
I have a vertical menu bar that has categories and these categories have products under them. The URL seen when I hover over the category is ..../index.php?catid=1

For instance I have

category- SCHOOLS (catid=1)
products - NPS, DPS...

In order to display the products, I need to use $_GET to get the 'catid' from the URL when I hover over the product.

This is the code for that part:

$fetchedcatid = $_GET['catid'];
$resultLIst = array();
$i = 0;
$sql="Select * from product_master where id = ".$fetchedcatid;
$query=mysql_query($sql) or die(mysql_error());

This gives me a MySQL error since the catid is not stored in $fetchedcatid.

Please help. Thanks.

amita
  • On reading your question more closely...do you need to get the catid when you hover, or when you click that link? If you click a link with a query string (the ?catid=1 part) PHP will/should get it, but your use of "hover" makes me think javascript is involved. – BrianH Mar 17 '13 at 05:36
  • I need it when I hover... so it can't be done without JavaScript? – amita Mar 17 '13 at 06:19
  • Nice [SQL injection hole](http://bobby-tables.com). Enjoy having your server pwn3d. – Marc B Mar 17 '13 at 06:48
  • Oh, so you do need it when you hover! Your problem isn't with PHP or the web server, it's that hovering over a link doesn't send a request to the server at all, and thus no variables in _GET until you click. That just won't work without javascript - or until you click :) If you need help post a new question specifically about what you are trying to accomplish, including html (or ideally a jsfiddle). – BrianH Mar 18 '13 at 04:16

3 Answers

You need to check first that catid is set before using it; also, use of a singleton is not a good option.

if(isset($_GET['catid'])){
 // other stuff use $_GET['catid']

}

You can also use is_int or ctype_digit to make sure that the id contains only digits.


Warning

Your code is vulnerable to SQL injection. You need to escape all GET, POST and REQUEST input, and the better approach is to use prepared statements.

Good Read

  1. How to prevent SQL injection in PHP?
  2. Are PDO prepared statements sufficient to prevent SQL injection?

Note

  1. The entire ext/mysql PHP extension, which provides all functions named with the prefix mysql_, is officially deprecated as of PHP v5.5.0 and will be removed in the future. So use either PDO or MySQLi

Good read

  1. The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead
  2. PDO Tutorial for MySQL Developers
  3. Pdo Tutorial For Beginners
NullPoiиteя
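The two points in this answer (check and validate catid, then use a prepared statement instead of string concatenation) put together in one script. This is an added example, not code from the answer or the question; the DSN and credentials are placeholders, and the table product_master with column id is taken from the question.

```php
<?php
// Added example: validate the catid from the query string and run the
// lookup as a PDO prepared statement, so the value is sent as data and
// never becomes part of the SQL text.

function fetchCatId(array $get): ?int
{
    // isset() rejects a missing key; is_string() rejects catid[]=1 style
    // arrays; ctype_digit() rejects anything that is not 0-9 (including
    // the empty string); the length check keeps the value inside int range.
    if (!isset($get['catid']) || !is_string($get['catid'])) {
        return null;
    }
    if (!ctype_digit($get['catid']) || strlen($get['catid']) > 9) {
        return null;
    }
    return (int) $get['catid'];
}

function fetchProducts(PDO $pdo, int $catid): array
{
    // Named placeholder bound with an explicit integer type: the query
    // structure is fixed before the value is supplied.
    $stmt = $pdo->prepare('SELECT * FROM product_master WHERE id = :id');
    $stmt->bindValue(':id', $catid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$catid = fetchCatId($_GET);
if ($catid === null) {
    http_response_code(400);
    exit('Missing or invalid catid');
}

// Placeholder connection details (assumption, replace with your own).
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // no silent failures
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

$resultList = fetchProducts($pdo, $catid);
```

With ctype_digit() doing the validation, a request such as index.php?catid=1 passes while anything containing quotes, spaces or letters is refused with a 400 before the database is ever contacted.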
Initiate a test on the $_GET['catid'] variable

$fetchedcatid = isset($_GET['catid']) ? $_GET['catid'] : FALSE;

if($fetchedcatid) {
    // do stuff here
    // you will want to sanitize this variable especially when using it in a mysql_query statement
    // For Example:

    $resultLIst = array();
    $i          = 0;
    $sql        = "Select * from product_master where id = ".mysql_real_escape_string($fetchedcatid);
    $query      = mysql_query($sql) or die(mysql_error());
}
Ryan
My understanding is that you are having a problem with the $_GET variables, not whether or not they are set (while all good points, I don't think that's the main problem the OP has).

Try:

<?php 

if(empty($_GET)) 
echo "_GET is empty"; 
else 
print_r($_GET); 

?> 

If you aren't getting any variables then there is a problem with your configuration settings, perhaps _GET is disabled or is being reassigned to some other variable by a framework?

PHP Documentation for GET, POST, and REQUEST

BrianH
  • I think it's very likely that _GET is disabled... because I've tried the stuff above! Any idea how I can change that? – amita Mar 17 '13 at 06:22
  • It appears to be a configuration problem on your system. Assuming you aren't using a front-controller or programming framework, the most common cause of this is incorrect URL rewriting (through Apache/.htaccess, etc). Try XAMPP (portable or installed) and see if your code works or not. http://www.apachefriends.org/en/xampp.html – BrianH Mar 18 '13 at 04:10