0

SQL query like this,

$uid = $_GET['id'];
$result = mysql_query("SELECT name, lastname, email FROM users WHERE id = '$uid'");

How to print a 404 header if the id != value of $_GET['id']?

Steve Robbins
Johan Larsson

2 Answers

4
$uid = mysql_real_escape_string($_GET['id']);
$result = mysql_query("SELECT name, lastname, email FROM users WHERE id = '{$uid}'");
if (!$result || mysql_num_rows($result) == 0)
    header("Status: 404 Not Found");

Also note, you should move away from deprecated mysql_* functions.

Also also note, Bobby Tables.

BenMorel
Steve Robbins
  • I'm getting an error, Warning: Cannot modify header information - headers already sent... at the same line where I placed the code. (You are on the right track for solving the issue) – Johan Larsson Aug 20 '12 at 23:51
  • If you're using PHP 5.4 you can also use `http_response_code()` http://www.php.net/manual/en/function.http-response-code.php. – JamesArmes Aug 20 '12 at 23:51
  • @JohanLarsson That's a separate issue. http://stackoverflow.com/questions/8028957/headers-already-sent-by-php – Steve Robbins Aug 20 '12 at 23:52
  • "Move away from" is a polite way of saying "You should never have used them in the first place" because they're extremely dangerous if not used correctly, and way too easy to use incorrectly. It would not be a bad idea to rip out all your `mysql`-based code and replace it with `mysqli` or PDO right now because you will have to do this eventually anyway. – tadman Aug 21 '12 at 06:28
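
The direction the answer and its comments point in (bound parameters instead of `mysql_*`, and `http_response_code()` set before any output), shown as an added example that is not code from the thread. It assumes PHP 7.1+ with the pdo_sqlite extension; `lookupUser`, `handle` and the in-memory `users` row are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.1 with pdo_sqlite.

// Returns the user row, or null when the id is malformed or matches nothing.
function lookupUser(PDO $pdo, $rawId): ?array
{
    // Accept only a plain positive integer; arrays, null and "1' OR '1'='1" all fail.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Bound parameter: the value is sent separately from the SQL text.
    $stmt = $pdo->prepare('SELECT name, lastname, email FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Builds status and body without printing, so the status can be set before output.
function handle(PDO $pdo, $rawId): array
{
    $user = lookupUser($pdo, $rawId);
    if ($user === null) {
        return ['status' => 404, 'body' => "Not found\n"];
    }
    $line = "{$user['name']} {$user['lastname']} <{$user['email']}>";
    return ['status' => 200, 'body' => htmlspecialchars($line, ENT_QUOTES, 'UTF-8') . "\n"];
}

// Constructed sample data standing in for the real users table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, lastname TEXT, email TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'Ada', 'Example', 'ada@example.com')");

$response = handle($pdo, $_GET['id'] ?? null);
// Must run before any echo or stray whitespace, or PHP reports "headers already sent".
if (!headers_sent()) {
    http_response_code($response['status']);
}
echo $response['body'];
```

Treating a malformed id the same as a missing one keeps the 404 response from revealing whether the input reached the database.
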
1

Not really sure which id you refer to, but you are looking for something along the lines of:

if ($id != $_GET['id'])
    header("Status: 404 Not Found");
mash