
I am trying to get a URL parameter into a SQL query, but nothing happens.

Here is my URL:

http://localhost/webshop/imagegallery.php?categori=necklace

Here is my SQL query:

$sql = 'SELECT count(productid) FROM products where productcategori=".$_GET["categori"]"';

What am I doing wrong?

Have a look at this query, too:

  $sql = 'select * from products join ids on products.productid=ids.productid join photos on photos.photosid=ids.photoid where products.productcategori='".$_GET["kategori"]."' && ids.photonumber=1 ORDER BY products.productid  DESC $limit';
Hexaholic
Danny

1 Answer

First of all, your quotation marks seem to be the problem. Try changing your query line to this:

$sql = "SELECT count(productid) FROM products where productcategori='".$_GET["categori"]."'";

Further, you should never insert variables into a SQL query like this. Never. The reason is that, like this, your system is vulnerable to SQL injection.

Instead, consider using PDO. This SO question has a nice answer on how to do it correctly.

Using that answer, this is some example code regarding the last part of your question. Note that I replaced all variables in your query string with PDO placeholders.

<?php
$pdo = new PDO('mysql:dbname=mydatabase;host=127.0.0.1;charset=utf8', 'username', 'password');
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Pagination values; these were left undefined in the original snippet.
$page_rows = 10;
$pagenum = isset($_GET['page']) ? max(1, (int) $_GET['page']) : 1;
$categori = isset($_GET['categori']) ? $_GET['categori'] : '';

$sql = "SELECT * FROM products JOIN ids ON products.productid=ids.productid JOIN photos ON photos.photosid=ids.photoid WHERE products.productcategori=:categori && ids.photonumber=1 ORDER BY products.productid DESC LIMIT :limit_min , :limit_max";
$stmt = $pdo->prepare($sql);
// bindValue instead of bindParam: bindParam takes its argument by reference,
// so passing an expression such as ($pagenum - 1) * $page_rows is a fatal error.
$stmt->bindValue(':categori', $categori, PDO::PARAM_STR);
$stmt->bindValue(':limit_min', ($pagenum - 1) * $page_rows, PDO::PARAM_INT); // offset
$stmt->bindValue(':limit_max', $page_rows, PDO::PARAM_INT);                  // row count
$stmt->execute();

foreach ($stmt as $row) {
    // do something with $row
}
?>
Hexaholic
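The following is an added example, not code from the question or the answer above. It puts the string-concatenated query from the question (with the quoting fixed) next to the PDO prepared-statement form from the answer and runs both against an in-memory SQLite database, so it needs only the pdo_sqlite extension and no MySQL server. The products table, its rows, and the category values are constructed here for the demonstration; the real page reads the category from $_GET['categori'].

```php
<?php
// Added example: concatenated query vs. PDO prepared statement.
// The schema and data below are constructed for this demo and are not from the page.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (productid INTEGER PRIMARY KEY, productcategori TEXT NOT NULL)');
$pdo->exec("INSERT INTO products (productcategori) VALUES ('necklace'), ('necklace'), ('men''s')");

// The concatenated form from the question, with the quotes corrected as in the answer.
// Any quote character inside $categori becomes part of the SQL text itself.
function countConcatenated(PDO $pdo, string $categori): int
{
    $sql = "SELECT count(productid) FROM products WHERE productcategori='" . $categori . "'";
    return (int) $pdo->query($sql)->fetchColumn();
}

// The prepared-statement form: the value travels separately from the SQL text,
// so it is always treated as data, never as part of the query.
function countPrepared(PDO $pdo, string $categori): int
{
    $stmt = $pdo->prepare('SELECT count(productid) FROM products WHERE productcategori = :categori');
    $stmt->bindValue(':categori', $categori, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// Paged listing with bound LIMIT values, the pattern the answer uses for its last query.
// bindValue with PDO::PARAM_INT is required here; a quoted string would not be valid in LIMIT.
function pagedProductIds(PDO $pdo, string $categori, int $pagenum, int $pageRows): array
{
    $stmt = $pdo->prepare('SELECT productid FROM products WHERE productcategori = :categori
                           ORDER BY productid DESC LIMIT :limit_min, :limit_max');
    $stmt->bindValue(':categori', $categori, PDO::PARAM_STR);
    $stmt->bindValue(':limit_min', ($pagenum - 1) * $pageRows, PDO::PARAM_INT); // offset
    $stmt->bindValue(':limit_max', $pageRows, PDO::PARAM_INT);                  // row count
    $stmt->execute();
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

// Plain input: both forms agree.
printf("necklace: concatenated=%d prepared=%d\n",
    countConcatenated($pdo, 'necklace'), countPrepared($pdo, 'necklace'));

// Input containing a quote, which is a perfectly legitimate category name:
// the concatenated query is no longer valid SQL, while the prepared one just works.
$withQuote = "men's";
try {
    printf("%s: concatenated=%d\n", $withQuote, countConcatenated($pdo, $withQuote));
} catch (PDOException $e) {
    printf("%s: concatenated query failed: %s\n", $withQuote, $e->getMessage());
}
printf("%s: prepared=%d\n", $withQuote, countPrepared($pdo, $withQuote));

// Page 1 of the necklace listing, one row per page, then page 2.
printf("page 1: %s\n", implode(',', pagedProductIds($pdo, 'necklace', 1, 1)));
printf("page 2: %s\n", implode(',', pagedProductIds($pdo, 'necklace', 2, 1)));
```

The failure on a category such as "men's" is the same mechanism that makes the concatenated query injectable: whatever the parameter contains is parsed as SQL. The prepared statement never lets the value reach the parser, which is why the answer recommends placeholders for every variable, including the LIMIT values.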