Hi everyone. I have this script:

<?php
if (isset($_GET['p']) && !empty($_GET['p'])) {
    $p = $_GET['p'];
    // please put mysql queries and most of the code dealing with mysql in a separate page unlike this one
    $query = "SELECT * FROM `articles` WHERE `id`='$p' ";
    if (@$mysql_query = mysql_query($query)) {
        if (mysql_num_rows($mysql_query) == 1) {
            $content = mysql_result($mysql_query, 0, 'body');
        }
    }
} else {
    $p = 1;
}
?>
<a href="id.php?p=66"> id </a><br>

It draws content from the SQL table (e.g. the row with id 66) and shows it on a blank page, and I want my HTML to integrate it. So the result will be the HTML layout plus the dynamic PHP page. Thanks in advance.
I'm going to stop you right now before you go any further. As your code is at the moment it can be abused and your SQL can be hijacked using an SQL injection. Ideally you need to be using something like mysqli or PDO - but if you can't use them, at least escape your GET query. In terms of adding to HTML - you have a couple of ways of doing so; but in practice the templates have to be renamed to .php and then the code can be dropped in. Not ideal; but it would work. Else you can use something like jQuery to load the content in via an ajax request. But do not forget to escape!

$p = mysql_real_escape_string($_GET['p']);
Thanks, but why would I need to use the mysql_real_escape_string function, as there is nothing being submitted into SQL? It is just a GET variable, with no forms! How can anyone use SQL injection if I had that script on my page?
@Offtopic There is nothing being inserted, but without submitting anything people can use the GET variable to inject, like value.php?p=66' .. People like me track requests using Tamper Data, so an Ajax request or anything like it gets tracked and we can inject. @Topic I don't understand the whole question - you want to append HTML and the MySQL result?
First, get secured:

$p = intval($_GET['p']); # As the id of your article would probably be an auto_increment integer field

Secondly, your question is not clear. Regards
Thanks, I still do not understand how, when no one is submitting a malicious script into a web form, someone can still manage to perform SQL injection by clicking links only, on a page that does not have a single form in it. However, at the moment let me clarify my original question. For instance, if you were to copy and paste the code I provided above, and clicked on the link I have provided at the footer that is like this:

<a href="id.php?p=66"> id </a>

You would see that it only displays texts stored in a table called 'Articles', which is fine, BUT in a completely white page, WITHOUT the page layouts, while this code itself rests inside a file called index.php which is customized by CSS. It has a logo, footer, background images... But it does not display all of these, it just displays the result only on a completely white page. So, I need help to display all together. Thanks guys. I hope this cleared out the confusion.
You might have put output buffering on somewhere, check your code. If not an error in syntax then probably some other issue. Try turning errors ON in your PHP ini file. Another cause may be that you are trying to suppress errors by using the @ sign, and some serious error has occurred which terminated the execution but has not output any error at all. Now, if you want one to find the error, please post the source, or if you are willing to learn how to separate the View, the Logic, and the Model then try learning MVC concepts. I have a little engine for beginners (my students) that lets you separate markup and write code separately, PM me and I can supply that free. Regards
I think the problem is how you are inserting your HTML code. Use it after the PHP tags, like this:

<html>
<body>
<?php // content from MySQL ?>
</body>
</html>

And also I have used your code like this:

<?php
if (isset($_GET['p']) && !empty($_GET['p'])) {
    $p = $_GET['p'];
    echo "Content";
} else {
    $p = 1;
}
echo '<a href="Check.php?p=66"> id </a><br>';
?>

I think it's the same way and it's working (I am just guessing, I don't know how you are printing $content and the HTML code). Try @Vooler's solution or give at least some more code in which you are printing HTML and PHP BOTH.
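Pulling the thread's three suggestions together (PDO instead of mysql_query, an integer-validated id as in the intval reply, and the query result dropped into the HTML layout), as an added example that is not code from any poster. The `articles` table and its `id`/`body` columns come from the original post; the DSN, credentials and style.css are placeholders.

```php
<?php
// Added example (not from the thread). Assumes the `articles` table with `id`
// and `body` columns from the original post; DSN and credentials are placeholders.
declare(strict_types=1);

// Fetch one article body by id, or null if no row matches. The id is bound as
// a parameter, so nothing from the query string is ever spliced into the SQL.
function fetchArticleBody(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT `body` FROM `articles` WHERE `id` = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $body = $stmt->fetchColumn();
    return $body === false ? null : (string) $body;
}

// Accept only a positive integer for ?p=; anything else (missing, "66'", "abc")
// falls back to 1, which is what the original script did when p was missing.
$id = filter_input(INPUT_GET, 'p', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    $id = 1;
}

$pdo = new PDO('mysql:host=localhost;dbname=EXAMPLE_DB;charset=utf8mb4', 'EXAMPLE_USER', 'EXAMPLE_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly instead of @-silencing errors
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
]);
$content = fetchArticleBody($pdo, $id);
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Article <?= $id ?></title><link rel="stylesheet" href="style.css"></head>
<body>
  <header><!-- logo and navigation from the existing index.php layout --></header>
  <main>
    <?php if ($content === null): ?>
      <p>No such article.</p>
    <?php else: ?>
      <?php // escape on output; only drop htmlspecialchars if `body` holds HTML you authored yourself ?>
      <div class="article"><?= htmlspecialchars($content, ENT_QUOTES, 'UTF-8') ?></div>
    <?php endif; ?>
    <a href="id.php?p=66">id</a><br>
  </main>
  <footer><!-- footer and background images from the existing layout --></footer>
</body>
</html>
```

Because the template is one .php file, the layout and the fetched body render together on the same page, which is what the original poster was missing.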