Hi, I'm trying to build a web application similar to Froogle.com, where it has the ability to click a link to sort results in a certain way. Since there is no form used, only links, the parameters are passed in the URL using the GET method. Then, those variables are used in the SQL statement construction to get the relevent results. I know how to do all of this. My question is: if I have multiple categories, what is the best way to get the parameters I need? For example, if you look at Froogle.com, they use a "page.php?lnk=brandsuggest" format where the "lnk" variable is the type of sorting being done. Would a simple IF statement work here? For example: IF(lnk=='brandsuggest'){ $GET_['model']; } IF(lnk=='pricesuggest'){ $GET_['price']; } etc... Or is there a better way to do it? This seems a little primative. Sorry if this is an easy question too - I'm new to PHP. Thanks for your help in advance!
if ($_GET['lnk'] == "pricesuggest") { $SQL = "SELECT etc. ORDER BY brand ASC"; } elseif //etc. PHP: In your example you are initializing a GET variable with nothing as its value. I'd probably have two parameters... One for the column and one for whether to sort ascending or descending. Or remember what is is already so you can assume one was or the other.
Simple //Checks if the link is true, if not make it true if ($_GET["sortby"]){ $sortby = $_GET["sort_by"]; }else{ $sortby = "Name"; //Your Default } $query = "SELECT * FROM table ORDER BY ' " . $sortby . " ' "; Hope this helps
Ok, thanks guys, got that part working with IF statements. One other thing I ran into was how to insert variables into a query string, and get the desired results there. Here's an example of one of the IF situations (price1 and price2 are float variables passed in the URL): if($linktype=='price'){ $price1 = $_GET['price1']; $price2 = $_GET['price2']; $query = "SELECT id, rating, company, image, description, url, type, cost, return, trial, featured FROM partners WHERE price BETWEEN '$price1' AND '$price2'"; $result = mysql_query($query); // Build Table while($row = mysql_fetch_row($result)){ $id = $row[0]; $rating = $row[1]; $company = $row[2]; $image = $row[3]; $description = $row[4]; $url = $row[5]; $type = $row[6]; $cost = $row[7]; $return = $row[8]; $trial = $row[9]; $featured = $row[10]; echo "<tr valign=top><td><p align=center>$rating</p></td><td><a href=$url><img src=$image alt=$company border=0><br>$company</a></td><td>$description</td><td>$type</td><td>$$cost</td><td>$return%</td><td>$trial</td></tr>"; } } PHP: And when that runs, I get this error: That line is the "while($row = mysql_fetch_row($result)){". So, I think the problem is with the MySQL query construction. Is the BETWEEN and AND the correct way of doing this, or is there a different format? I couldn't find any website with a nice list of all of the commands, so if anyone can recommend one of those, that would be great too! Thanks for the help!
Please... DO NOT EVER stick a $_GET straight into your SQL without sanitizing it first. I can delete your database in 2 seconds...
That's a good point... never thought of that. Thanks for pointing it out. I'll add an IF statement that checks to see if the variable is a valid entry, and if not, have it say "invalid" instead of putting it in the SQL statement. This would prevent any hacking, correct? And then my other question still stands... how are you supposed to put variables into SQL statements? And is the BETWEEN and AND structure correct there? Again, thanks for the help!
That's one way of doing it. http://www.google.co.uk/search?hl=en&q=php+sanitize+get+string+sql+injection&btnG=Search&meta= Use mysql_real_escape_string and related functions.
Figured it out - it turns out I had the wrong field name in the SQL table... Here's what I ended with for the security issue mentioned above for future reference to this thread. If there's any problems with it, let me know. if($linktype=='price'){ $price1 = $_GET['price1']; $price2 = $_GET['price2']; if(get_magic_quotes_gpc()) { $price1 = stripslashes($price1); $price2 = stripslashes($price2); } else { $price1 = mysql_real_escape_string($price1); $price2 = mysql_real_escape_string($price2); } $query = "SELECT id, rating, company, image, description, url, type, cost, return, trial, featured FROM partners WHERE cost BETWEEN '$price1' AND '$price2'"; $result = mysql_query($query); // Build Table while($row = mysql_fetch_row($result)){ $id = $row[0]; $rating = $row[1]; $company = $row[2]; $image = $row[3]; $description = $row[4]; $url = $row[5]; $type = $row[6]; $cost = $row[7]; $return = $row[8]; $trial = $row[9]; $featured = $row[10]; echo "<tr valign=top><td><p align=center>$rating</p></td><td><a href=$url><img src=$image alt=$company border=0><br>$company</a></td><td>$description</td><td>$type</td><td>$$cost</td><td>$return%</td><td>$trial</td></tr>"; } } PHP:
Please give me a few detailes about this security thing and please tell me how to code it. I am about to make a huge database and i wouldn't like it very much if someone deleted it. I would very much apreciate your reaply. Thanks!