0

I am setting up a webpage for a student organization with bios for the officers along with pictures and whatnot.

The first page is simply HTML and CSS. It has a picture, a name under it, and a link to the full bio, which links to "bio.php?id=" followed by the id in my SQL database for that person.

Now I am trying to make the PHP page to allow a simple template PHP page using the user's id. Unfortunately, when I do everything that I think is right, I get an odd error.

Here is my code:

<html>
<body>
<?php

//connection to database 
//specify database 

 $id= $_GET['id'];

 $sql = " SELECT * FROM Members_table WHERE Id='$id' ";
 $result = mysql_query($sql) or print ("Can't select entry from table bloghomepage.<br />" . $sql . "<br />" . mysql_error());

 WHILE($row = mysql_fetch_array($result)) {
    $name = $row['Name'];
    $position = $row['Position'];
    $major = $row['Major'];
    $hometown = $row['Hometown'];
    $awards = $row['Awards'];
    $bio = $row['Description'];
    $act = $row['Activities'];
    $pic = $row['Picture'];
    $misc = $row['other'];


   ?>
   <h1><?php print $name; ?></h1>
   <p><?php print '<img src="' . $pic . '">'; ?></p>
   <?php } ?>
</body>
</html>

This is what I see on my webpage:

" . $sql . " " . mysql_error()); WHILE($row = mysql_fetch_array($result)) { $name = $row['Name']; $page_id= $id; $position = $row['Position']; $major = $row['Major']; $hometown = $row['Hometown']; $awards = $row['Awards']; $bio = $row['Description']; $act = $row['Activities']; $pic = $row['Picture']; $misc = $row['other']; ?>

And that's all. Any ideas what I am doing wrong?

begna112
  • You should read about [SQL injections](http://www.owasp.org/index.php/SQL_Injection) and why [error messages can disclose sensitive information](http://www.owasp.org/index.php/Information_Leakage). – Gumbo Apr 03 '11 at 16:33
  • As @Gumbo states, you need to brush up on SQL injection issues. See the existing [Best way to stop SQL Injection in PHP](http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php) question/answers for more info. – John Parker Apr 03 '11 at 16:38

3 Answers

1

You just don't have PHP enabled on your host.

Hint: always look at the page source, not the picture rendered by the browser. The HTML code is the result of your PHP script, so you have to check the HTML code, not the picture rendered from it.

Your Common Sense
  • Well, I am running the file locally (though I have tried uploading it too). So I need to find somewhere that allows me to allow PHP for that database or in general? Other PHP pages are working in the same site.... – begna112 Apr 05 '11 at 08:30
  • @Colby just something that allows you to run PHP files in general. A web server with a PHP interpreter installed. – Your Common Sense Apr 05 '11 at 10:13
1

The PHP isn't being parsed, presumably because the necessary module/content handler isn't set up within your web server.

John Parker
0

It's not directly related to the topic, but you might want to cast the value of the GET parameter as an integer before reusing it in a query to prevent basic SQL injection:

$id = intval( $_GET['id'] );
Th. Ma.
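An added example, not part of the original thread or any poster's code: the bio lookup with the points from the comments and the last answer applied (integer validation of `id`, a parameterized query, escaped output, and errors logged rather than printed with the SQL text). It assumes PDO, uses an in-memory SQLite database with one constructed row in place of the MySQL connection, and the function names `open_demo_db`, `find_member` and `render_bio` are hypothetical.

```php
<?php
// Added example, not the asker's code. Assumptions: PDO with an in-memory
// SQLite database stands in for the MySQL connection; the row is constructed.

function open_demo_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE Members_table (Id INTEGER PRIMARY KEY, Name TEXT, Picture TEXT)');
    $pdo->exec("INSERT INTO Members_table (Id, Name, Picture) VALUES (1, 'Ann <Example>', 'img/ann.jpg')");
    return $pdo;
}

// Returns the member row, or null when the id is malformed or unknown.
function find_member(PDO $pdo, $rawId): ?array {
    // Accept only a whole positive integer; anything else is rejected outright.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The value is bound as a parameter and never concatenated into the SQL text.
    $stmt = $pdo->prepare('SELECT Name, Picture FROM Members_table WHERE Id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Escapes every database value before it is placed in the HTML.
function render_bio(?array $member): string {
    if ($member === null) {
        return '<p>Member not found.</p>';
    }
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<h1>' . $e($member['Name']) . '</h1>'
         . '<p><img src="' . $e($member['Picture']) . '" alt=""></p>';
}

try {
    $pdo = open_demo_db();
    // Constructed inputs: a valid id, an unknown id, an id with trailing text, a missing id.
    foreach (['1', '2', '1 plus trailing text', null] as $input) {
        echo render_bio(find_member($pdo, $input)), "\n";
    }
} catch (PDOException $ex) {
    // Details go to the server log; the visitor sees only a generic message.
    error_log('bio lookup failed: ' . $ex->getMessage());
    http_response_code(500);
    echo '<p>Something went wrong.</p>';
}
```

Only the first input renders a bio; the other three produce the "Member not found" paragraph. `FILTER_VALIDATE_INT` rejects the id with trailing text, where `intval()` would reduce it to `1`.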