PHP Forum

**amphtech** · 03-27-2009, 08:06 PM

I have coded a php and mysql cms, the pages are loaded by

Code:

WHERE id=".$_GET['id']

It works great, but i would like to change it so the urlid is used to select a page so i changed it to

Code:

WHERE urlid=".$_GET['id']

. The page doesn't load due to the selector is meant to wrapped it a single quote.
Eg: When i go to view a page i got main.php?id=home but it doesnt work.
I tryed main.php?id='home' and it works fine.

Code:

http://www.w3schools.com/Sql/sql_where.asp

Is the correct way to do it.

Basicly all im trying to do is wrap the variable $_GET['id'] in single quotes.
I allready tryed

Code:

WHERE urlid=".'.$_GET['id'].';

but it don't work.

If you know how to wrap the variable in single quotes could you please help me out.

Thanks,
Wade

**NullPointer** · 03-27-2009, 08:10 PM

I know of two ways.
One:

Code:

'SELECT * FROM table WHERE urlid=\'' . $_GET['id'] . '\'';

Two:
Use PDO (http://us2.php.net/pdo).

**amphtech** · 03-27-2009, 10:05 PM

Thanks so much worked like a charm.
Thanks,
Wade

**tripy** · 08:09 AM

Just to explain to you, the problem was the datatypes of your db columns.

id is referenced as an integer (or a variant: bigint, smallint) and can only contain integer numbers.
urlid is a varchar field.

A numeric field is referenced as is, without quotes

Code:

select * from tableX where intField=5;

If you want to look up a varchar value, you have to enclose the term into single quotes.

Code:

select * from tableX where strField='something';

If you try to make a query on an integer field with a varchar value, then the db will try to implicitly cast your varchar in an integer value

Code:

 select * from tableX where intField='5';

It works, but requires a little bit more work for the db.

But, the db won't cast a integer to varchar implicitely, so, when you do

Code:

 select * from tableX where strField=5;

the db raises an error because you try to compare a string value with an integer value.
What you should have written was

Code:

 select * from tableX where strField='5';

Thus your error.

**amphtech** · 03-29-2009, 12:02 AM

Thanks,
Tripy for explaining my error

**imayes** · 03-29-2009, 04:13 PM

On a security note, this opens you up to a SQL Injection attack. Here is an article that explains this further and has a method for prevention.

**amphtech** · 01:12 AM

So the first one example NullPointer posted will open it up to enable SQL Injection? If so how would I fix it?

**NullPointer** · 03-30-2009, 01:15 AM

Yes. User input should be validated and sanitized before use in an sql query. I forgot to mention that in my earlier post. You'll want to make sure that $_GET['id'] meets any constraints on IDs (string length, valid characters, etc). Also use mysql_real_escape string to escape special characters (http://us2.php.net/function.mysql-real-escape-string).