
PHP Query Results as Links

  • 16-06-2012 12:44pm
    #1
    Registered Users, Registered Users 2 Posts: 377 ✭✭


    Hi

    Just wondering if anyone could give me a bit of advice.

    I have a website for products. So I have about 8 product categories. So using php links with parameters each category is a link and when pressed it returns all the products in the category.

    However what I want is for each of the results returned to be a link so I can produce a page for each product with more detailed info, ability for customers to leave reviews.

    However I tried using <a href around the query results but to no avail so can anyone help me with this. Thanks :)

    The code I have is as follows


    [PHP]
    <?php
    // Connect to the local MySQL server and select the database
    mysql_connect("localhost", "root", "") or die("Could not connect : " . mysql_error());

    mysql_select_db("warehouse") or die("Could not select database");

    // category_id comes straight from the URL and is placed in the SQL string unchanged
    $catquery = "select name from products where category_id = '$_GET[category_id]'";

    $catresult = mysql_query($catquery) or die("Query Error" . mysql_error());

    // Table header
    print "
    <table border = '0' cellspacing = '4' >
    <tr>
    <th><i>Name</i></th>
    </tr>";

    // One table row per product name
    while ($record = mysql_fetch_array($catresult, MYSQL_ASSOC)) {
        print "
        <tr>
        <td>" . $record['name'] . "</td>
        </tr>";
    }
    print "</table>";
    [/PHP]


Comments

  • Registered Users, Registered Users 2 Posts: 5,246 ✭✭✭conor.hogan.2


    What does "$record" give? (assuming you have a column called url) if it gives a link putting it in a href will work.

    You could wrap the whole result text in a href and just have the link attr go to the $record url, either way.

    Basically print out things while you are developing to see what's what, especially in languages like PHP which are dynamic and fast to debug like this in.


  • Registered Users, Registered Users 2 Posts: 241 ✭✭fcrossen


    You mean something like:
    [PHP]
    print "<tr>
    <td><a href=\"product.php?id=" . $record . "\">" . $record . "</a></td>
    </tr>";
    [/PHP]

    In product.php check $_GET and query the DB accordingly.

    Also, watch out for passing $_GET parameters directly to SQL queries. You are susceptible to injection. Read up on sanitising variables.


  • Registered Users, Registered Users 2 Posts: 377 ✭✭libra02


    fcrossen wrote: »
    You mean something like:
    [PHP]
    print "<tr>
    <td><a href=\"product.php?id=" . $record . "\">" . $record . "</a></td>
    </tr>";
    [/PHP]

    In product.php check $_GET and query the DB accordingly.

    Also, watch out for passing $_GET parameters directly to SQL queries. You are susceptible to injection. Read up on sanitising variables.


    Yes basically what I want is the name of the products, the query results, to be printed out in a table format as links. Then for each of these products I can link them to individual pages which give a more detailed description, etc that data of which I can pull from d/b.

    So for each product I would create a new page instead of just using one page and refresh it with new data.

    As I said the above code gives me the list of products as plain text but want to change them into links.

    Thanks once I get this working I am reading up on preventing code injection, as not sure how to do links with parameters with the $_POST variable, not sure if it is even possible.


  • Closed Accounts Posts: 19,777 ✭✭✭✭The Corinthian


    libra02 wrote: »
    Yes basically what I want is the name of the products, the query results, to be printed out in a table format as links. Then for each of these products I can link them to individual pages which give a more detailed description, etc that data of which I can pull from d/b.

    So for each product I would create a new page instead of just using one page and refresh it with new data.

    As I said the above code gives me the list of products as plain text but want to change them into links.

    Then you turn them into HTML links, imbedded in table rows as has been suggested. These links would then go to a separate script that would take in the product ID, query the products table to pull back the full details for that single product:
    [PHP]$a_Product = "select * from products where product_id = " . (isset($_GET['id']) ? (int) $_GET['id'] : 0);[/PHP]
    Of course, it depends on what the fields in the products table are and what they're called, because so far we've only seen the table name and two field names, in your example. How the products data is stored is important because some of it may be in the form of indexes linked to another table (such as category_id).

    libra02 wrote: »
    Thanks once I get this working I am reading up on preventing code injection, as not sure how to do links with parameters with the $_POST variable, not sure if it is even possible.

    Using a HTTP GET variable is fine. The main security area where this might be an issue is in the case of something such as inputting a password or credit card number, because then it is more easily logged on the server or browser history, which naturally can lead to issues.

    You'll note that I added a little piece of code to parse the id variable above. I've used a shorthand method of doing this - a possibly easier and more verbose way of writing that would be:
    [PHP]if (isset($_GET['id'])) {
        $i_ID = (int) $_GET['id'];
    } else {
        $i_ID = 0;
    }
    $a_Product = "select * from products where product_id = ".$i_ID;[/PHP]
    This forces the product ID into an integer value; if the variable exists it attempts to parse it into an integer (and PHP will return zero if it cannot), and if it does not exist it simply returns zero. So at worst the script will look for a (non-existent) product of ID of zero and malicious code is blocked.

    Alternatively the PHP function addslashes can also be used to intercept a SQL injection attack, or this can even be automatically set at a server level.
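
Added example, not code from any poster in this thread: the category listing and the product.php lookup discussed above, using PDO prepared statements so the request value is bound rather than concatenated, and escaping every value written into the HTML. The column names product_id, name and category_id are taken from the queries in the thread; the helper names, the in-memory SQLite database standing in for MySQL, and the sample rows are assumptions made for the example. Strict validation rejects input such as "2 OR 1=1", which an (int) cast would silently turn into 2.

```php
<?php
// Added example: constructed schema and rows; in-memory SQLite stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (product_id INTEGER PRIMARY KEY, name TEXT, category_id INTEGER)');
$pdo->exec("INSERT INTO products (name, category_id) VALUES
    ('Claw hammer', 1), ('Tape <5m> & level', 1), ('Garden hose', 2)");

// Accept only a positive decimal integer; anything else becomes null.
function int_param(array $src, string $key): ?int
{
    $v = filter_var($src[$key] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// Category listing: each product name is a link to product.php?id=N.
function render_category(PDO $pdo, array $get): string
{
    $cat = int_param($get, 'category_id');
    if ($cat === null) {
        return "<p>Unknown category</p>\n";
    }
    $stmt = $pdo->prepare('SELECT product_id, name FROM products WHERE category_id = ?');
    $stmt->execute([$cat]); // value is bound, never concatenated into the SQL
    $html = "<table>\n<tr><th>Name</th></tr>\n";
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $href = 'product.php?' . http_build_query(['id' => $row['product_id']]);
        $html .= '<tr><td><a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
               . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . "</a></td></tr>\n";
    }
    return $html . "</table>\n";
}

// product.php lookup: the row, or null when id is missing, invalid or unknown.
function find_product(PDO $pdo, array $get): ?array
{
    $id = int_param($get, 'id');
    if ($id === null) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM products WHERE product_id = ?');
    $stmt->execute([$id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Constructed requests standing in for $_GET.
echo render_category($pdo, ['category_id' => '1']);
var_dump(find_product($pdo, ['id' => '2']));
var_dump(find_product($pdo, ['id' => "2 OR 1=1"])); // not a plain integer
```

In a real page the two functions would be called with $_GET, and the PDO connection string would point at the MySQL database instead of SQLite.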


  • Registered Users, Registered Users 2 Posts: 377 ✭✭libra02


    Then you turn them into HTML links, imbedded in table rows as has been suggested. These links would then go to a separate script that would take in the product ID, query the products table to pull back the full details for that single product:
    [PHP]$a_Product = "select * from products where product_id = " . (isset($_GET['id']) ? (int) $_GET['id'] : 0);[/PHP]
    Of course, it depends on what the fields in the products table are and what they're called, because so far we've only seen the table name and two field names, in your example. How the products data is stored is important because some of it may be in the form of indexes linked to another table (such as category_id).

    Using a HTTP GET variable is fine. The main security area where this might be an issue is in the case of something such as inputting a password or credit card number, because then it is more easily logged on the server or browser history, which naturally can lead to issues.

    You'll note that I added a little piece of code to parse the id variable above. I've used a shorthand method of doing this - a possibly easier and more verbose way of writing that would be:
    [PHP]if (isset($_GET['id'])) {
        $i_ID = (int) $_GET['id'];
    } else {
        $i_ID = 0;
    }
    $a_Product = "select * from products where product_id = ".$i_ID;[/PHP]
    This forces the product ID into an integer value; if the variable exists it attempts to parse it into an integer (and PHP will return zero if it cannot), and if it does not exist it simply returns zero. So at worst the script will look for a (non-existent) product of ID of zero and malicious code is blocked.

    Alternatively the PHP function addslashes can also be used to intercept a SQL injection attack, or this can even be automatically set at a server level.


    Thanks for the reply and the advice/code on SQL injection attack.

    Much appreciated

