13

If I had something like this:

?FormSub=Submit&qty=1&partno=ipod&notes=apple&unitprice=102.99&rowid=1&qty=2&partno=Ear+Buds&notes=Headphones&unitprice=45.99&rowid=2

Is it possible to loop through the GET's to return results into a HTML table and also add to a SQL table?

Or would I need to add the rowid to the end of every $_GET (i.e. qty1=1&partno1=ipod...)?

Thanks for looking.

Gumbo

4 Answers

50

You can loop through $_GET though. It's just an array:

foreach ($_GET as $key => $value) { }

When you go through to make your SQL queries, remember to sanitize all of your inputs. Likewise for displaying values on the page. Use htmlentities to sanitize for HTML display. Assuming your database is MySQL, use mysql_real_escape_string for SQL.

Dinah
  • [Some say](https://stackoverflow.com/questions/46483/htmlentities-vs-htmlspecialchars) that `htmlspecialchars` is better than `htmlentities`, the choice to the reader. – reallynice Oct 27 '17 at 07:18
8

$_GET is an array .. so you can just iterate over it using foreach

foreach ($_GET as $query_string_variable => $value) {
    // escape both halves before echoing them into the page
    echo htmlspecialchars($query_string_variable) . ' = ' . htmlspecialchars($value) . "<br />";
}

You can also do extract($_GET) to make all of them variables, but I won't suggest it.

If you want to save it to db you should consider mysql_real_escape_string($value).

To print a HTML table .. do you want something like this ??

$count = count($_GET);
if ($count > 0) {
    echo "<table>";
    foreach ($_GET as $query_string_variable => $value) {
        // escape values so they cannot inject markup into the table
        echo '<tr><td>' . htmlspecialchars($query_string_variable) . '</td><td>' . htmlspecialchars($value) . '</td></tr>';
    }
    echo "</table>";
}

hope this helps.

TigerTiger
6

watch out! someone could easily alter this and submit:

?FormSub=Submit&qty=1&partno=ipod&notes=apple&unitprice=0.99&rowid=1&qty=2&partno=Ear+Buds&notes=Headphones&unitprice=0.05&rowid=2

note: "unitprice" was 102.99 and 45.99, but have been changed to 0.99 and 0.05, I guess they are on sale now at a great price!

KM.
  • Good call! Amazon once had a hole in their code that wasn't too much more advanced than this. There were indeed some people that got some items at a great price. – Dinah Aug 03 '09 at 13:27
  • Yeah, thanks for your concern - this is an internal quoting system...not for Joe Public..... –  Aug 03 '09 at 13:28
  • @Bifter, even if this is for "internal" usage, it still isn't a very good way of doing it – KM. Aug 03 '09 at 13:40
  • Do validate everything. Malice isn't the only reason this kind of stuff can go wrong. Errant keystrokes, people bookmarking your page with this data in the GET string, and many other reasons can keep this from working as you intend. Users, especially non-tech savvy ones, have a weird way of making things happen that you never thought would. – Dinah Aug 03 '09 at 13:45
  • Some users will learn to navigate your application by editing the URL (they will find it is quicker than using the menus/screens), but this can cause issues if you don't code defensively – KM. Aug 03 '09 at 15:24
1

See the FAQ How do I create arrays in a HTML <form>?

So in your case a request of:

?FormSub=Submit&qty[]=1&partno[]=ipod&notes[]=apple&unitprice[]=102.99&rowid[]=1&qty[]=2&partno[]=Ear+Buds&notes[]=Headphones&unitprice[]=45.99&rowid[]=2

would create an array of the form:

array(
    'FormSub' => 'Submit',
    'qty' => array(
        0 => '1',
        1 => '2'
    ),
    'partno' => array(
        0 => 'ipod',
        1 => 'Ear Buds'
    ),
    'notes' => array(
        0 => 'apple',
        1 => 'Headphones'
    ),
    'unitprice' => array(
        0 => '102.99',
        1 => '45.99'
    ),
    'rowid' => array(
        0 => '1',
        1 => '2'
    )
)

But I hope you don’t accept those values without validation or even use it for an actual order.

Additionally GET is intended to be used for data retrieval only:

In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval.

For requests with side effects (alteration of data on the server) you should use POST.

Gumbo
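The following is an added example, not code from any of the answers above. It ties together the `name[]` array notation from the last answer, the price-tampering point from KM's answer and the escaping advice from the accepted answer: the repeated fields are grouped into rows, each row is validated, the unit price is looked up server-side instead of being trusted from the request, the table is rendered with escaped output, and the database write uses a prepared statement. The `CATALOGUE` price list, the `quote_lines` table and the PDO connection are assumptions made for illustration; the sample query string is constructed and reuses the tampered prices from KM's answer to show that they are ignored.

```php
<?php
// Added example (not from any answer on this page). Groups repeated query
// fields into rows via PHP's name[] notation, validates them, ignores the
// client-supplied unit price and renders an escaped HTML table.
declare(strict_types=1);

// Constructed sample input, in the array notation from Gumbo's answer and
// with the tampered prices from KM's answer.
$sampleQuery = 'FormSub=Submit&qty[]=1&partno[]=ipod&notes[]=apple&unitprice[]=0.99&rowid[]=1'
             . '&qty[]=2&partno[]=Ear+Buds&notes[]=Headphones&unitprice[]=0.05&rowid[]=2';

// Assumed server-side price list: the authoritative price comes from here,
// never from the request.
const CATALOGUE = [
    'ipod'     => '102.99',
    'Ear Buds' => '45.99',
];

/**
 * Turn parsed request parameters into validated rows.
 * Throws InvalidArgumentException on any malformed or unknown input.
 */
function collectRows(array $params): array
{
    foreach (['qty', 'partno', 'notes', 'rowid'] as $field) {
        if (!isset($params[$field]) || !is_array($params[$field])) {
            throw new InvalidArgumentException("missing or malformed field: $field");
        }
    }
    $n = count($params['qty']);
    if (count($params['partno']) !== $n || count($params['notes']) !== $n || count($params['rowid']) !== $n) {
        throw new InvalidArgumentException('row fields have different lengths');
    }

    $rows = [];
    for ($i = 0; $i < $n; $i++) {
        $qty   = filter_var($params['qty'][$i], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 1000]]);
        $rowid = filter_var($params['rowid'][$i], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        $part  = (string) $params['partno'][$i];
        if ($qty === false || $rowid === false) {
            throw new InvalidArgumentException("row $i: qty and rowid must be positive integers");
        }
        if (!array_key_exists($part, CATALOGUE)) {
            throw new InvalidArgumentException("row $i: unknown part number");
        }
        $rows[] = [
            'rowid'     => $rowid,
            'qty'       => $qty,
            'partno'    => $part,
            'notes'     => mb_substr((string) $params['notes'][$i], 0, 200),
            'unitprice' => CATALOGUE[$part],   // server-side price; the client's value is discarded
        ];
    }
    return $rows;
}

/** Render rows as an HTML table; every cell is escaped for the HTML context. */
function renderTable(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= '<tr>';
        foreach (['rowid', 'qty', 'partno', 'notes', 'unitprice'] as $col) {
            $html .= '<td>' . htmlspecialchars((string) $row[$col], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
        }
        $html .= "</tr>\n";
    }
    return $html . "</table>\n";
}

/** Insert rows with a prepared statement, so values never become part of the SQL text. */
function storeRows(PDO $db, array $rows): void
{
    $stmt = $db->prepare(
        'INSERT INTO quote_lines (rowid, qty, partno, notes, unitprice) VALUES (?, ?, ?, ?, ?)'
    );
    foreach ($rows as $row) {
        $stmt->execute([$row['rowid'], $row['qty'], $row['partno'], $row['notes'], $row['unitprice']]);
    }
}

// parse_str builds the same nested array PHP would put in $_GET for this query string.
parse_str($sampleQuery, $params);
try {
    $rows = collectRows($params);
    echo renderTable($rows);   // prices shown are 102.99 and 45.99, not 0.99 and 0.05
    // Writes belong behind a POST, as the last answer notes, e.g.:
    // if ($_SERVER['REQUEST_METHOD'] === 'POST') { storeRows(new PDO('mysql:...'), $rows); }
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

Running the script from the command line prints the two-row table with the catalogue prices. Changing a `partno[]` to a value not in `CATALOGUE`, or a `qty[]` to `abc`, makes `collectRows()` throw and the whole request is rejected rather than partially processed, which also covers the errant-keystroke and bookmarked-URL cases Dinah raises in the comments.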