someone explain to a noob the use of _get here and why not _post?

Oops - pressed send too quickly.

When the POST method is used, the parameters are not passed in the
link as part of the query string; rather they are passed by the
browser out of sight of the user.

Which on an 'open' site (this particular project seems to be local)
would have the advantage of being both bookmarkable (hmmmz, something
doesn't feel right about that word) and indexable by a search-engine.

--Rik Wasmus

Groan, Rik - was that on purpose? :-)

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

>
And the receiving script would do something like this:

<?php
$book_id = intval($_GET['recordnum']);
mysql_connect('hostname','username','password') ;//of you mysql db
mysql_select_db('catalogue');
$bookresult = mysql_query('SELECT * FROM `book` WHERE `id` =
'.$book_id);
if(mysql_num_rows($bookresult) 0){
$book = mysql_fetch_assoc($bookresult);
foreach($book as $key =$value){
print $key.':'.$value.'<br>';
}
} else {
echo 'Book not found in database.';
}
?>

Ask why
$book_id = intval($_GET['recordnum']);
is used early on in the script and is it there just to 'keep things
tidy'? What naughty things could happen if it was just
$book_id = $_GET['recordnum'];

Supplementary question: What would you do here if you were getting a
string instead of a number to use in your SQL?

Another supplementary question: Why would it be a _bad_ idea to 'be
helpful' with the 'not found' message by echoing back the input as
follows:
$recno = GET['recordnum'];
print("Sorry we could not find your request for $recno");
--
PETER FOX Not the same since the submarine business went under
pe******@eminent.demon.co.uk.not.this.bit.no.html
2 Tees Close, Witham, Essex.
Gravity beer in Essex <http://www.eminent.demon.co.uk>

Peter Fox <pe******@eminent.demon.co.uk.not.this.bit.no.html wrote:

>And the receiving script would do something like this:

<?php
$book_id = intval($_GET['recordnum']);

>$bookresult = mysql_query('SELECT * FROM `book` WHERE `id` =
'.$book_id);
if(mysql_num_rows($bookresult) 0){
$book = mysql_fetch_assoc($bookresult);

//

> }
} else {
echo 'Book not found in database.';
}
?>

Ask why
$book_id = intval($_GET['recordnum']);
is used early on in the script and is it there just to 'keep things
tidy'? What naughty things could happen if it was just
$book_id = $_GET['recordnum'];

Google SQL injection.

Supplementary question: What would you do here if you were getting a
string instead of a number to use in your SQL?

If possible prepared statements, else mysql_real_escape_string();

Another supplementary question: Why would it be a _bad_ idea to 'be
helpful' with the 'not found' message by echoing back the input as
follows:
$recno = GET['recordnum'];
print("Sorry we could not find your request for $recno");

Because it could containt evil code. I think you know the answers to these
already :P. It's far beyond the scope of the question to go in great
detail about security and database handling, as it was local, I was only
offering a starting point.
--
Rik Wasmus

Hmmmz, it was indeed very late, because this was still in the outbox this
morning:

Jerry Stuckle <js*******@attglobal.netwrote:

Rik wrote:

>>When the POST method is used, the parameters are not passed in the
link as part of the query string; rather they are passed by the
browser out of sight of the user.

Which on an 'open' site (this particular project seems to be local)
would have the advantage of being both bookmarkable (hmmmz, something
doesn't feel right about that word) and indexable by a search-engine.

Groan, Rik - was that on purpose? :-)

Hmmmz, it's very, very late. I'd swear I was typing something about GET
before it.... Offcourse the advantages I mentioned are of a GET request :P.

Off to bed now, before I squander my credibility any further...
--
Rik Wasmus

Following on from Rik's message. . .

>
Because it could containt evil code. I think you know the answers to these
already :P. It's far beyond the scope of the question to go in great
detail about security and database handling, as it was local, I was only
offering a starting point.

Sorry Rik I didn't mean to question your code, in fact the very opposite
- A very good starting point it is too. An excellent and concise
starting point for three important questions everyone should know the
answers to.

--
PETER FOX Not the same since the submarine business went under
pe******@eminent.demon.co.uk.not.this.bit.no.html
2 Tees Close, Witham, Essex.
Gravity beer in Essex <http://www.eminent.demon.co.uk>