
First of all, please excuse my noobish question. I'm building a blog platform and it all goes well, but I am totally unfamiliar with the $_GET method of PHP.

What I want to do is to have something like: when one goes to http://link.dom/blog.php?postid = 1 for example, the page should SELECT * FROM blog_posts WHERE id = 1.

Please note I don't ask for any code, but about what I have to do to achieve what I want.

Thank you in advance!

Cristian D

2 Answers

3

In addition to Jay's answer:

$sql = 'SELECT * FROM blog_posts WHERE id = ' . (int)$_GET['postid']; // cast first, then concatenate

Note the (int). It casts the postid to an integer, to ensure it is not an injection.

Depending on your error level you should prepend the following:

if (!isset($_GET['postid']) || !is_numeric($_GET['postid'])) {
    die('Error!');
}
Christian Gollhardt
  • This appeals to me. I don't know enough PHP to know if it is really safe, but certainly the same concept in C# would be rock solid. –  May 19 '14 at 20:42
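As an added example (not code from the answer above or its comments), here is the validation step done with PHP's filter functions, run over a few constructed inputs to show which strings is_numeric() and a bare (int) cast accept that FILTER_VALIDATE_INT does not. The table name blog_posts is the one from the question; the function names are my own.

```php
<?php
// Added example, not code from the answers above. It validates ?postid=
// before anything touches SQL and shows why a FILTER_VALIDATE_INT check is
// stricter than is_numeric() followed by an (int) cast. Table name
// blog_posts is the one from the question; the inputs below are constructed.

declare(strict_types=1);

/**
 * Return the post id from a $_GET-shaped array, or null when the parameter
 * is absent, is not a string (?postid[]=1 arrives as an array), or is not
 * a positive integer.
 */
function postIdFromQuery(array $get): ?int
{
    if (!isset($get['postid']) || !is_string($get['postid'])) {
        return null;
    }
    $id = filter_var($get['postid'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

/** The query as the answer above builds it: cast first, then concatenate. */
function queryWithCast(string $raw): string
{
    // (int) keeps only a leading integer, so "1 OR 1=1" becomes 1 and the
    // injected text never reaches the database.
    return 'SELECT * FROM blog_posts WHERE id = ' . (int)$raw;
}

// Constructed inputs: one normal request followed by edge cases. The
// comments state what is_numeric() and (int) make of each string.
$samples = [
    '1',          // normal request
    '0',          // rejected by min_range
    '-3',         // rejected by min_range
    '007',        // leading zeros: is_numeric true, (int) gives 7
    '1.0',        // float string: is_numeric true, (int) gives 1
    '1e3',        // exponent: is_numeric true, (int) gives 1000 on PHP 7.1+
    '1 OR 1=1',   // injection attempt: is_numeric false, (int) gives 1
    'abc',        // garbage: (int) gives 0
];

foreach ($samples as $raw) {
    $id = postIdFromQuery(['postid' => $raw]);
    printf("%-12s filter=%-5s is_numeric=%-5s sql: %s\n",
        var_export($raw, true),
        $id === null ? 'null' : (string)$id,
        is_numeric($raw) ? 'true' : 'false',
        queryWithCast($raw));
}
```

Two things to take from the output: the (int) cast on its own already makes the concatenated query injection-proof, because whatever the client sends ends up as an integer literal; the validation step is what stops junk such as "abc" or "1 OR 1=1" from silently turning into a request for post 0 or post 1, so the page can answer with an error instead. Note that FILTER_VALIDATE_INT trims surrounding whitespace like is_numeric() does, so " 1" passes both.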
1

The variable value should be in $_GET['postid'] on blog.php. You should be able to use that item in the $_GET array in any way you desire. For instance, you could place it in a variable:

$postID = $_GET['postid']; // assigns the array value to a variable
Jay Blanchard
  • So if I have, for instance, more than one variable, do I just separate them with `?`? – Cristian D May 16 '14 at 17:31
  • No, they get separated with an ampersand `?foo=1&bar=2` and so on. – Jay Blanchard May 16 '14 at 17:33
  • Hah, I expected something way more complex, thank you! – Cristian D May 16 '14 at 17:33
  • Highly dangerous. You're encouraging [SQL injection attacks](http://bobby-tables.com). – Marc B May 16 '14 at 17:34
  • I'm not encouraging that @MarcB - I am just helping the OP to learn about query strings. But I'll edit and give a warning. – Jay Blanchard May 16 '14 at 17:36
  • I'm filtering the $_GET data before actually running the query. Learned the injection lesson on myself. – Cristian D May 16 '14 at 17:37
  • Prepared statements are the way to go here! :-) – gen_Eric May 16 '14 at 17:46
  • See here for how to use mysqli parameters: http://stackoverflow.com/questions/728229/parameters-in-mysqli Putting "CAUTION" after an example of what NOT TO DO really doesn't help... –  May 16 '14 at 17:47
  • @ebyrob the question is not about SQL queries - the question is about query strings. the SQL query displayed was a response to the OP's example, showing how the query string **could** be used. Would I be better off eliminating the query from the answer? – Jay Blanchard May 16 '14 at 17:51
  • @JayBlanchard Actually, if I may be so forward, yes. I think removing it is better. If you showed how to store the request variable into a PHP variable that would be a single, complete, and correct line of code. It would also fully answer the question as asked. –  May 19 '14 at 20:42
  • @ebyrob Yeah, that makes sense to me too. Changes made. – Jay Blanchard May 19 '14 at 21:18
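The prepared statement that gen_Eric's and ebyrob's comments point to, as an added example that is not part of any answer above: the lookup from the question is run once by string concatenation and once through a PDO prepared statement, against an in-memory SQLite table so it works offline. The table, its rows and the two query strings are constructed for the demo, and parse_str() stands in for PHP's own population of $_GET so the ampersand-separated form from Jay's comment is visible.

```php
<?php
// Added example, not code from the answers above. Same lookup as the
// question, once with string concatenation and once with a prepared
// statement, against a constructed in-memory SQLite table (requires the
// pdo_sqlite extension).

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE blog_posts (id INTEGER PRIMARY KEY, title TEXT, published INTEGER NOT NULL)');
$db->exec("INSERT INTO blog_posts (id, title, published) VALUES
    (1, 'Hello world', 1),
    (2, 'Unpublished draft', 0),
    (3, 'Second post', 1)");

/** The pattern the comments warn about: the raw query-string value is pasted into the SQL text. */
function fetchUnsafe(PDO $db, string $postid): array
{
    $sql = 'SELECT id, title FROM blog_posts WHERE published = 1 AND id = ' . $postid;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Prepared statement: the SQL goes to the engine with a placeholder and the
 * value is bound afterwards, so it can only ever be compared with id, never
 * parsed as SQL. What a non-numeric string compares equal to depends on the
 * engine (SQLite: no row; MySQL coerces the leading digits with a warning),
 * but the shape of the query is fixed either way.
 */
function fetchPrepared(PDO $db, string $postid): array
{
    $stmt = $db->prepare('SELECT id, title FROM blog_posts WHERE published = 1 AND id = :id');
    $stmt->bindValue(':id', $postid, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Two constructed requests. parse_str() fills $get the way PHP fills $_GET;
// parameters are separated by '&', as Jay's comment says.
$requests = [
    'postid=1&page=2',
    'postid=' . rawurlencode('1 OR 1=1'),
];
foreach ($requests as $qs) {
    parse_str($qs, $get);
    $raw = (string)$get['postid'];
    echo "query string: $qs\n";
    echo '  concatenated: ' . json_encode(fetchUnsafe($db, $raw)) . "\n";
    echo '  prepared:     ' . json_encode(fetchPrepared($db, $raw)) . "\n";
}
```

With the second request the concatenated version executes `WHERE published = 1 AND id = 1 OR 1=1`, and because AND binds tighter than OR that matches every row, unpublished draft included; the prepared version returns nothing because the bound string is compared as a value. Combine it with the integer validation from the other answer so that malformed ids are rejected with an error page instead of being coerced by the database.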