-2

I'm trying to learn PHP and I've started with a simple CRUD project. I've basically downloaded some source code and I'm just trying to work through it. When I got to the delete part of the CRUD project I came across this code:

include 'connect.php';
$id = $_GET['id']; // What does this line do?
$table = 'book';
$query = "DELETE FROM $table WHERE id_book=$id";
$result = mysqli_query($connect, $query) or die(mysqli_error($connect));
header('location: index.php');

I'm really confused by this line:

$id = $_GET['id'];

When I did some searching on Google the only thing I found was a short description from some similar code that said 'getting id from URL'. This made no sense to me. What does this line actually do and what gets stored in the $id variable?

Peter Mortensen
yay123
  • Ever seen a URL that looks like this `http://www.example.com/index.php?id=123`? – frz3993 Dec 16 '15 at 19:48
  • 1
    In this case, it makes your code SQL injectable. It reads `42` from a URL like this: `file.php?id=42`. However, no validation is performed, so someone could inject anything. – Alexander O'Mara Dec 16 '15 at 19:48
  • Saw a similar question like this just yesterday. Too bad you guys weren't neighbours. – Funk Forty Niner Dec 16 '15 at 19:49
  • Look into prepared statements; http://php.net/manual/en/mysqli.quickstart.prepared-statements.php. Although not related to your question this code can very easily get all of your books deleted. – chris85 Dec 16 '15 at 19:51
  • Yeah, I'm just trying to understand how everything simply works before worrying about security. I understand the importance, however this project will do nothing but be on my computer. – yay123 Dec 16 '15 at 19:54
  • Can someone please explain to me why my question has been negatively marked? I'd like to know for future reference why it's a bad question. Could the person who marked it down please explain? – yay123 Dec 16 '15 at 20:03

3 Answers

2

$_GET['id'] is referring to a URL parameter. Here is an example:

http://www.yourdomain.com?id=1&name=Taylor&city=London

Given the URL above, you can get the values of the URL parameters id, name and city with $_GET['id'], $_GET['name'] and $_GET['city'].

Furthermore, as said in the comments, your line $query = "DELETE FROM $table WHERE id_book=$id"; is not secure. Have a look at prepared statements.

Peter Mortensen
Koga
  • Yeah, it's weird because in the source code I have the form is sent with POST, so I thought that meant nothing would go in the URL, so the line made no sense to me. – yay123 Dec 16 '15 at 19:57
  • But if the form action is `action='file.php?id=11'` then it makes sense to use both. –  Dec 16 '15 at 19:59
  • A POST form request also can contain GET parameters. Basically GET parameters are all parameters in your URL. – Koga Dec 16 '15 at 20:00
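The following is an added example (not code from the question or the answer above) that shows how the query string in the URL ends up in $_GET, why every value arrives as a string, and how the same DELETE can be written with a mysqli prepared statement so the id bound from the URL can never change the SQL text. It assumes the question's own connect.php providing $connect and a `book` table with an integer column `id_book`.

```php
<?php
// Added example; assumes connect.php defines $connect (as in the question).
include 'connect.php';

// PHP fills $_GET by splitting the query string exactly the way parse_str() does.
// A constructed query string, for illustration only:
parse_str('id=42&name=Taylor&city=London', $params);
// $params === ['id' => '42', 'name' => 'Taylor', 'city' => 'London']
// Note that '42' is a string, not an integer: everything in a URL is text.

// A POST form whose action is "delete.php?id=11" sends the form fields in $_POST
// and still puts id=11 into $_GET, because $_GET only ever reflects the URL.

// Reading a key that is not in the URL raises a warning, so check it first.
if (!isset($_GET['id'])) {
    http_response_code(400);
    exit('Missing id');
}
$id = $_GET['id'];

// Prepared statement: the SQL text and the value travel separately, so the value
// is only ever treated as data for the "?" placeholder, never as part of the query.
$stmt = mysqli_prepare($connect, 'DELETE FROM book WHERE id_book = ?')
    or die(mysqli_error($connect));
mysqli_stmt_bind_param($stmt, 'i', $id);   // 'i' binds the value as an integer
mysqli_stmt_execute($stmt) or die(mysqli_stmt_error($stmt));
$deleted = mysqli_stmt_affected_rows($stmt); // 0 means no book had that id
mysqli_stmt_close($stmt);

header('Location: index.php');
```

With the original string interpolation, a URL such as `delete.php?id=1 OR 1=1` would become part of the query text; with the bound parameter it is simply not a valid integer and no row matches.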
0

If you have a URL with http://www.yourdomain.com?id=1,

$id = $_GET['id'];

The ID is $_GET['id'].

Look at $_GET.

But it's not the best way... Look at filter_input.

Your code requires validation for $id (look at Validate filters).

And for the database, use PDO instead (The PDO class).

Peter Mortensen
Imaginaerum
  • They're looking for an explanation here. – Funk Forty Niner Dec 16 '15 at 19:50
  • 3
    `$HTTP_GET_VARS [deprecated]` not $_GET, as per your own link http://php.net/manual/en/reserved.variables.get.php. Did you not read this yourself? If $_GET ever were deprecated, there'd be some pretty angry coders out there, including myself. – Funk Forty Niner Dec 16 '15 at 19:54
  • 1
    Then please edit your answer; it's incorrect and deceiving/misleading for the OP and future readers of your answer. Edit: thank you. – Funk Forty Niner Dec 16 '15 at 19:57
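As an added example of the filter_input and PDO approach this answer points to (it is not the answer's own code), the delete script below validates the id as a positive integer before touching the database and then uses a PDO prepared statement. The DSN, user name and password are placeholders; it assumes a MySQL table `book` with an integer column `id_book`.

```php
<?php
// Added example. Assumed: a MySQL database with table `book` (integer `id_book`).

// What FILTER_VALIDATE_INT does, on constructed sample values:
//   filter_var('42', FILTER_VALIDATE_INT)        -> int(42)
//   filter_var('1 OR 1=1', FILTER_VALIDATE_INT)  -> false
//   filter_var('', FILTER_VALIDATE_INT)          -> false

// filter_input() reads and validates $_GET['id'] in one step. It returns:
//   the integer      when 'id' is a valid integer in the allowed range,
//   false            when 'id' is present but not a valid integer,
//   null             when 'id' is absent from the URL.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Invalid or missing id');
}

// Placeholders: replace with your own DSN and credentials.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'USER_PLACEHOLDER',
    'PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // errors become exceptions
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]
);

// Named placeholder; the id is bound as an integer and never spliced into the SQL.
$stmt = $pdo->prepare('DELETE FROM book WHERE id_book = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();

// rowCount() is 0 when no book had that id, which is the "not found" case.
$deleted = $stmt->rowCount();

header('Location: index.php');
```

Validating first means a malformed id is rejected with a 400 before any query runs; the prepared statement is what protects the query itself, so both belong in the script.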
0

You have two basic calls you'd make from your browser to this PHP script. You'd either use "GET" or "POST". $_GET has the variables passed in to your PHP script as a key-value pair. For example, if you executed a GET request like this: http://yoururl?usermail=abc@gmail.com&id=1275, then $_GET would have two keys: usermail and id. $_GET["id"] would have a value of 1275 - and in your PHP script, this would be inserted into the SQL statement.

Peter Mortensen
Bob Dill