Hi All,
I've got a page called user.php and when I link to there I get there by sending a URL variable called id.... so basically like this...
user.php?id=6
user.php?id=3 etc etc...
Then in my main code I have a line like this:
Code:
<?php
$result = mysql_query("SELECT * FROM sp_table WHERE id=$_GET['id']");
while($row = mysql_fetch_array($result)) {
    echo $row['name'];
    echo "<br />";
}
?>
For some reason this doesn't work though (i.e. it doesn't display the 'name' field for the given 'id' field).
I know that the problem part of the code is the $result line because when I replace a plain number instead of the $_GET function it displays the 'name' field ok... i.e. this...:
Code:
$result = mysql_query("SELECT * FROM sp_table WHERE id='1'");
...would display the correct 'name' field.
Any ideas what is wrong with my $_GET['id'] field?
Thanks for all your help!
I've just figured it out... yay!!!
I should have added the GET into a variable, and echo the variable, not the function...
i.e.
Code:
$idvar = $_GET['id'];
hope this helps somebody else!
I think if you load it directly into the mysql thing you just need to take out the ' character for it to work like this:
Code:
$result = mysql_query("SELECT * FROM sp_table WHERE id=$_GET[id]");
However you should make it look a bit nicer and filter GET data to prevent injection.
Code:
$id = ereg_replace('[^0-9]', '', $_GET['id']);
$result = mysql_query("SELECT * FROM `sp_table` WHERE `id`=$id");
This filters out everything except numbers so that you can't get an injection.
or, the built in mysql function for preventing injection:
Code:
$result = mysql_query("SELECT * FROM `sp_table` WHERE `id`='".mysql_real_escape_string($_GET['id'])."'");
__________________________________________
I study Information Systems at Karlstad University when I'm not on CodeCall
mysql_real_escape_string() is imo needless for only-numeric values...
Well, you can try is_numeric or similar methods first, and throw an error upon that, but the very best advice from me is to always enclose values within the sql statement with apostrophes (') and always escape them at some point.
__________________________________________
I study Information Systems at Karlstad University when I'm not on CodeCall
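The validate-then-bind version of the lookup discussed in the two replies above (filter the id to a number, then keep it out of the SQL text), as an added example that is not from any of the thread's posters. It assumes PHP's mysqli extension (the mysql_* functions used in the thread were removed in PHP 7.0), the thread's sp_table with id and name columns, and placeholder connection details.

```php
<?php
// Added example, not from the thread: the user.php lookup with the id
// validated as an integer and passed as a bound parameter, so no quoting
// or escaping of request data is ever done by hand.

// Reject anything that is not a plain positive integer instead of stripping
// characters out of it; stripping can leave an empty value and a broken query.
function validIdOrNull(array $get): ?int
{
    if (!isset($get['id'])) {
        return null;
    }
    $id = filter_var($get['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The id is bound with type 'i'; the SQL text never contains request data.
function nameForId(mysqli $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT `name` FROM `sp_table` WHERE `id` = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($name);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $name : null;
}

$id = validIdOrNull($_GET);
if ($id === null) {
    http_response_code(400);
    exit('Missing or invalid id');
}

// Placeholder credentials; replace with your own.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$name = nameForId($db, $id);

// Encode on output as well, since the name is echoed into HTML.
echo $name === null ? 'No such user' : htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
echo "<br />";
```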