How to use php?id=#blah

Ok,

This one is related to my MySQL loop post. I have a page titled viewclient.php which loops through my database of clients and posts them all on the page.

Now if I understand correctly, I should be able to do the following: viewclient.php?id=4 and it should load the client with ID equal to four. However, when I do this it still shows all the current clients and not just client 4.

Can someone help me?
 
Try posting the code section that should load the client with id=X so people can see if there are any errors in it.
Quite a lot of scripts do this, including vBulletin, phpbb etc. for listing the forum, posts, threads and a load of other things.
If you are stuck you could even take a look at those and see what way they are doing it.
 
This is quite simple to do.

When preparing your SQL query, check to see if $id is not null, if so then add a

"where client = $id"

to the end (or add this to the existing where clause)

Obviously you'll need to tidy this, but it should point you in the right direction.
 
Here is the code. I guess the problem is that I told the script to already loop through and post the listings.... not sure how to fix it.
----------------------------------------------------------------------------------

<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body bgcolor="#FFFFFF" text="#000000">
Sort by: <br>
<br>
<table width="90%" border="0" cellspacing="0" cellpadding="2">
<tr>
<td width="5%"> </td>
<td width="26%" bgcolor="#CCCCCC"><b>Name</b></td>
<td width="22%" bgcolor="#CCCCCC"><b>Phone</b></td>
<td width="17%" bgcolor="#CCCCCC"><b>City / State</b></td>
<td width="30%" bgcolor="#CCCCCC"><b>Email Address</b></td>
</tr>

<?
$username="xxxxxxxxxxxx";
$password="xxxxxxxxxxxx";
$database="xxxxxxxxxxxx";

mysql_connect("localhost",$username,$password);
@mysql_select_db($database) or die( "Unable to select database CONTACTS");
$query="SELECT * FROM contacts";
$result=mysql_query($query);

$num=mysql_numrows($result);

mysql_close();

$i=0;
while ($i < $num) {

$first=mysql_result($result,$i,"first");
$last=mysql_result($result,$i,"last");
$address=mysql_result($result,$i,"address");
$suite=mysql_result($result,$i,"suite");
$city=mysql_result($result,$i,"city");
$state=mysql_result($result,$i,"state");
$zip=mysql_result($result,$i,"zip");
$phone=mysql_result($result,$i,"phone");
$fax=mysql_result($result,$i,"fax");
$email=mysql_result($result,$i,"email");

echo "<tr>";
echo "<td> </td>";
echo "<td><BR> $first $last<br></td>";
echo "<td><BR>$phone<BR></td>";
echo "<td><BR>$city , $state<BR></td>";
echo "<td><BR>$email<BR></td>";
echo "</tr>";

++$i;
}

?>
</table>
</body>
</html>
 
Something like this should do the trick, you might need a bit of tweaking, but it should give you the idea.

$query="SELECT * FROM contacts";

if($id) {
$query .= " WHERE contacts_id=$id";
}

$result=mysql_query($query);
 
Remember to use addslashes($id) to properly escape the variable so the SQL can't be exploited.

monaghan said:
Something like this should do the trick, you might need a bit of tweaking, but it should give you the idea.

$query="SELECT * FROM contacts";

if($id) {
$query .= " WHERE contacts_id=$id";
}

$result=mysql_query($query);
 
It's called SQL Injection, you can "inject" additional SQL into a query string.

Have a look at http://www.php.net/manual/en/function.addslashes.php for the necessary PHP functions and examples.

It's sometimes possible to insert "valid" SQL into an application and gain almost unrestricted access to the underlying RDBMS through creatively crafted SQL.

For example on an MS SQL box you have an xp_cmdshell, that if permissions are not tight and you don't check for "SQL Injection", then you can run ANY command on that server from a simple web page based query :)
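
An added example, not code from this thread: the concatenated query with addslashes() next to a version that validates the id as an integer and binds it as a query parameter. It assumes PHP 8 with the pdo_sqlite extension and uses an in-memory SQLite database as a stand-in for the thread's MySQL server; the function names, sample rows and id values are constructed for illustration.

```php
<?php
// Added example: SQLite in memory stands in for the thread's MySQL database.
// Table and column names (contacts, contacts_id, first, last) follow the posts;
// the rows are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contacts (contacts_id INTEGER PRIMARY KEY, first TEXT, last TEXT)');
$db->exec("INSERT INTO contacts (contacts_id, first, last) VALUES
           (3, 'Ann', 'Lee'), (4, 'Bob', 'Ray'), (5, 'Cy', '<b>Poe</b>')");

// "Before": the concatenated query from the thread, with addslashes() applied.
// addslashes() only escapes quotes, backslashes and NUL, so a value placed in
// an unquoted numeric position still changes the structure of the WHERE clause.
function find_concat(PDO $db, $id): array
{
    $sql = 'SELECT * FROM contacts';
    if ($id) {
        $sql .= ' WHERE contacts_id=' . addslashes($id);
    }
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// "After": accept only a positive integer and bind it as a parameter, so the
// value can never be parsed as SQL. No id lists everyone; a bad id lists nobody.
function find_bound(PDO $db, $id): array
{
    if ($id === null || $id === '') {
        return $db->query('SELECT * FROM contacts')->fetchAll(PDO::FETCH_ASSOC);
    }
    $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($n === false) {
        return [];
    }
    $stmt = $db->prepare('SELECT * FROM contacts WHERE contacts_id = :id');
    $stmt->bindValue(':id', $n, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$inputs = ['4', '4 OR 1=1', null];   // constructed values for ?id=
foreach ($inputs as $id) {
    printf("id=%-10s concat: %d row(s)  bound: %d row(s)\n",
        var_export($id, true), count(find_concat($db, $id)), count(find_bound($db, $id)));
}
// Escape on output as well: the page echoes database values straight into HTML.
foreach (find_bound($db, '5') as $row) {
    echo '<td>' . htmlspecialchars($row['first'] . ' ' . $row['last'], ENT_QUOTES) . "</td>\n";
}
```

Against MySQL only the DSN passed to `new PDO` changes; the `prepare` and `bindValue` calls stay the same.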
 
Jonathan, if you didn't solve your problem, gimme a holler on AIM and I'll show ya some of the stuff I did like this before, you can just modify my code, should work perfectly for you.
 