RSS with php and variables in query

Question

I'm trying to build a simple RSS feed for multiple users but i am facing problems with mysql and the feed.

Ive done a showrss.php and an RSS.php I have followed a tutorial on this, and it works as should out of the box. But, im trying to build it, using var's on the mysql query populating the RSS.

so the showrss.php will do this :

require_once "XML/RSS.php";
$rss =& new XML_RSS("http://domain.com/RSS.php");
$rss->parse();
foreach ($rss->getItems() as $item) {
  echo "<li><a href=\"" . $item['link'] . "\">" . $item['title'] . 
"</a></li>\n";
}

Calling up the RSS.php file. The only thing wrong with the RSS.php is the mysql query. IT simply wont work with variables in the query, and im wondering if any of you guys could point me in the right direction.

This works :

$query = "select * from article where full_name = 'myname' limit 15";

this does'nt work :

$full_navn = $_SESSION['full_name'];
$query = "select * from article where full_name = '".$full_navn."' limit 15";

However, loading the RSS.php straight in the browser with the variable does work. Any ideas on how to get my variable into rss.php when viewing it through showrss.php ?

Greatly appreciate any input.

Answer 1

Pass your variable via $_GET to the RSS feed and avoid any possible missing session variable.

Your showrss.php file would be something like this for a user with the name of flamingcarrot:

$rss =& new XML_RSS("http://domain.com/RSS.php?fullname=flamingcarrot");

Then your RSS.php file would be something along the lines of:

$full_navn = $_GET['full_name'];
$query = "select * from article where full_name = '".$full_navn."' limit 15";

If you haven't already, and since it's going to be fiddadling with your SQL statements, bone up some on avoiding some SQL injection attacks with how to properly clean up that SQL query before you actually run it.