-5

I have the PHP code below that outputs a JSON array in the browser.

The PHP script is called like this: http://localhost/site/property.php

I would like to call it like this: http://localhost/site/property.php?propertyId=1&clientId=2

where propertyId and clientId are columns of the property table. How can I change this script to achieve this?

Thanks. I will really appreciate it.

<?php 

    $connection = mysql_connect("localhost", "root", "");

    if(!$connection)
    {
        die('Could not connect: ' .mysql_error());
    }

    mysql_select_db("Mobile", $connection); 

    $result = mysql_query("SELECT * FROM property");

    // Initialise so that an empty table yields "[]" instead of json_encode(null).
    $output = array();

    while($row = mysql_fetch_assoc($result))
    {
        $output[]=$row;
    }

    print(json_encode($output));
    mysql_close($connection);

?>
BlitZ
  • (7) You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). When you start adding user-input data to the query you will have to be careful to avoid [SQL injection attacks](http://bobby-tables.com/), which a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself against. – Quentin May 23 '13 at 10:37
  • (3) What is the problem? Getting data from the URL? Adding conditions to the query? Constructing a query with variables instead of hard-coding the whole thing? – Quentin May 23 '13 at 10:38
  • (2) Really, you ask us how to fetch GET variables? Isn't that the first thing (or at least one of the first) you learn in PHP? – Bojan Kovacevic May 23 '13 at 10:42
  • This question doesn't show much research effort... – Menelaos May 23 '13 at 11:46

6 Answers

2

You will get a lot of stick for this method but if you want it here it is.

$result = mysql_query("SELECT * FROM property WHERE propertyID = '".(int)$_GET['propertyID']."' AND clientID = '".(int)$_GET['clientID']."'");

Please, no haters :P

Ian Brindley
  • Escape string for an int? :) Isn't it better to use casting to **int** or `intval()`? PS: I am not a hater :) – Robert May 23 '13 at 11:03
  • @Robert I know, I know... In my haste to add some sort of filtering I just slapped in mysql_real_escape_string instead of a simple (int) typecast. Forgive me :P. Edited as it should have been done in the first place. The end is nigh for all this dynamic language cloudiness :) – Ian Brindley May 23 '13 at 11:41
1

First of all, mysql_* functions should NOT be used. For database transactions use mysqli_* functions (see http://php.net/manual/en/book.mysqli.php) or PDO (see http://php.net/manual/en/book.pdo.php).

You can do something like this:

$propertyID = (int) $_GET['propertyid'];
$clientID   = (int) $_GET['clientid'];

// Placeholder connection settings; these variables were never defined in the original snippet.
$hostname = 'localhost';
$username = 'db_user';
$password = 'db_password';

$dbh = new PDO("mysql:host=$hostname;dbname=mysql", $username, $password);
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Use the handle opened above ($dbh, not an undefined $conn) and bind both variables.
$q = $dbh->prepare("SELECT * FROM property WHERE property_id = ? AND client_id = ?");
$q->execute(array($propertyID, $clientID));

while ($r = $q->fetch(PDO::FETCH_ASSOC)) {
  print_r($r);
}
Rijndael
1

You'll have to check if "propertyId" and "clientId" are passed as URL-parameters (checking $_GET[<param>]) and then adapt your query accordingly. Using mysqli_* (instead of the deprecated mysql_*) and also prepared statements which protect against SQL Injection, your script could look like this.

$connection = mysqli_connect("localhost", "root", "")
              or die('Could not connect: ' . mysqli_connect_error());
mysqli_select_db($connection, "Mobile");

$output = array();

if (isset($_GET["propertyId"]) && isset($_GET["clientId"])) {
    // Cast into variables first: bind_param() takes its arguments by reference,
    // so an expression such as (int)$_GET[...] cannot be passed directly.
    $propertyId = (int)$_GET["propertyId"];
    $clientId   = (int)$_GET["clientId"];

    $query = "SELECT * FROM property WHERE propertyId = ? AND clientId = ?";
    $stmt = mysqli_prepare($connection, $query);
    $stmt->bind_param("ii", $propertyId, $clientId);
    $stmt->execute();
    // execute() only returns a bool; get_result() (mysqlnd) yields the result set
    // that mysqli_fetch_assoc() below expects.
    $result = $stmt->get_result();
} else {
    $result = mysqli_query($connection, "SELECT * FROM property");
}

while ($row = mysqli_fetch_assoc($result)) {
    $output[] = $row;
}

print(json_encode($output));
mysqli_close($connection);
gkalpak
0
$_GET['propertyId'];

will be set to the propertyId value from the URL query string.

wheybags
-1

Grab the GET variables:

$propertyId = filter_input(INPUT_GET, 'propertyId', FILTER_SANITIZE_NUMBER_INT);
$clientId   = filter_input(INPUT_GET, 'clientId', FILTER_SANITIZE_NUMBER_INT);

If the input is invalid then it cannot be used:

// Compare with === false: filter_var() returns the int itself, so a legitimate id of 0
// would otherwise be treated as invalid.
if (filter_var($propertyId, FILTER_VALIDATE_INT) === false)
    die('Invalid GET variable: propertyId');
if (filter_var($clientId, FILTER_VALIDATE_INT) === false)
    die('Invalid GET variable: clientId');

Then make sure the input is safe:

$propertyId = mysql_real_escape_string($propertyId, $connection);
$clientId   = mysql_real_escape_string($clientId, $connection);

And then add the variables to the query:

$query = sprintf(
    "SELECT * FROM property WHERE propertyId = %d AND clientId = %d",
    $propertyId, $clientId
);
$result = mysql_query($query);
// ...

Finally, you should switch over to a newer and better database driver, such as MySQLi (notice the i, which stands for "improved") or PDO. The MySQL driver is quite old and should not be used anymore. If you are stuck with it then be extra careful about what you put into the SQL query string -- you should always be careful, but newer drivers, when used correctly, shield you from many mistakes that can be made.

Sverri M. Olsen
-1

You may try it like this:

<?php 

    $connection = mysql_connect("localhost", "root", "");

    if(!$connection)
    {
        die('Could not connect: ' .mysql_error());
    }

    mysql_select_db("Mobile", $connection); 
    $where = "";

    // Each filter is optional; the (int) cast is what actually keeps the value safe here.
    if(!empty($_REQUEST['propertyId']))
    {
        $pid = mysql_escape_string($_REQUEST['propertyId']);
        $where .= " AND propertyId='".(int)$pid."'";
    }
    if(!empty($_REQUEST['clientId']))
    {
        $cid = mysql_escape_string($_REQUEST['clientId']);
        $where .= " AND clientId='".(int)$cid."'";
    }
    $result = mysql_query("SELECT * FROM property WHERE 1=1".$where);

    $output = array();
    while($row = mysql_fetch_assoc($result))
    {
        $output[]=$row;
    }

    print(json_encode($output));
    mysql_close($connection);

?>
sAnS
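A full rewrite of the original property.php that ties the answers together, added here as an example and not code from any answer on this page: PDO prepared statements for the fixed filters (as in Rijndael's and gkalpak's answers) plus the optional per-parameter filtering that sAnS builds by string concatenation, done with a fixed column allow-list and bound values instead. It assumes PHP 8 or later, integer columns propertyId and clientId in the property table, and placeholder database credentials.

```php
<?php
// Added example (not from any answer above): property.php rewritten with PDO and prepared
// statements. Assumes PHP >= 8.0, integer columns propertyId and clientId in `property`,
// and placeholder credentials. Absent parameter -> null (no filter); malformed -> rejected.
function readIntParam(array $get, string $name): ?int
{
    if (!array_key_exists($name, $get)) {
        return null;
    }
    $value = filter_var($get[$name], FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($value === false) {
        throw new InvalidArgumentException("Invalid value for $name");
    }
    return $value;
}

// Build the SQL text and bound values from whichever filters were supplied. Column names come
// from a fixed allow-list in code; only values are bound, so request data never enters the SQL.
function buildPropertyQuery(array $get): array
{
    $conditions = [];
    $params = [];
    foreach (['propertyId', 'clientId'] as $column) {
        $value = readIntParam($get, $column);
        if ($value !== null) {
            $conditions[] = "$column = ?";
            $params[] = $value;
        }
    }
    $sql = 'SELECT * FROM property';
    if ($conditions !== []) {
        $sql .= ' WHERE ' . implode(' AND ', $conditions);
    }
    return [$sql, $params];
}

header('Content-Type: application/json');
try {
    [$sql, $params] = buildPropertyQuery($_GET);
    // Placeholder credentials; use a SELECT-only account rather than root.
    $pdo = new PDO('mysql:host=localhost;dbname=Mobile;charset=utf8mb4', 'app_user', 'app_password',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo json_encode(['error' => $e->getMessage()]);
} catch (PDOException $e) {
    http_response_code(500);           // do not echo $e: its message may contain credentials
    echo json_encode(['error' => 'database error']);
}
```

Calling it as property.php?propertyId=1&clientId=2 binds both values, property.php?clientId=2 binds one, and property.php?propertyId=abc returns a 400 without touching the database.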