
Passing a query string in PHP: when the id is a number it is working fine, but when it is a character string it is showing "no id found", whereas it is working fine in the MySQL server. Kindly check the following code.

Passing

<a class="btn btn-danger navbar-left" target="_blank" style="width:100%" rel="nofollow, noindex" href="Deals.php?id=<?php echo $row['productId'];?>">View Offer</a>

getting

<?php
include 'Connection.php';   // opens the mysql_* connection
$id = $_GET["id"];          // id taken from the query string as-is
echo "id is".$id;           // echoed back without escaping

// $id is interpolated directly into the SQL string
$query=mysql_query("select * from sdMobiles where productId='$id'") or die ("could not find ");
?>

and here is the page

with char http://sabkideal.com/Deals.php?id=MOBDXVTYVN6WCHNZ

with number id http://sabkideal.com/Deals.php?id=645588442716

[screenshot]

Indian Thinking
  • Your code is vulnerable to [**SQL injection attacks**](https://en.wikipedia.org/wiki/SQL_injection). You should use [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky Apr 14 '17 at 17:17
  • Stop using the `mysql_*` functions. They have been deprecated since v5.5 (Jun 2013) and removed since v7.0 (Dec 2015). Instead use the [**mysqli_***](https://secure.php.net/manual/en/book.mysqli.php) or [**PDO**](https://secure.php.net/manual/en/book.pdo.php) functions with [**prepared statements**](https://secure.php.net/manual/en/pdo.prepare.php) and [**bound parameters**](https://secure.php.net/manual/en/pdostatement.bindparam.php). – Alex Howansky Apr 14 '17 at 17:17
  • sql injection aside remember to use 'urlencode' and 'urldecode' if the data is capable of having a string of characters. – danielson317 Apr 14 '17 at 17:21
  • @danielson317 How do I use this urlencode? – Indian Thinking Apr 14 '17 at 17:28
  • `` Then on the other side: `$id = urldecode($_GET['id']);` – danielson317 Apr 14 '17 at 17:29
  • I just put it in, but it is still not fetching the result. – Indian Thinking Apr 14 '17 at 17:33
  • What is the actual `productId` value in the database? Guessing case sensitivity, encoding related or there is no record with the specified productid. eg: `SELECT productId FROM sdMobiles` – Will B. Apr 14 '17 at 17:40
  • Check the image. – Indian Thinking Apr 14 '17 at 17:48
  • Remove `or die` from mysql_query and change to `if (!$query = mysql_query(...)) { echo mysql_error(); exit; }` and update your question with what it displays. – Will B. Apr 14 '17 at 17:56
  • It's done, thanks to all the guys. – Indian Thinking Apr 14 '17 at 18:03
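As an added example (not the poster's code and not posted in the thread), here is the same Deals.php written the way the comments above recommend: PDO prepared statements with a bound parameter instead of string interpolation into `mysql_query`, `urlencode()` on the link side, real error reporting instead of `or die`, and escaping before the id is echoed back. The DSN, database name, credentials, and the 64-character length limit are assumptions; the table and column names are the ones from the question. It needs PHP 7.1 or later.

```php
<?php
// Added example: hardened Deals.php using PDO prepared statements.
// Host, database, credentials and the id length limit are assumptions.
declare(strict_types=1);

// --- link side (where the product list is rendered) ---
// urlencode() so characters such as '+', '&' or '#' in an id survive the URL.
function offerLink(string $productId): string
{
    return 'Deals.php?id=' . urlencode($productId);
}

// --- receiving side (Deals.php) ---
function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=sabkideal;charset=utf8mb4'; // assumption
    return new PDO($dsn, 'dbuser', 'dbpass', [                      // assumption
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
        PDO::ATTR_EMULATE_PREPARES   => false,                  // server-side prepare, real parameter binding
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function findProduct(PDO $pdo, string $id): ?array
{
    // The bound value is sent separately from the SQL text, so it can never
    // become SQL syntax: an input like  ' OR '1'='1  is compared literally
    // against productId and simply matches nothing.
    $stmt = $pdo->prepare('SELECT * FROM sdMobiles WHERE productId = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// PHP has already URL-decoded $_GET; calling urldecode() on it again would
// corrupt ids containing '%' or '+'.
$id = $_GET['id'] ?? '';
if ($id === '' || strlen($id) > 64) {           // length limit is an assumption
    http_response_code(400);
    exit('missing or invalid id');
}

try {
    $row = findProduct(connect(), $id);
} catch (PDOException $e) {
    error_log('Deals.php: ' . $e->getMessage()); // log the real error, don't show it to users
    http_response_code(500);
    exit('database error');
}

if ($row === null) {
    http_response_code(404);
    exit('no id found: ' . htmlspecialchars($id, ENT_QUOTES, 'UTF-8'));
}

// Escape before echoing: the original echoed $_GET['id'] straight into the page.
echo 'id is ' . htmlspecialchars((string) $row['productId'], ENT_QUOTES, 'UTF-8');
```

With `PDO::ERRMODE_EXCEPTION` set, a failing query raises a `PDOException` carrying the MySQL error text, which is the information the `mysql_error()` suggestion above was trying to surface; logging it rather than echoing it keeps schema details out of the response.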

0 Answers