php script for variables attached to url

[Peter2]

Hi;
I use the $_GET to get the values of variables attached to url like this:

http://www.abc.com/mypage.php?var1=abc

in the mypage.php, I use $var1=$_GET['var1'];

But it will give an error message when there is no variable attached to the url like:

http://www.abc.com/mypage.php

the message is

Notice: Undefined index: var1 in ... www\mypage.php on line 2

I want the mypage.php to be able to handle both cases smoothly.

How can I do that?

Your help is highly appreciated.

Peter

 

[Crusty]

if (isset($_GET['var1'])) {
$var1 = $_GET['var1'];
}
else {
$var1 = "Error";
}

 

[reverend boltron]

You're on abc.com??? That's a pretty intense domain name. You should sell it and become a millionaire!

Maybe try something like...
if(isset($_GET['var1'])==1) { $var1=$_GET['var1']}


or you can do it like..
if(isset($_GET['var1'])) { ... }

or you can try it like..
$var1 = isset($_GET['var1']) ? $_GET['var1'] : 'NULL';

Or some other value you might want to use to test if it has a value or not. Those are just three different flavors that I would use.
I personally like the last time, because I just think it's cool to program like that.

 

[George P Burdell]

Make sure you sanitize the input from $_GET before you use it.

 

[Hyperblaze]

I'd go for the following.

if (isset($_GET['var1']) && $_GET['var1'] != NULL) {
$var1 = mysql_real_escape_string($_GET['var1']);
}

the only real difference I have with the other posts is that I sanitize the get variables in case someone tries to use a sql injection attack.

If you were to plug in the $var1 directly into a sql statement, you'd take a risk not sanitizing it.

 

[jjones]

Originally posted by: Hyperblaze
I'd go for the following.

if (isset($_GET['var1']) && $_GET['var1'] != NULL) {
$var1 = mysql_real_escape_string($_GET['var1']);
}

the only real difference I have with the other posts is that I sanitize the get variables in case someone tries to use a sql injection attack.

If you were to plug in the $var1 directly into a sql statement, you'd take a risk not sanitizing it.

Prepared statements FTW, but you should also qualify $_GET because you don't want garbage either. And I usually go with a !empty rather than !NULL as !empty checks for zero values and false as well.

Edit: I guess I should put an example up for the OP. Pretty much similar to Hyperblaze:

if (isset($_GET['var1']) && !empty($_GET['var1'])) {

// Here you'll want to do some qualifying for $_GET

$var1 = (int) $_GET['var1']; // if you expect an integer

$array = array('value1', 'value2', 'value3'); // an array used to check possible expected $_GET values

(in_array($_GET[$var1], $array)) ? $var1 = $_GET['var1'] : $var1 = false;

}

There's lots of checking you can do, depending upon what you're expecting from the GET variable. Once you've weeded out the garbage, you can then use the mysql_real_escape_string function on it before sending it to the DB, or use prepared statements.

 

[Peter2]

Than you all for very nice help. I followed your suggestion, and my code works now.
Thanks again.

Peter