MYSQL/PHP - parsing URL

bbloqx, Junior Member, joined Apr 12, 2010
Hello All,

This is my very first post and my very first attempt at coding (as I recently took up trying to learn php/mysql).

I'm trying to create a "printer friendly version" of my dynamic web pages.

My URLs typically look like this:
Code:
http://www.domain.com/dir/?act=article&id=9

I'm trying to strip everything except for the actual id number (after the second =)

Here's my code so far:

Code:
<?php
$db_name = "database";
// mysql_* extension (PHP 5 era; removed in PHP 7)
$link = mysql_connect("localhost", "user", "passwd") or die("Could not connect to server!");
?>

<?php
$articlenum = ''; // TODO: set this to the id number after the second = in the URL
if ($articlenum != '') {
    $query = "SELECT id, title, text FROM articles WHERE (id = " . $articlenum . ") ";
    $select_db = mysql_select_db($db_name, $link);
    $results = mysql_query($query, $link) or die("Could not complete database query");
    $num = mysql_num_rows($results);

    if ($num != 0) {
        while ($row = mysql_fetch_array($results)) {
            echo "<b>{$row['title']}</b><br /><br />{$row['text']}<br />";
        }
    } else {
        echo "<font color=red>Nothing to Print</font><br>";
    }
}
?>


I read up on the parse_url function but I didn't understand how to use it here.

Thanks in advance. I look forward to learning possible solutions for this scenario.
 

bbloqx, Junior Member, joined Apr 12, 2010
I finally got it to work with the following:

Code:
<?php

$db_name = "database";
$link = mysql_connect("localhost", "user", "passwd") or die("Could not connect to server!");

// $HTTP_REFERER only exists with register_globals on; read the header from $_SERVER instead
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$qresult = parse_url($referer, PHP_URL_QUERY);

$getidnum = explode("act=article&id=", $qresult);

// explode() only yields a second element when the marker was present
$idnum = isset($getidnum[1]) ? $getidnum[1] : '';

//echo $idnum;

$query = "SELECT title, text FROM article WHERE id = $idnum";

$select_db = mysql_select_db($db_name, $link);

$results = mysql_query($query, $link) or die("Could not complete database query");

$num = mysql_num_rows($results);

if ($num != 0) {
    while ($row = mysql_fetch_array($results)) {
        echo "<b>{$row['title']}</b><br /><br />{$row['text']}<br />";
    }
} else {
    echo "<font color=red>Nothing to Print</font><br>";
}

?>

But I have a final question.

If I have [[--Read More--]] in the text field, how would I remove it from the displayed results?
 

sourceninja, Diamond Member, joined Mar 8, 2005
Umm if this is the URL of the page the person is viewing, why couldn't you just grab the value from $_GET[] ?
 

bbloqx, Junior Member, joined Apr 12, 2010
Not to sound stupid but I don't know how to answer you because I don't know what you mean... this is literally the first piece of code I put together (based on different Google searches)... I guess I used parse_url because that is what my first search was on.
 

Ka0t1x, Golden Member, joined Jan 23, 2004
that URL will give you the array of:
Code:
$_GET['act'] = 'article'
$_GET['id'] = '9'
 
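For the URL parsing the opening post asked about, here is an added example (my own, not code from anyone in the thread). It takes a full URL string, as the printer page receives it from the Referer header, and uses parse_url() plus parse_str() instead of splitting on "act=article&id=". parse_str() does the same decoding PHP performs to fill $_GET for the current request, which is why the replies above suggest reading $_GET['id'] directly when the id is in the page's own URL. The sample URLs are constructed.

```php
<?php
// Added example, not from the original posts: pull the article id out of a URL
// like http://www.domain.com/dir/?act=article&id=9 without hand-splitting on
// "act=article&id=". parse_url() isolates the query string and parse_str()
// decodes it into an array, so parameter order and extra parameters don't matter.
// Returns the id as an int, or null if the URL carries no usable id.
function extract_article_id(string $url): ?int
{
    $query = parse_url($url, PHP_URL_QUERY);   // e.g. "act=article&id=9", or null
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params);                // ['act' => 'article', 'id' => '9']
    if (($params['act'] ?? '') !== 'article' || !isset($params['id'])) {
        return null;
    }
    // Accept only a plain positive decimal integer: rejects "9 OR 1=1", "1e3",
    // "9.5", leading whitespace and array values such as id[]=9.
    $id = filter_var($params['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed sample inputs: the thread's URL plus a few shapes a browser or an
// attacker might send (parameters reordered, id tampered, query missing).
$samples = [
    'http://www.domain.com/dir/?act=article&id=9',
    'http://www.domain.com/dir/?id=12&act=article',
    'http://www.domain.com/dir/?act=article&id=9%20OR%201=1',
    'http://www.domain.com/dir/?act=article&id=1e3',
    'http://www.domain.com/dir/',
];
foreach ($samples as $url) {
    echo $url, ' => ';
    var_dump(extract_article_id($url));
}
```

Run on the five constructed URLs it returns 9, 12, null, null and null. Whatever the parsing, the Referer header is sent by the browser and can be edited or omitted, so an id taken from it deserves exactly the same validation as one taken from $_GET.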

Crusty, Lifer, joined Sep 30, 2001
Make sure you validate that the url actually contains an integer before you put it into your SQL query. Otherwise someone could craft a URL that will end up executing

SELECT title, text FROM article WHERE id = 1;DROP DATABASE mysql;

Always use parameterized queries when passing any input into an SQL query, this forces the SQL engine to properly escape the values so you aren't susceptible to the attack above.
 

bbloqx, Junior Member, joined Apr 12, 2010
Thanks for your input.

I couldn't get is_int to work so I tried it with is_numeric, which works.

Reason for script: When someone views one of my articles and clicks on the "Printer Friendly Version" link at the top of the article, it passes the URL of the article to this php page.

To avoid dropping mysql (or anything else) I gave the db user only SELECT priv.

Here is what I ended up with. Your thoughts please?

Code:
<?php
$db_name = "database";
$link = mysql_connect("localhost", "user", "passwd") or die("Could not connect to server!");
// $HTTP_REFERER only exists with register_globals on; read the header from $_SERVER instead
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$qresult = parse_url($referer, PHP_URL_QUERY);
$getidnum = explode("act=article&id=", $qresult);
$idnum = isset($getidnum[1]) ? $getidnum[1] : '';
if (is_numeric($idnum)) {
    $query = "SELECT title, text FROM article WHERE id = $idnum";
    $select_db = mysql_select_db($db_name, $link);
    $results = mysql_query($query, $link) or die("Error: Could not complete a printer friendly version of this article");
    $num = mysql_num_rows($results);
    if ($num == 1) {
        $row = mysql_fetch_array($results);
        echo "<html>
        <head>
        <link rel='stylesheet' type='text/css' href='style.css'>
        </head>
        <body><b>{$row['title']}</b><br /><br />{$row['text']}<br />
        </body>
        </html>";
    } else {
        echo "<font color=red>Error: Cannot Print Article</font><br>";
    }
} else {
    echo "<font color=red>Error: Cannot Print Article</font>";
}
?>


Thanks to all who replied, I learned a lot more than I thought I would in the last 3 days
 

Hyperblaze, Lifer, joined May 31, 2001
Whenever you are using variables in the URL (using $_GET, or $_REQUEST), I would highly recommend you use the function mysql_real_escape_string to sanitize the variable.

ie.

http://www.example.com/hello.php?id=5

$var = mysql_real_escape_string($_GET['id']);

It prevents MySQL injection attacks.
 

sourceninja, Diamond Member, joined Mar 8, 2005
I wouldn't even use mysql functions directly personally. I prefer to do everything via PDO. Much nicer language structure imho and with prepare/execute no worries about sql injection (well a lot less worries).
 

Crusty, Lifer, joined Sep 30, 2001
sourceninja said:
I wouldn't even use mysql functions directly personally. I prefer to do everything via PDO. Much nicer language structure imho and with prepare/execute no worries about sql injection (well a lot less worries).

:thumbsup:

IMO you should be doing both. Maybe not the mysql functions directly, but it's always a good idea to sanitize and validate input for any problems (invalid characters, too short, etc.). Using prepared statements is always a good idea too for the reasons you mentioned.

It's perfectly plausible for input to pass sanity checking, but still be dangerous to the DB.
 
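Pulling the last three replies together (validate first, then bind parameters, and prefer PDO), this added example is my own rewrite of the printer page, not code posted in the thread. It runs offline against an in-memory SQLite database seeded with two constructed rows; for the poster's setup the DSN would be 'mysql:host=localhost;dbname=database' with the user and password from the posts, which are assumed names. Two points it makes that the thread only touches on: is_int() fails on $_GET values because they arrive as strings, and mysql_real_escape_string() on its own does nothing for an unquoted numeric field, since "9 OR 1=1" contains no quote or backslash to escape.

```php
<?php
// Added example, not code from the thread: hardened version of the
// printer-friendly page with integer validation, a PDO prepared statement and
// output escaping. Uses in-memory SQLite with constructed rows so it runs
// offline; swap the DSN for MySQL in production (assumed host/db/user names).
function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT, text TEXT)');
    $ins = $db->prepare('INSERT INTO article (id, title, text) VALUES (?, ?, ?)');
    $ins->execute([9, 'Ninth article', 'Public intro [[--Read More--]] and the rest.']);
    $ins->execute([10, 'Tenth article', '<script>alert(1)</script> stored by an author']);
    return $db;
}

// Validate: the id must be a positive decimal integer. is_int() is false for
// the string "9" that $_GET delivers, and is_numeric() is looser than wanted
// (it accepts "1e3", "9.5" and leading whitespace), so use FILTER_VALIDATE_INT.
function validate_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Bind: the value travels as a parameter, never as part of the SQL text, so a
// value that slipped past validation still cannot change the query's shape.
function fetch_article(PDO $db, $rawId): ?array
{
    $id = validate_id($rawId);
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT title, text FROM article WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// For contrast, the thread's original pattern: with the raw value pasted into
// the query text, "9 OR 1=1" stops being a lookup and matches every row.
function fetch_article_vulnerable(PDO $db, string $rawId): array
{
    return $db->query("SELECT title, text FROM article WHERE id = $rawId")->fetchAll(PDO::FETCH_ASSOC);
}

// Render: drop the "[[--Read More--]]" marker the poster asked about and
// HTML-escape both fields so stored markup is printed, not executed.
function render_article(array $row): string
{
    $text = str_replace('[[--Read More--]]', '', $row['text']);
    return '<b>' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . '</b><br /><br />'
         . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '<br />';
}

$db  = open_db();
$raw = $_GET['id'] ?? '9';   // on the live page this is the link's ?id=; '9' is a stand-in for CLI runs

$row = fetch_article($db, $raw);
echo $row === null ? "<font color=red>Error: Cannot Print Article</font>\n" : render_article($row) . "\n";

// Side by side on a tampered id: the concatenated query versus the bound one.
echo count(fetch_article_vulnerable($db, '9 OR 1=1')), " row(s) from the unparameterised query\n";
var_dump(fetch_article($db, '9 OR 1=1'));
```

fetch_article_vulnerable() run on '9 OR 1=1' returns both seeded rows, while fetch_article() returns null for the same input because validation rejects it before any SQL is built. On MySQL also set PDO::ATTR_EMULATE_PREPARES to false so parameters are bound server-side rather than interpolated by the driver, and keep the read-only SELECT grant the poster already gave the account.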