Old 05-27-2009, 02:09 PM The $_GET variable
Knight13's Avatar
Defies a Status

Posts: 10,289
Name: Knight13
Location: Cleveland, Ohio
Trades: 0
I am trying to get values from firstpage.php and send them to secondpage.php. This is what I have figured out, and I am wondering if it is the correct way to do it. Thanks.

Firstpage.php
PHP Code:
<?php
// Connects to the database.
$con = mysql_connect("localhost","blank","blank") or die (mysql_error());
$db = mysql_select_db("wsdatabase") or die (mysql_error());
// Selects usernames from the user table.
$sql = "select username from users";
$query = mysql_query($sql);
// Lists every name in the table with a link going to secondpage.php.
while($row = mysql_fetch_array($query)) {
    printf("<a href='secondpage.php?username=%s'>%s</a>"."<br/>",$row['username'],$row['username']);
}
?>
secondpage.php
PHP Code:
<?php
// Grabs the username with the get method.
if(isset($_GET['username'])) {
    $username = $_GET['username'];
}
// Connects to the database.
$con = mysql_connect("localhost","blank","blank") or die (mysql_error());
$db = mysql_select_db("wsdatabase") or die (mysql_error());
// Selects everything from the database.
$sql = "select * from users where username = '$username' ";
$query = mysql_query($sql);
// Prints everything out from the database.
while($row = mysql_fetch_array($query)) {
    echo "<b>".$row['title']."</b>";
    echo "<br/>";
    echo "<b>".$row['username']."</b>";
    echo "<br/>";
    echo "<b>".$row['email']."</b>";
}
?>
Old 05-27-2009, 02:51 PM Re: The $_GET variable
Average Talker

Posts: 17
Name: Jeremy
Location: WV
Trades: 0
I don't have an answer for your main question but here's one tip: Use mysql_real_escape_string when putting data from $_GET into a database query.
AdscendJeremy is offline
Old 05-27-2009, 04:18 PM Re: The $_GET variable
Extreme Talker

Posts: 181
Name: David Jackson
Trades: 0
PHP Code:
 
while($row = mysql_fetch_array($query)) {
    $links .= "<a href=\"secondpage.php?username=".$row['username']."\">".$row['username']."</a><br />\n";
}

echo $links;
Last edited by davidj; 05-27-2009 at 04:25 PM.. Reason: removed $c as its not needed
Old 05-27-2009, 08:07 PM Re: The $_GET variable
Knight13's Avatar
Defies a Status

Posts: 10,289
Name: Knight13
Location: Cleveland, Ohio
Trades: 0
davidj ~~
What is the difference, other than the way it is written, between the way I wrote it and the way you wrote it? Just wondering...

And my main question is: is that the correct way to use the get method?
Old 05-27-2009, 08:59 PM Re: The $_GET variable
markAtRitetek's Avatar
Experienced Talker

Posts: 32
Name: Mark Hudson
Location: Atlanta, GA
Trades: 0
It seems to be the correct way to do it to me. I would recommend using mysql_fetch_assoc if you are going to access the values by field name though since it cuts down on the data transfer (cutting your mysql result in half since the numerically indexed arrays become unnecessary).
__________________
Mark Hudson
Ritetek Design

Old 05-28-2009, 08:45 AM Re: The $_GET variable
EdB
Skilled Talker

Posts: 79
Name: Ed Barnett
Trades: 0
Quote:
Originally Posted by Knight13
davidj ~~
What is the difference, other than the way it is written, between the way I wrote it and the way you wrote it? Just wondering...

And my main question is: is that the correct way to use the get method?

I believe this is deemed the W3C Compliant way of writing HTML.

<div id="this"> rather than <div id='this'>
Old 05-28-2009, 12:03 PM Re: The $_GET variable
Knight13's Avatar
Defies a Status

Posts: 10,289
Name: Knight13
Location: Cleveland, Ohio
Trades: 0
EdB ~
I was wondering what was different, PHP-wise, between the way I wrote it and the way davidj wrote it. I just want to know if davidj's way is the correct way or if it is just another way of writing the same PHP code.
Old 05-28-2009, 12:35 PM Re: The $_GET variable
Extreme Talker

Posts: 181
Name: David Jackson
Trades: 0
I just simplified it a bit.
davidj is offline
Old 05-28-2009, 02:02 PM Re: The $_GET variable
Knight13's Avatar
Defies a Status

Posts: 10,289
Name: Knight13
Location: Cleveland, Ohio
Trades: 0
Oh OK then, I just wanted to make sure.

Also, just to make it clear to me: is the way I used the get method to get the user information the way it should be done, or am I doing something wrong?
Old 05-30-2009, 04:21 PM Re: The $_GET variable
Knight13's Avatar
Defies a Status

Posts: 10,289
Name: Knight13
Location: Cleveland, Ohio
Trades: 0
I am having a problem with the above code and I am wondering if there is a solution.

My problem is that when I send the information from firstpage.php to secondpage.php everything works, but if I go into the URL and take out a name that is in the database, like michael, and replace it with a name like blah, which is not in the database, it will send me to secondpage.php with no title or email, just the name I typed into the URL.

Is there any way to make this not possible to do?
Old 05-31-2009, 01:40 AM Re: The $_GET variable
Knight13's Avatar
Defies a Status

Posts: 10,289
Name: Knight13
Location: Cleveland, Ohio
Trades: 0
If someone could tell me what I could type into Google to get the information I am looking for, that would also help me out, because I do not know what it would be called.
Old 05-31-2009, 08:20 AM Re: The $_GET variable
lothop's Avatar
Ultra Talker

Posts: 303
Trades: 0
Quote:
Originally Posted by Knight13
I am having a problem with the above code and I am wondering if there is a solution.

My problem is that when I send the information from firstpage.php to secondpage.php everything works, but if I go into the URL and take out a name that is in the database, like michael, and replace it with a name like blah, which is not in the database, it will send me to secondpage.php with no title or email, just the name I typed into the URL.

Is there any way to make this not possible to do?
PHP Code:
<?php
// Grabs the username with the get method.
if(isset($_GET['username'])) {
    $username = $_GET['username'];
}
// Connects to the database.
$con = mysql_connect("localhost","blank","blank") or die (mysql_error());
$db = mysql_select_db("wsdatabase") or die (mysql_error());
// Selects everything from the database.
$sql = "select * from users where username = '$username' ";
$query = mysql_query($sql);
// Prints everything out from the database.
if ($row['username'] != ""){
    while($row = mysql_fetch_array($query)) {
        echo "<b>".$row['title']."</b>";
        echo "<br/>";
        echo "<b>".$row['username']."</b>";
        echo "<br/>";
        echo "<b>".$row['email']."</b>";
    }
}else{
    echo ('Whoops that person doesnt exist in the database, hit back!');
}
?>
This is a stab in the dark...
Check to see if any information is pulled back from the database?
__________________
Websites Created;
warscope.com
ratepayers.org.nz
Old 05-31-2009, 10:42 PM Re: The $_GET variable
Knight13's Avatar
Defies a Status

Posts: 10,289
Name: Knight13
Location: Cleveland, Ohio
Trades: 0
I tried it the way you said in the post, but when I would click on a valid name it would show the error code, so I messed with the script until I got this. Is this a good way to write this script or no?

PHP Code:
<?php
// Grabs the username with the get method.
if(isset($_GET['username'])) {
    $username = $_GET['username'];
}
// Connects to the database.
$con = mysql_connect("localhost","blank","blank") or die (mysql_error());
$db = mysql_select_db("wsdatabase") or die (mysql_error());
// Selects everything from the database.
$sql = "select * from users where username = '$username' ";
$query = mysql_query($sql);
// Prints everything out from the database.
if($row = mysql_fetch_assoc($query)) {
    echo "<b>".$row['title']."</b>";
    echo "<br/>";
    echo "<b>".$row['username']."</b>";
    echo "<br/>";
    echo "<b>".$row['email']."</b>";
}else{
    // No matching user: redirect. header() returns nothing, so it is not echoed.
    header("Location: blank.php");
    exit;
}
?>
Old 06-04-2009, 05:17 AM Re: The $_GET variable
Knight13's Avatar
Defies a Status

Posts: 10,289
Name: Knight13
Location: Cleveland, Ohio
Trades: 0
I would still like to know if this code is written correctly and if this is the way to use the $_GET method correctly.
Old 06-04-2009, 06:07 AM Re: The $_GET variable
tripy's Avatar
Do not try this at home!

Posts: 3,621
Name: Thierry
Location: I'm the uber Spaminator !
Trades: 0
The most obvious mistake I see is that you leave your code wide open to SQL injection.
Imagine that someone gives as a user: "michael';drop table users;select '".

The resulting query sent to the db would be:
Code:
select * from users where username = 'michael';drop table users;select ''
And this will delete your table and everything in it.

When you get data from $_GET, $_POST or $_COOKIE (and of course, $_REQUEST, which merges all three in one), ALWAYS CHECK WHAT IS IN THERE.

I use something like this:
PHP Code:
<?php
/**
 *  Check if a string contains an SQL operation keyword.
 *  If it does, returns TRUE, else returns FALSE.
 *  @param string $par
 *  @return boolean
 */
function sqlInjection($par){
  $ret = FALSE;
  $aryRestricted = array("select","update","insert","drop","delete","truncate","alter");

  foreach($aryRestricted as $k => $v){
    if(stripos($par, $v) !== FALSE){
      return TRUE;
    }
  }

  return $ret;
}
and I use it with
PHP Code:
if(isset($_GET['username'])) {
  if(sqlInjection($_GET['username']) === FALSE){
    $username = $_GET['username'];
  }
  else{
    //we have an sql injection attempt, deal with it like you want to...
  }
}

which can even be reduced (with the ternary operator) to
PHP Code:
$username = (isset($_GET['username']) && sqlInjection($_GET['username']) === FALSE) ? $_GET['username'] : NULL;
if($username === NULL){
  //no username given, or sql injection detected, handle it here
}

For the output part, you could simplify it too, with the <<< operator:
PHP Code:
if($row = mysql_fetch_assoc($query)) {
  echo <<<html
<b>{$row['title']}</b>
<br/>
<b>{$row['username']}</b>
<br/>
<b>{$row['email']}</b>
<br/>
html;
}

It takes everything between "<<<keyword" up to "keyword;" as a string.
You can type a complete HTML block in there, rather than numerous echoes.
The only things to take care of are that you cannot call a function from inside, and that the end delimiter (html;) must be in column 0.
__________________
Only a biker knows why a dog sticks his head out the window.

Last edited by tripy; 06-04-2009 at 05:56 PM.. Reason: added missing restricted keywords to check in sqlInjection()
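An added example, not code from any poster in this thread: it runs the keyword filter from the post above next to a lookup that binds the username as a query parameter, and covers the "name not in the database" case asked about earlier. Assumptions: PDO with an in-memory SQLite database stands in for the thread's mysql_* calls so the script runs offline, the rows are constructed sample data, and `findUser` is a hypothetical helper name.

```php
<?php
// Added example: constructed in-memory table standing in for the thread's `users` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (username TEXT PRIMARY KEY, title TEXT, email TEXT)");
$seed = $pdo->prepare("INSERT INTO users (username, title, email) VALUES (?, ?, ?)");
foreach ([
    ['michael',  'Admin',  'michael@example.com'],
    ["O'Brien",  'Member', 'obrien@example.com'],
    ['alterego', 'Member', 'alterego@example.com'],
] as $r) {
    $seed->execute($r);
}

// Keyword filter with the same logic as the one posted in the thread, for comparison.
function sqlInjection($par) {
    foreach (["select","update","insert","drop","delete","truncate","alter"] as $v) {
        if (stripos($par, $v) !== false) {
            return true;
        }
    }
    return false;
}

// Hypothetical helper: look the user up with a bound parameter, so the value
// is never parsed as SQL. Returns the row, or null when no such user exists.
function findUser(PDO $pdo, $username) {
    $stmt = $pdo->prepare("SELECT title, username, email FROM users WHERE username = :u");
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs, as they might arrive in $_GET['username'].
$inputs = ['michael', "O'Brien", 'alterego', 'blah', "michael';drop table users;select '"];
foreach ($inputs as $in) {
    $flagged = sqlInjection($in) ? 'blocked' : 'allowed';
    $row     = findUser($pdo, $in);
    // Escape on output so stored values cannot inject markup into the page.
    $result  = $row ? htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8') : 'not found';
    printf("%-36s filter=%-8s prepared=%s\n", $in, $flagged, $result);
}
// Row count after every input, including the string quoted in the thread, has been looked up.
echo "rows left: ", $pdo->query("SELECT COUNT(*) FROM users")->fetchColumn(), "\n";
```

The keyword filter rejects the legitimate name alterego and lets O'Brien through, whose apostrophe would break the concatenated query; the bound parameter handles both, and a null return is the place to send the redirect for an unknown name.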
 
Old 06-04-2009, 03:25 PM Re: The $_GET variable
Knight13's Avatar
Defies a Status

Posts: 10,289
Name: Knight13
Location: Cleveland, Ohio
Trades: 0
Thanks tripy, that is what I wanted to know.