Link parameter problem

I want to present a table with main data. Each record will have a field
acting like a link to a new page with detailed data on the selected record.
My problem is that I can't get the record-ID parsed into the link parameter.
Whatever I do will just let my $_GET['id'] give me what is after the
equal-sign in the link parameter.
The code is:
while($row = mysql_fetch_object($result))
{
$mid = ($row->catid);
$name = ($row->catname);
echo '<tr>';
echo '<td >' . $mid . '</td>';
echo '<td>' . '<a href="advertinfo.php?id=$mid">' . $name . '</a></td>';
echo '</tr>';
}
echo '</table>';

In this case the $_GET on advertinfor.php will only give me $mid.
I think the problem might be in the quotes but I also think I have tested
every possible combination without success.
Any solution or hint is very much appreciated.
Mar 21 '07 #1
On 21 Mar, 15:24, "Lennart Anderson" <lennart.ander...@tele2.se>
wrote:
> I want to present a table with main data. Each record will have a field
> acting like a link to a new page with detailed data on the selected record.
> My problem is that I can't get the record-ID parsed into the link parameter.
> Whatever I do will just let my $_GET['id'] give me what is after the
> equal-sign in the link parameter.
> The code is:
> while($row = mysql_fetch_object($result))
> {
> $mid = ($row->catid);
> $name = ($row->catname);
> echo '<tr>';
> echo '<td >' . $mid . '</td>';
> echo '<td>' . '<a href="advertinfo.php?id=$mid">' . $name . '</a></td>';
> echo '</tr>';
> }
> echo '</table>';
>
> In this case the $_GET on advertinfor.php will only give me $mid.
> I think the problem might be in the quotes but I also think I have tested
> every possible combination without success.
> Any solution or hint is very much appreciated.
have you tested this combination?
$mid = 'test';
echo '<td><a href="advertinfo.php?id=' . $mid . '">' . $name . '</a></td>';

Mar 21 '07 #2

"shimmyshack" <ma********@gmail.com> wrote in message
news:11**********************@e65g2000hsc.googlegroups.com...
> have you tested this combination?
> $mid = 'test';
> echo '<td><a href="advertinfo.php?id=' . $mid . '">' . $name . '</a></td>';
EUREKA
I have tested your suggestion now and it works.
Don't know how to thank you.
Now I can keep some of the hair on my head instead of rubbing it off in deep
frustration.
Again thanks for the hint
Mar 21 '07 #3
On 21 Mar, 16:54, "Lennart Anderson" <lennart.ander...@tele2.se>
wrote:
> EUREKA
> I have tested your suggestion now and it works.
> Don't know how to thank you.
> Now I can keep some of the hair on my head instead of rubbing it off in deep
> frustration.
> Again thanks for the hint
cool, now make sure that you are secure by filtering the data that
comes from your database,
so I would actually do this:

while($row = mysql_fetch_object($result))
{
$mid = urlencode($row->catid);
$name = htmlentities($row->catname);
echo '<tr>';
echo '<td >' . $mid . '</td>';
echo '<td>' . '<a href="advertinfo.php?id=' . $mid . '">' . $name .
'</a></td>';
echo '</tr>';
}
echo '</table>';

unless you use utf-8 as the primary character set in which case use
htmlentities('string',ENT_QUOTES,'UTF-8');

It seems weird doesn't it, protecting your application against
characters from your *own* database, but this is the world we live in.

Mar 21 '07 #4
On 21 Mar, 17:17, "shimmyshack" <matt.fa...@gmail.com> wrote:
> cool, now make sure that you are secure by filtering the data that
> comes from your database,
> so I would actually do this:
>
> while($row = mysql_fetch_object($result))
> {
> $mid = urlencode($row->catid);
> $name = htmlentities($row->catname);
> echo '<tr>';
> echo '<td >' . $mid . '</td>';
> echo '<td>' . '<a href="advertinfo.php?id=' . $mid . '">' . $name .
> '</a></td>';
> echo '</tr>';
> }
> echo '</table>';
>
> unless you use utf-8 as the primary character set in which case use
> htmlentities('string',ENT_QUOTES,'UTF-8');
>
> It seems weird doesn't it, protecting your application against
> characters from your *own* database, but this is the world we live in.
oops! I forgot to filter the id too, you should run it through the
validator you use when you put it into your query, removing all
characters that are not numbers, making sure it's a number, and that it
falls within the limits your database will expect.

So, as a minimum, before taking characters and inserting them into the
html markup, you have to make sure that they contain NO html or
javascript, or if they do that it is inert.

The use of htmlentities can effectively take any characters that can
be used to inject fraudulent code into your page and hijack it.

I suppose you could do
$mid = htmlentities($row->catid);

and make sure that you check the $_GET['id'] before you include it in
the query you run against your table.

Mar 21 '07 #5

"shimmyshack" <ma********@gmail.com> wrote in message
news:11**********************@b75g2000hsg.googlegroups.com...
> oops! I forgot to filter the id too, you should run it through the
> validator you use when you put it into your query, removing all
> characters that are not numbers, making sure it's a number, and that it
> falls within the limits your database will expect.
>
> So, as a minimum, before taking characters and inserting them into the
> html markup, you have to make sure that they contain NO html or
> javascript, or if they do that it is inert.
>
> The use of htmlentities can effectively take any characters that can
> be used to inject fraudulent code into your page and hijack it.
>
> I suppose you could do
> $mid = htmlentities($row->catid);
>
> and make sure that you check the $_GET['id'] before you include it in
> the query you run against your table.
Thanks.
Although I'm not yet too experienced in php I think I see what you mean and
will take this into consideration for my coming work. I'm trying to help my
daughter with a kind of advertisement and selling place for the Cayman
Islands.
Mar 21 '07 #6
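
Added example (not code from the thread): the encoding and validation advice from replies #4 and #5 combined in one runnable PHP script, with each value encoded for the context it lands in. The sample rows, the helper names h(), render_row() and valid_id(), and the MAX_CATID bound are assumptions made for illustration.

```php
<?php
// Constructed rows standing in for the mysql_fetch_object() results.
// The second catname is deliberately hostile, to show what encoding neutralises.
$rows = [
    (object)['catid' => '12', 'catname' => 'Boats & jet skis'],
    (object)['catid' => '13', 'catname' => '"><script>alert(1)</script>'],
];

// HTML text and attribute context: ENT_QUOTES also encodes ' and ".
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Listing page: the id is forced to an integer, URL-encoded inside the query
// string, and the finished URL is HTML-encoded for the href attribute.
function render_row(object $row): string {
    $id  = (int) $row->catid;
    $url = 'advertinfo.php?' . http_build_query(['id' => $id]);
    return '<tr><td>' . $id . '</td><td><a href="' . h($url) . '">'
         . h($row->catname) . '</a></td></tr>';
}

// Detail page: accept only a whole number inside the expected range.
// MAX_CATID is an assumed upper bound; use the limit of your own id column.
const MAX_CATID = 2147483647;

function valid_id($raw): ?int {
    $id = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => MAX_CATID]]);
    return $id === false ? null : $id;
}

echo "<table>\n";
foreach ($rows as $row) {
    echo render_row($row), "\n";
}
echo "</table>\n";

// Constructed values of the kind that can arrive in $_GET['id'].
foreach (['12', '12 OR 1=1', '-5', '<b>7</b>', ''] as $raw) {
    $id = valid_id($raw);
    echo var_export($raw, true), ' => ',
         $id === null ? 'rejected' : "ok, bind $id as a query parameter", "\n";
}
```

Only the first sample value passes valid_id(); the rejected ones never reach the query, and the accepted integer should still be passed as a bound parameter rather than concatenated into the SQL string.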
Lennart Anderson wrote:
> I want to present a table with main data. Each record will have a field
> acting like a link to a new page with detailed data on the selected record.
> My problem is that I can't get the record-ID parsed into the link parameter.
> Whatever I do will just let my $_GET['id'] give me what is after the
> equal-sign in the link parameter.
> The code is:
> while($row = mysql_fetch_object($result))
> {
> $mid = ($row->catid);
> $name = ($row->catname);
> echo '<tr>';
> echo '<td >' . $mid . '</td>';
> echo '<td>' . '<a href="advertinfo.php?id=$mid">' . $name . '</a></td>';
> echo '</tr>';
> }
> echo '</table>';
>
> In this case the $_GET on advertinfor.php will only give me $mid.
> I think the problem might be in the quotes but I also think I have tested
> every possible combination without success.
> Any solution or hint is very much appreciated.

The difference between ' and " is that php variables inside "" are
parsed but inside '' they are not. So "$foo" will be parsed as $foo the
variable, but '$foo' is seen as a literal string, a dollar sign followed
by the string foo.

--
Ra*********@gmail.com
"We are on the planet of the apes."
Mar 21 '07 #7

"Rami Elomaa" <ra*********@gmail.com> wrote in message
news:et**********@nyytiset.pp.htv.fi...
> The difference between ' and " is that php variables inside "" are parsed
> but inside '' they are not. So "$foo" will be parsed as $foo the variable,
> but '$foo' is seen as a literal string, a dollar sign followed by the
> string foo.
>
> --
> Ra*********@gmail.com
> "We are on the planet of the apes."
Rami
Thank you
I thought I knew that but obviously I made a mistake. In such a link there
are a lot of " and ' together with .-dots. I thought I had tried all
combinations but ....
OK, you learn by mistakes, don't you. I am still a newbie.
Well, now I have got the solution to that problem but I am very convinced
that I will meet new problems and then it is very good to have found this
group.
Mar 21 '07 #8
