-1

I access my page passing some parameters through the URL:

www.mypage.com/page.php?aID=4091cdcd-773d-4ca5-bab2-41e1188870a9&sID=1_MX4yMjI1MTgxMn4xMjcuMC4wLjF-V2VkIERlYyAyNiAwOTo1MDoyNiBQU1QgMjAxMn4wLjg1MjA4MTF-&nam=Gab&tel=7777777777

then in my PHP code I have:

if(isset($_GET['sID'])) {
    $sID = $_GET['sID'];
}
if(isset($_GET['aID'])) {
    $aID = $_GET['aID'];
}
if(isset($_GET['nam'])) {
    $nam = $_GET['nam'];
}
if(isset($_GET['tel'])) {
    $tel = $_GET['tel'];
}

I have no problem retrieving $nam and $tel, but $aID and $sID always get an empty string. I have tried using double quotes (isset($_GET["aID"])), but it has not made any difference.

Are there illegal characters in the string or a limit on the size of a variable you can pass through the URL? How can I GET variables $aID and $sID?

$query = "INSERT INTO myTable (ArchiveID, SessionID, Name, Tel) VALUES ('$aiD', '$siD', '$nam', '$tel' )";

echo $query;

Echo $query's output is:

INSERT INTO myTable (ArchiveID, SessionID, Name, Tel) VALUES ('', '', 'Gab', '7777777777' )

GabCas
  • 1
    Show us the result of `print_r($_GET);` You also have an error on your last `if` (should be `$tel = $_GET[tel];`) – Kermit Jan 04 '13 at 21:03
  • 1
    What do you see when you var_dump $_GET? – j08691 Jan 04 '13 at 21:04
  • @njk, actually it's a notice: undefined index. – Shoe Jan 04 '13 at 21:04
  • print_r($GET) = Array ( [aID] => 4091cdcd-773d-4ca5-bab2-41e1188870a9 [sID] => 1_MX4yMjI1MTgxMn4xMjcuMC4wLjF-V2VkIERlYyAyNiAwOTo1MDoyNiBQU1QgMjAxMn4wLjg1MjA4MTF- [nam] => Gab [tel] => 7877556257 ) thanks njk for noticing that. fixed it on an edit. – GabCas Jan 04 '13 at 21:06
  • 1
    @GabCas looks OK. Check for notices and typos. – Bart Friederichs Jan 04 '13 at 21:07
  • What aID and sID appear to have in common is hyphens in the value. – DWright Jan 04 '13 at 21:08
  • @GabCas: Instead of pasting the variable dump in a comment, please go back and edit the original posting and paste it in there so it's readable. – Andy Lester Jan 04 '13 at 21:09
  • 2
    possible duplicate of [How to prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection-in-php) ***<<<--- Before you do anything else, read this first, understand it. It resolves your problem and tells you something very important about how to handle data in your software.*** – hakre Jan 04 '13 at 21:13

2 Answers

4

Testing your URL, I get the following result:

Array
(
    [aID] => 4091cdcd-773d-4ca5-bab2-41e1188870a9
    [sID] => 1_MX4yMjI1MTgxMn4xMjcuMC4wLjF-V2VkIERlYyAyNiAwOTo1MDoyNiBQU1QgMjAxMn4wLjg1MjA4MTF-
    [nam] => Gab
    [tel] => 7777777777
)

Therefore, I'm not sure what you mean by you're getting an empty string. You did have a typo in your code, where $tel references $_GET['aID']. I would advise you verify your code.

I would recommend that you also use $_SERVER['REQUEST_METHOD'] to verify that your script is using GET.

Update

Per your updated query, it seems as though your case is incorrect. The variable name is case-sensitive.

$query = "INSERT INTO ... VALUES ('$aiD', '$siD', '$nam', '$tel' )";
                                     ^       ^

Should be:

$query = "INSERT INTO ... VALUES ('$aID', '$sID', '$nam', '$tel' )";

  1. You have to enable error reporting and logging to the highest level when you develop PHP.
  2. You have to check return values of methods you call to see if they did what you thought they did. You have to look for more error information if something failed.
  3. You have to look into prepared statements to prevent SQL injection.

And yes, mysql_* functions are deprecated. Do not use them for new code.

hakre
Kermit
  • I also added the next line of code where I construct a query with the variables and the 'echo' of that query. – GabCas Jan 04 '13 at 21:11
  • I also edited it and put two equally important points next to parametrized SQL queries. @GabCas Enable error reporting and logging to the highest level when you develop. PHP tells you about most of these mistakes on its own. Then you don't need to stab in the dark. – hakre Jan 04 '13 at 21:18
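
The three points listed in the answer above (error reporting, checking results, prepared statements), put together as an added example that is not part of the original thread. It assumes PHP 7 or later with the pdo_sqlite extension; the in-memory SQLite database, the `requireParam` and `saveRow` helpers and the `$get` array standing in for `$_GET` are hypothetical names chosen for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread.
// Point 1: report everything and turn notices/warnings into exceptions, so a
// misspelled variable such as $aiD stops the script instead of becoming ''.
error_reporting(E_ALL);
set_error_handler(static function (int $no, string $msg, string $file, int $line): bool {
    throw new ErrorException($msg, 0, $no, $file, $line);
});

// Hypothetical helper: return a required parameter or fail loudly.
function requireParam(array $src, string $key): string
{
    if (!isset($src[$key]) || !is_string($src[$key]) || $src[$key] === '') {
        throw new InvalidArgumentException("Missing or empty parameter: $key");
    }
    return $src[$key];
}

// Point 3: values are bound as parameters, never interpolated into the SQL.
function saveRow(PDO $db, array $get): int
{
    $stmt = $db->prepare(
        'INSERT INTO myTable (ArchiveID, SessionID, Name, Tel)
         VALUES (:aID, :sID, :nam, :tel)'
    );
    $stmt->execute([
        ':aID' => requireParam($get, 'aID'),
        ':sID' => requireParam($get, 'sID'),
        ':nam' => requireParam($get, 'nam'),
        ':tel' => requireParam($get, 'tel'),
    ]);
    return $stmt->rowCount();
}

// Constructed stand-in for $_GET, using the values from the question's URL.
$get = [
    'aID' => '4091cdcd-773d-4ca5-bab2-41e1188870a9',
    'sID' => '1_MX4yMjI1MTgxMn4xMjcuMC4wLjF-V2VkIERlYyAyNiAwOTo1MDoyNiBQU1QgMjAxMn4wLjg1MjA4MTF-',
    'nam' => 'Gab',
    'tel' => '7777777777',
];
// Point 2: make PDO throw on failure instead of returning false silently.
$db = new PDO('sqlite::memory:'); // assumption: SQLite used only to keep this self-contained
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE myTable (ArchiveID TEXT, SessionID TEXT, Name TEXT, Tel TEXT)');
echo saveRow($db, $get), " row(s) inserted\n";

// The question's typo ($aiD instead of $aID) is now reported, not swallowed.
try { echo "ArchiveID: $aiD\n"; } catch (ErrorException $e) { echo 'Caught: ', $e->getMessage(), "\n"; }
```
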
0

You notice in your SQL statement you are not calling the variables you defined:

$query = "INSERT INTO myTable (ArchiveID, SessionID, Name, Tel) VALUES ('$aiD', '$siD', '$nam', '$tel' )";

should be:

$query = "INSERT INTO myTable (ArchiveID, SessionID, Name, Tel) VALUES ('$aID', '$sID', '$nam', '$tel' )";

and looks like njk updated his answer to reflect this so he should be credited for the answer.

Kai Qing