Bytes IT Community

href to pass variables

P: 3
I am using an href to pass a content variable (which ends up being an include file) and a variable to use in an SQL query. When I do it, the content variable works fine, but the variable to be used in the search query triggers an "Unknown column in where clause" error.

here's the href:

echo "<tr><td><a href=\"index.php?content=Planet&id=$pname\"><img src=\"$image\" width=\"80\" height=\"64\" alt=\"$pname\" /></a></td>";

I use it in a star map for a sci-fi game and want players to click on the star picture that brings them into a planetary system.
Mar 21 '10 #1
5 Replies


guillermobytes
P: 77
Can you show the query?
Mar 21 '10 #2

P: 3
$pname = $_GET['id'];


echo "<h2>$pname</h2>\n";

$query = "SELECT pname,Metal FROM planets where StarName = $pname ";
Mar 21 '10 #3

guillermobytes
P: 77
Do you have a column named StarName in your table?
It looks like you'd better replace StarName with pname.
What I don't understand is why you want your StarName to be the same as your planet name.
Mar 22 '10 #4

P: 50
You should probably escape your values; this is a huge security risk. Imagine I were on your site: I could replace the id in your URL.

xx.com?id=5;DROP TABLE x;

And so on; since SQL commands are terminated by semicolons I could do some heavy damage to your database. I could even have it write all the contents to a text file and view that file, and then I know everything in your database. Use mysql_real_escape_string on ALL values before submitting them to the database.

Causes:

A: You don't have a field labeled StarName as stated above.

B: If your StarName is supposed to be a string, as the field name indicates it is, how about obeying SQL standards and enclosing it in quotes.

SELECT `pname`, `Metal` FROM `planets` WHERE `StarName`='{$pname}'
Always properly escape SQL, or, as you have witnessed, you can encounter errors like crazy.
Mar 22 '10 #5
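As an added example (not code from the thread or from either poster), here is the same link-and-lookup written with PDO prepared statements, which pass the id to the server as a bound parameter instead of splicing it into the SQL text; this is the alternative to mysql_real_escape_string used in later PHP versions. The table and column names are the ones from the thread; the connection details, the `planetLink`/`planetsByStar` helper names and the image path are assumptions.

```php
<?php
// Added example, not from the thread. Assumes MySQL table `planets`
// with columns pname, Metal, StarName; credentials are placeholders.

// --- The query as posted (for comparison, not executed here) ---
// $query = "SELECT pname,Metal FROM planets where StarName = $pname";
// With id=Sol the unquoted value is parsed as an identifier, hence
// "Unknown column 'Sol' in where clause"; with a crafted id the
// request controls SQL syntax instead of just a value.

$pdo = new PDO(
    'mysql:host=localhost;dbname=game;charset=utf8mb4',
    'db_user', 'PLACEHOLDER_PASSWORD',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
     PDO::ATTR_EMULATE_PREPARES => false]   // real server-side prepares
);

// Building the link: URL-encode the id for the query string, then
// HTML-encode everything placed inside an attribute.
function planetLink(string $pname, string $image): string
{
    $href = 'index.php?content=Planet&id=' . rawurlencode($pname);
    return sprintf(
        '<tr><td><a href="%s"><img src="%s" width="80" height="64" alt="%s" /></a></td></tr>',
        htmlspecialchars($href, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($image, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($pname, ENT_QUOTES, 'UTF-8')
    );
}

// Reading the link target: the value never becomes part of the SQL text,
// so quoting is the driver's job and "5;DROP TABLE x;" is just a string
// that matches no StarName.
function planetsByStar(PDO $pdo, string $starName): array
{
    $stmt = $pdo->prepare('SELECT pname, Metal FROM planets WHERE StarName = :star');
    $stmt->execute([':star' => $starName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pname = $_GET['id'] ?? '';
echo '<h2>' . htmlspecialchars($pname, ENT_QUOTES, 'UTF-8') . "</h2>\n";
foreach (planetsByStar($pdo, $pname) as $row) {
    // image path is an assumed layout, e.g. images/<planet>.png
    echo planetLink($row['pname'], 'images/' . rawurlencode($row['pname']) . '.png');
}
```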

P: 3
I am a novice with PHP and SQL together but have taken a couple online classes so I am not TOTALLY in the dark. I simply want an easy way for someone to click on a table cell and have that click take them to a single record in an SQL database.

I prefer not to use JAVA since I know absolutely nothing about it.

Any ideas?
Mar 23 '10 #6
