
Hi guys, I am new to PHP. I just started learning it. I am making a simple e-commerce website using the XAMPP local server and I am facing this problem when I use the GET method for retrieving a specific id of a row:

    if (isset($_GET['id'])) {
        // mysqli_real_escape_string() requires the connection as its first argument
        $id = mysqli_real_escape_string($conn, $_GET['id']);
        $sql = "SELECT * FROM items WHERE id= '$id'";
        $run = mysqli_query($conn, $sql) or die('error');
        while ($row = mysqli_fetch_array($run, MYSQLI_ASSOC)) {
            $discounted_price = $row['item_price'] - $row['item_discount'];

            echo "
                <div class='col-md-6'>
                <h3 class='pp-title'>$row[item_title]</h3>
                <img src='$row[item_image]' class='img-responsive' >
                <div class='bottom'>

                <div class='pull-right cutted-price text-muted'><del>$ $row[item_price]</del></div>
                <div class='clearfix'></div>
                <div class='pull-right disscounted-price'>$$discounted_price</div>
                </div>
                <h4 class='pp-dsc-title'>Description</h4>
                <div class='pp-dsc-detail'>$row[item_description]</div>
                </div>

            ";
        }
    } else {
        echo "The request is not working";
    }

The URL I am trying to access this on is below:

http://localhost/ec/items.php?item_title%20=%20Beautiful-brown-Watch&id%20=%201

I am getting the else output "The request is not working". If I remove the if statement from above and simply write id = '1' or '2' in the query, the data appear on the web page, but when I do it for a specific id it doesn't work. I use mysqli_real_escape_string to get rid of SQL injection; if that is not the proper way to get rid of SQL injection then guide me.

Peter Featherstone
johncasio

2 Answers

1

You are checking for the $_GET variable id, yet you are passing in the parameter item_id according to your link.

In addition to this you also have extra spaces in your query string parameters which is causing the strange %20 you are seeing in your URL, so please strip these out.

To get this working, you either need to change your URL to:

http://localhost/ec/items.php?item_title=Beautiful-brown-Watch&id=1 

Or update your code to:

    if (isset($_GET['item_id'])) {
        // the connection must be passed as the first argument
        $id = mysqli_real_escape_string($conn, $_GET['item_id']);

You also need to check out parameterized queries, as mysqli_real_escape_string() is not the way to keep yourself safe.

A great post on this can be found here: How can I prevent SQL injection in PHP?

Peter Featherstone
1

Your code expects a parameter called id while you pass one called item_id. Change your URL to

http://localhost/ec/items.php?item_title=Beautiful-brown-Watch&id=1

And it should work.

Also note that when creating a URL you should not include any spaces.

litelite
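Both answers above fix the URL and the first one points at prepared statements without showing one. The following items.php is an added example, not code from the question or from either answer: it validates the id, queries with a bound parameter instead of mysqli_real_escape_string(), and escapes every value before it reaches the HTML. It assumes the XAMPP default connection (root, empty password, a database called ec), a $conn variable as in the question, and the column names the question uses (item_title, item_image, item_price, item_discount, item_description). The comment about spaces reflects documented PHP behaviour: spaces and dots in query-string parameter names are rewritten to underscores, so the original URL populates $_GET['id_'] rather than $_GET['id'].

```php
<?php
// Added example (not from the question or either answer): items.php that
// validates the id, uses a prepared statement and escapes output.
// Connection details, $conn and the column names are assumptions that
// match the question.

declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors
$conn = new mysqli('localhost', 'root', '', 'ec');          // assumed XAMPP defaults

// PHP rewrites spaces and dots in query-string names to underscores, so a
// request like items.php?id%20=%201 fills $_GET['id_'], not $_GET['id'].
// The URL must be items.php?id=1 for this lookup to succeed.
// FILTER_VALIDATE_INT returns null when the parameter is absent and false
// when it is not a positive integer; both are rejected.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    echo 'The request is not working';
    exit;
}

// Prepared statement: the id is sent to MySQL as a bound integer, so it is
// never parsed as SQL, whatever the user put in the URL.
$stmt = $conn->prepare(
    'SELECT item_title, item_image, item_price, item_discount, item_description
       FROM items WHERE id = ?'
);
$stmt->bind_param('i', $id);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc(); // null when no row matches
$stmt->close();

if ($row === null) {
    http_response_code(404);
    echo 'Item not found';
    exit;
}

// Escape every database value before placing it in HTML. Product data is
// entered through some admin form or import, so treating it as trusted
// would turn a bad title or description into stored XSS for every visitor.
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$discountedPrice = $row['item_price'] - $row['item_discount'];
?>
<div class="col-md-6">
  <h3 class="pp-title"><?= h($row['item_title']) ?></h3>
  <img src="<?= h($row['item_image']) ?>" class="img-responsive">
  <div class="bottom">
    <div class="pull-right cutted-price text-muted"><del>$<?= h($row['item_price']) ?></del></div>
    <div class="clearfix"></div>
    <div class="pull-right disscounted-price">$<?= h($discountedPrice) ?></div>
  </div>
  <h4 class="pp-dsc-title">Description</h4>
  <div class="pp-dsc-detail"><?= h($row['item_description']) ?></div>
</div>
```

Request it as http://localhost/ec/items.php?id=1. A value such as id=1'%20OR%20'1'='1 is rejected by the integer filter before any query runs, and even a value that passed the filter could only ever be bound as a number, which is the property that escaping into a string literal cannot give you. The item_title parameter in the original URL is not needed for the lookup and is simply ignored here.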