
I have the following PHP. It works fine and opens the detail.php page with the correct id.

<a href="contents/details.php?b_id=<?php echo $business["id"]; ?>" style="text-decoration:none; color:#000;"><h1 style="text-transform:capitalize; margin-bottom:5px;"><?php echo $business["name"]; ?></h1></a>

Here is the URL rewriting rule:

RewriteRule ^b_id-([a-zA-Z0-9_-]+)-([0-9]+).html$ contents/details.php?b_id=$2

Now I am trying to change the above PHP to work with the RewriteRule. Here is the updated PHP:

<a href="contents/details.html?b_id=<?php echo $business["id"]; ?>-<?php echo $business["name"]; ?>.html" style="text-decoration:none; color:#000;"><h1 style="text-transform:capitalize; margin-bottom:5px;"><?php echo $business["name"]; ?></h1></a>

This produces the following URL and error:

http://localhost/sbd/contents/details.html?b_id=12-Testing%20my%20own%20business.html

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'my own business.html' at line 1

Here is the SQL query:

public function getBusiness($business_id) { // If business id null then this function returns whole businesses.
    $selectQuery = "SELECT b.name, b.description, b.address_1, b.address_2, b.location, b.ph_office, b.ph_cell, b.fax, b.email, b.website, b.image, b.image_1, b.image_2, b.image_3, b.contact_person, city.name as city, cat.name as category, country.name as country_name, region.name as region_name FROM tbl_business as b INNER JOIN tbl_city as city ON city.id = b.location INNER JOIN tbl_category as cat ON cat.id = b.category_id LEFT OUTER JOIN tbl_country as country ON country.country_iso = b.country_iso INNER JOIN tbl_region as region ON region.id=b.region WHERE b.id = ". $business_id;
    //$selectQuery = "SELECT * FROM tbl_business WHERE id=25";
    $resultSet = mysql_query($selectQuery) or die(mysql_error());
    $dataArray = array();
    if(mysql_num_rows($resultSet) > 0) {
        $row = mysql_fetch_array($resultSet);
        //print_r($row); exit;
        if($row["image"] == "") {
            $row["image"] = "images/noimage.jpg";
        }
        else {
            $row["image"] = "uploads/". $row["image"];
        }
            $dataArray = array(
                "name" => str_replace("^", "'", $row["name"]),
                "description" => str_replace("^", "'", $row["description"]),
                "address_1" => str_replace("^", "'", $row["address_1"]),
                "address_2" => str_replace("^", "'", $row["address_2"]),
                "location" => str_replace("^", "'", $row["location"]),
                "ph_office" => str_replace("^", "'", $row["ph_office"]),
                "ph_cell" => str_replace("^", "'", $row["ph_cell"]),
                "fax" => str_replace("^", "'", $row["fax"]),
                "email" => str_replace("^", "'", $row["email"]),
                "website" => str_replace("^", "'", $row["website"]),
                "image" => $row["image"],
                "contact_person" => str_replace("^", "'", $row["contact_person"]),
                "city" => $row["city"],
                "category" => $row["category"],
                "country_name" => $row["country_name"],
                "multiple_images" => array($row["image_1"], $row["image_2"], $row["image_3"]),
                "reviews" => $this->getAllReviews($business_id),
                "region_name" => $row["region_name"]
            );
    }
    return $dataArray;
}

And here is the PHP:

$b_id = $_REQUEST["b_id"];
if($b_id == "") {
    header("Location:../index.php");
    exit; // stop here so the rest of the page does not run after the redirect
}
$dal = new DataAccess();
$detailsArray = $dal->getBusiness($b_id);

//print_r($detailsArray["multiple_images"]); exit;
$address = "";
if($detailsArray["address_1"] != "") {
    $address .= $detailsArray["address_1"] . ", ";
}

if($detailsArray["address_2"] != "") {
    $address .= $detailsArray["address_2"] . ", ";
}
$address .= $detailsArray["city"] . ", " . $detailsArray["region_name"] . ", " . $detailsArray["country_name"];
//echo $address;
?>

Regards:

Muhammad

2 Answers


If your rewrite rule

RewriteRule ^b_id-([a-zA-Z0-9_-]+)-([0-9]+).html$ contents/details.php?b_id=$2

is right, then you should first echo $business["name"] var and then $business["id"]:

<a href="contents/details.html?b_id=<?php echo $business["name"]; ?>-<?php echo $business["id"]; ?>.html" ...

Or change your rewrite rule to:

RewriteRule ^b_id-([0-9]+)-([a-zA-Z0-9_-]+).html$ contents/details.php?b_id=$1
u_mulder

You have several errors: First of all, the link you have is not matched by your rewrite rule, because it links to

contents/details.html?b_id=<?php echo $business["id"]; ?>-<?php echo $business["name"]; ?>.html

Even if you would correct that to the following, your rule will fail because your title contains spaces.

/b_id-<?php echo $business["name"]; ?>-<?php echo $business["id"]; ?>.html

I recommend translating $business["name"] to a seo-title (e.g. all lowercase, replace all non-alphanumeric characters with - and all multiple instances of - with a single -). Your rule should then work just fine.

$title = 'A Purple PolarBear\'s Meal';
$seo_title = preg_replace( '/[^a-z0-9]+/', '-', strtolower( $title ) );
echo $seo_title; //penguin; I mean: a-purple-polarbear-s-meal

The error you get is related to SQL (obviously). I suspect you do not sanitize your data enough, resulting in an invalid query. The same thing can be abused by an attacker to expose confidential data (such as passwords) via mysql injection or gain control over your site. See this question for more information on that and how to prevent that.

Sumurai8
  • added the following but still the sql error: .html" style="text-decoration:none; color:#000;">

    – Muhammad Feb 02 '14 at 08:45
  • Of course it still gives a mysql error. You did add some information since my answer and your sql statement is indeed vulnerable to mysql injection. Click the final link in my answer. – Sumurai8 Feb 02 '14 at 08:51
  • Dear Sumurai8, you are right, but here the problem is with the URL rewrite, not with SQL injection. I am new to web development, so I couldn't understand what is in the link. How do I correct this URL rewrite? – Muhammad Feb 02 '14 at 09:03
  • No, the rewrite won't cause a sql error, ever. An error in your code can cause that - or in this case expecting the input to be sane. Do `echo $selectQuery;` and copy/paste the resulting string into an interactive mysql console. That way you find out what exactly might be wrong with your query. `$business_id` seems to contain data you are not expecting. – Sumurai8 Feb 02 '14 at 09:18
  • Now this is the URL: http://localhost/sbd/contents/details.html?b_id=testing-my-own-business-12 Here is the error: Unknown column 'testing' in 'where clause' – Muhammad Feb 02 '14 at 09:26
  • How can I echo $selectQuery;? And can I use phpMyAdmin to test the query? – Muhammad Feb 02 '14 at 09:29
  • Yes you can use phpmyadmin if needed. You know how to use `echo`. It simply allows you to print the query as it is sent to the database, to your screen. This in turn allows you to copy that... The error `Unknown column 'testing' in 'where clause'` means that it found the combination of characters `testing` in a context where it expected a column name. This context is the 'where clause' of the query and there is no such column as `testing` in your database. I leave you to it to determine *why* this is. (hint: [I said you should read this](http://stackoverflow.com/q/60174/2209007)) – Sumurai8 Feb 02 '14 at 11:13
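
An added example, not code from the question or from either answer: it builds a link in the shape the RewriteRule expects, takes `$2` as the rule would, and shows the two `b_id` values seen in this thread being rejected by an integer check instead of reaching the SQL string. Assumptions: PDO with an in-memory SQLite table stands in for the MySQL database, and the function names `seoTitle`, `businessLink`, `parseBusinessId` and `getBusinessName` are hypothetical.

```php
<?php
// Added example; the table row below is constructed sample data.

// Slug form the answer recommends: lowercase, non-alphanumerics collapsed to "-".
function seoTitle(string $name): string {
    return trim(preg_replace('/[^a-z0-9]+/', '-', strtolower($name)), '-');
}

// Link shaped for the RewriteRule on the page: b_id-<slug>-<id>.html
function businessLink(array $business): string {
    return 'b_id-' . seoTitle($business['name']) . '-' . (int) $business['id'] . '.html';
}

// Accept b_id only when it is a plain positive integer; otherwise return null.
function parseBusinessId($raw): ?int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Bound parameter instead of concatenating the id into the SQL string.
function getBusinessName(PDO $db, int $id): ?string {
    $stmt = $db->prepare('SELECT name FROM tbl_business WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// Assumption: in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_business (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO tbl_business (id, name) VALUES (12, 'Testing my own business')");

$link = businessLink(['id' => 12, 'name' => 'Testing my own business']);
echo $link, "\n";

// Same pattern as the RewriteRule; $m[2] is what details.php receives as b_id.
preg_match('/^b_id-([a-zA-Z0-9_-]+)-([0-9]+).html$/', $link, $m);

// The rewritten id, then the two b_id values from the question and comments.
$inputs = [$m[2], '12-Testing my own business.html', 'testing-my-own-business-12'];
foreach ($inputs as $raw) {
    $id = parseBusinessId($raw);
    $result = $id === null ? 'rejected' : (getBusinessName($db, $id) ?? 'not found');
    printf("%-32s => %s\n", $raw, $result);
}
```

Only the first input resolves to a row; the other two fail the integer check, so text from the query string never becomes part of the WHERE clause.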