How to integrate your HTML template in the Dynamic PHP _GET content from SQL script?

Discussion in 'PHP' started by eritrea1, Jun 24, 2012.

  1. #1
    Hi Everyone.
    I have this script:
    
    <?php
    if(isset($_GET['p']) && !empty($_GET['p'])){
     $p = $_GET['p'];
     //please put mysql queries and most of the code dealing with mysql in a separate page unlike this one
     $query = "SELECT * FROM `articles` WHERE `id`='$p' ";
     if (@$mysql_query = mysql_query($query)){
      if (mysql_num_rows($mysql_query)==1){
       $content = mysql_result($mysql_query, 0, 'body');
      }
     }
    }else{
     $p=1;
    }
    <a href="id.php?p=66"> id </a></br>
    ?>
    
    Code (markup):
    Which draws contents from SQL, like table id 66, and shows it on a black page, and I want my HTML to integrate it. So, the result will be the HTML layout plus the PHP dynamic page.


    Thanks in advance.
     
    eritrea1, Jun 24, 2012 IP
  2. TrafficCake

    #2
    I'm going to stop you right now before you go any further. As your code is at the moment, it can be abused and your SQL can be hijacked using an SQL injection. Ideally you need to be using something like mysqli or PDO, but if you can't use them, at least escape your GET query. In terms of adding to HTML, you have a couple of ways of doing so, but in practice the templates have to be renamed to .php and then the code can be dropped in. Not ideal, but it would work. Else you can use something like jQuery to load the content in via an Ajax request.

    But do not forget to escape!

    $p = mysql_real_escape_string($_GET['p']);
    PHP:
     
    TrafficCake, Jun 24, 2012 IP
  3. eritrea1

    #3
    Thanks, but why would I need to use the mysql_real_escape_string function, as there is nothing being submitted into SQL? It is just a GET function, with no forms! How can anyone use SQL injection if I had that script on my page?
     
    eritrea1, Jun 25, 2012 IP
  4. shubhamm

    #4
    @Offtopic
    There is nothing inserting but submitting; people can use the GET variable to inject, like

    value.php?p=66' ..

    People like me track requests using Tamper Data, so an Ajax request or anything like it gets tracked and we can inject.

    @Topic

    I don't understand the whole question. You want to append HTML and the MySQL result?
     
    shubhamm, Jun 25, 2012 IP
  5. Vooler

    #5
    First, get secured
    
    $p = intval($_GET['p']); # As id of your article would probably be auto_increment and an integer field
    
    PHP:
    Secondly, your question is not clear:

    regards
     
    Vooler, Jun 25, 2012 IP
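
An added example, not code from any poster in this thread: it shows that the `p` value from the URL reaches the SQL text with no form involved, next to a lookup that validates the id as an integer and binds it through a PDO prepared statement. An in-memory SQLite database stands in for the thread's MySQL `articles` table so the script runs offline, and `build_query_unsafe` and `fetch_article_body` are hypothetical names.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for the
// thread's MySQL `articles` table so the script runs offline (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, body TEXT)');
$pdo->exec("INSERT INTO articles (id, body) VALUES (66, 'Constructed sample article body')");

// What the original script sends to the database: the URL value is pasted
// straight into the SQL text, so it is parsed as SQL, form or no form.
// The string is only printed here, never executed.
function build_query_unsafe(string $p): string
{
    return "SELECT * FROM `articles` WHERE `id`='$p' ";
}

// Hardened lookup (hypothetical helper): validate the id as a positive
// integer, then bind it as a parameter so it is never parsed as SQL.
// Unlike intval(), filter_var() rejects "66'" instead of coercing it to 66.
function fetch_article_body(PDO $pdo, $rawId): ?string
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // reject instead of guessing what the caller meant
    }
    $stmt = $pdo->prepare('SELECT body FROM articles WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $body = $stmt->fetchColumn();
    return $body === false ? null : $body;
}

// Constructed sample values for ?p=: a normal id, the quote case from post #4,
// and a non-numeric value.
foreach (['66', "66'", 'abc'] as $p) {
    echo "p = $p\n";
    echo '  string-built SQL: ', build_query_unsafe($p), "\n";
    $body = fetch_article_body($pdo, $p);
    echo '  hardened result : ', $body === null ? '(rejected or not found)' : $body, "\n";
}
```

For `p=66'` the string-built query ends in `'66''`, so the stray quote is already part of the SQL syntax, while the hardened lookup rejects the value before any query runs.
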
  6. eritrea1

    #6
    Thanks, I still do not understand how, when no one is submitting a malicious script into a web form, someone can still manage to perform SQL injection by clicking links only, on a page that does not have a single form in it.

    However, at the moment let me clarify my original question.

    For instance, if you were to copy and paste the code I provided above, and clicked on the link I have provided at the footer that is like this:
    <a href="id.php?p=66"> id </a>
    Code (markup):
    You would see that it only displays text stored in a table called 'Articles', which is fine, BUT on a completely white page, WITHOUT the page layout, while this code itself rests inside a file called index.php, which is customized by CSS. It has a logo, footer, background images... But it does not display all of these; it just displays the result on a completely white page. So, I need help to display it all together.



    Thanks Guys.
    I hope this cleared up the confusion.
     
    eritrea1, Jun 25, 2012 IP
  7. Vooler

    #7
    You might have put output buffering on somewhere, check your code. If not an error in syntax then probably some other issue. Try turning errors ON in your PHP ini file.
    Another cause may be that you are trying to suppress errors by using the @ sign, and some serious error has occurred which terminated the execution but has not output any error at all.

    Now, if you want someone to find the error, please post the source, or if you are willing to learn how to separate the View, the Logic, and the Model, then try learning MVC concepts. I have a little engine for beginners (my students) that lets you separate markup and write code separately. PM me, I can supply that free.

    regards
     
    Vooler, Jun 25, 2012 IP
  8. shubhamm

    #8
    I think the problem is how you are inserting your HTML code. Use it after the PHP tags, like
    
    <html>
    <body>
    <?php
    //content of Mysql
    ?>
    </body>
    </html>
    Code (markup):
    And I have also used your code like this

    <?php
    if(isset($_GET['p']) && !empty($_GET['p'])){
     $p = $_GET['p'];
    echo "Content";
    }else{
     $p=1;
    }
    echo '<a href="Check.php?p=66"> id </a><br>';
    ?>
    Code (markup):
    I think it's the same way and it's working (I am just guessing; I don't know how you are printing $content and the HTML code).

    Try @Vooler's solution or give at least some more code in which you are printing both HTML and PHP.
     
    shubhamm, Jun 25, 2012 IP