0

How can I make an example: post.php, where when somebody goes to post.php it shows all posts, and when somebody clicks on one post the URL shows post.php?id=1 (id=1 being the id in the database), and when they type post.php?id=2 it goes to id 2 in the database and shows all the data from the row of the table with id 2?

rood
  • 15
  • 4

1 Answer

0

Use the $_GET method to pass the URL. At the top of the PHP file you can access the information passed in the URL using the global $_GET['id']. You can check if it is set and, depending on whether or not it is, show information regarding that id from the database.

It might look something like this:

// $connection is assumed to be an open mysqli connection created earlier in the file.
if (isset($_GET["id"])) {
    $id = $_GET["id"];
    // NOTE: $id is interpolated straight into the SQL; as the comments below say,
    // escaping / prepared statements are deliberately left out here for brevity.
    $query  = "SELECT * FROM posts WHERE id = {$id} LIMIT 1;";
    $result = mysqli_query($connection, $query);

    // Fetch the matching row (at most one because of LIMIT 1) and print its columns.
    while ($row = mysqli_fetch_assoc($result)) {
        echo $row["id"];
        echo $row["name"];
        echo $row["someOtherAttribute"];
    }
}

Make sure you have your connection and your database set up and whatnot, but that's how you would accomplish this.

Ian
  • 12,538
  • 5
  • 43
  • 62
  • Thanks, but it's now vulnerable to XSS; how do I secure it? – rood Aug 21 '14 at 18:13
  • Check out this [page](http://stackoverflow.com/questions/71328/what-are-the-best-practices-for-avoiding-xss-attacks-in-a-php-site). Incorporate these practices with the above code and you should be alright. For the purpose of simplicity, I left out some XSS and sql injection prevention techniques. – Ian Aug 21 '14 at 18:18
  • Nothing, `$query = "SELECT * FROM projects WHERE id =".mysql_real_escape_string($id)." LIMIT 1";` When I type "project.php?id=" it gives me an error: `Warning: mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, boolean given in C:\xampp\htdocs\WEB\project.php on line 10`, and also when I add " ' " to the URL, and it's vulnerable – rood Aug 21 '14 at 18:31
  • Try using `mysqli_real_escape_string`. Docs found [here](http://www.w3schools.com/php/func_mysqli_real_escape_string.asp). And maybe separate it so the line `$id = $_GET["id"];` is `$id = mysqli_real_escape_string($_GET['id']);` and then using the {$id} syntax – Ian Aug 21 '14 at 18:36
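A hardened version of post.php, added here as an example; it is not the answer's code and not from the comment thread. It assumes a `posts` table with columns `id`, `title` and `body`, the local connection details shown, and PHP's mysqlnd driver (needed for `get_result()`). It lists all posts when no id is given and shows one post when `?id=N` is a positive integer, using a prepared statement for the lookup and HTML-escaping everything it prints.

```php
<?php
// post.php: list all posts, or show one post selected by ?id=N.
// Added example, not the answer's code. Assumes a table `posts`
// (id INT PRIMARY KEY, title VARCHAR, body TEXT) and local credentials.
declare(strict_types=1);

// Make mysqli throw on errors instead of returning false, so a bad query
// can never reach mysqli_fetch_assoc() as a boolean.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'mydb'); // assumed credentials
$db->set_charset('utf8mb4');

// Escape for an HTML context so stored post data cannot inject markup (XSS).
function h(?string $s): string
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Validate the id as a positive integer. Anything else ("", "1'", "abc")
// yields false (invalid) or null (absent) and falls through to the listing.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);

if ($id === null || $id === false) {
    // No valid id: list every post, each linking to its own page.
    $result = $db->query('SELECT id, title FROM posts ORDER BY id');
    echo '<ul>';
    foreach ($result as $row) {
        printf('<li><a href="post.php?id=%d">%s</a></li>', $row['id'], h($row['title']));
    }
    echo '</ul>';
    exit;
}

// Prepared statement: the id travels as a bound integer parameter and is
// never concatenated into the SQL text, so no quoting or escaping is needed.
$stmt = $db->prepare('SELECT id, title, body FROM posts WHERE id = ? LIMIT 1');
$stmt->bind_param('i', $id);
$stmt->execute();
$post = $stmt->get_result()->fetch_assoc();

if ($post === null) {
    http_response_code(404);
    echo '<p>No such post.</p>';
    exit;
}

printf('<h1>%s</h1>', h($post['title']));
printf('<div>%s</div>', nl2br(h($post['body'])));
```

Two points this illustrates about the comment thread above. First, `mysql_real_escape_string()` only escapes quote characters; in `WHERE id = $id` the value is not inside quotes, so an input such as `1 OR 1=1` passes through untouched, and a bare `?id=` produces `WHERE id =  LIMIT 1`, a syntax error that makes `mysqli_query()` return `false` and triggers the "boolean given" warning. Validating the id as an integer and binding it as a parameter removes both problems. Second, escaping for SQL does nothing for XSS; output must be escaped separately for the context it is printed into, which is what `h()` does for HTML.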