FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » fetch items from a row
Show: Today's Messages :: Unread Messages :: Show Polls :: Message Navigator
| Subscribe to topic | Bookmark topic 
Switch to threaded view of this topic Create a new topic Submit Reply
fetch items from a row [message #181287] Fri, 03 May 2013 15:55 Go to next message
richard is currently offline  richard   
Messages: 213
Registered: June 2013
Karma: 0
Senior Member
add to buddy list
ignore all messages by this user
How would I change the '42' value to a string value based upon the value
retrieved from using $_GET('number')?


<?php
$result = mysql_query("SELECT id,email FROM people WHERE id = '42'");
if (!$result) {
echo 'Could not run query: ' . mysql_error();
exit;
}
$row = mysql_fetch_row($result);

echo $row[0]; // 42
echo $row[1]; // the email value
?>
Re: fetch items from a row [message #181288 is a reply to message #181287] Fri, 03 May 2013 16:18 Go to previous messageGo to next message
Salvatore is currently offline  Salvatore
Messages: 38
Registered: September 2012
Karma: 0
Member
add to buddy list
ignore all messages by this user
On 2013-05-03, richard <noreply(at)example(dot)com> wrote:
>
> How would I change the '42' value to a string value based upon the value
> retrieved from using $_GET('number')?
> [snip]

What do you mean by this? Do you want the value "42" cast as a string?

--
Blah blah bleh...
GCS/CM d(-)@>-- s+:- !a C++$ UBL++++$ L+$ W+++$ w M++ Y++ b++
Re: fetch items from a row [message #181289 is a reply to message #181288] Fri, 03 May 2013 16:49 Go to previous messageGo to next message
Tim Streater is currently offline  Tim Streater
Messages: 328
Registered: September 2010
Karma: 0
Senior Member
add to buddy list
ignore all messages by this user
In article <km162d$j1l$1(at)yojimbo(dot)hack>,
Salvatore <sal(at)yojimbo(dot)hack(dot)invalid> wrote:

> On 2013-05-03, richard <noreply(at)example(dot)com> wrote:
>>
>> How would I change the '42' value to a string value based upon the value
>> retrieved from using $_GET('number')?
>> [snip]
>
> What do you mean by this? Do you want the value "42" cast as a string?

More likely:

$result = mysql_query("SELECT id,email FROM people WHERE id = '" .
$_GET['number'] . "'");

--
Tim

"That excessive bail ought not to be required, nor excessive fines imposed,
nor cruel and unusual punishments inflicted" -- Bill of Rights 1689
Re: fetch items from a row [message #181290 is a reply to message #181287] Fri, 03 May 2013 16:47 Go to previous messageGo to next message
Denis McMahon is currently offline  Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
Senior Member
add to buddy list
ignore all messages by this user
On Fri, 03 May 2013 15:55:58 -0400, richard wrote:

> How would I change the '42' value to a string value based upon the value
> retrieved from using $_GET('number')?
>
> <?php $result = mysql_query("SELECT id,email FROM people WHERE id =
> '42'"); if (!$result) {
> echo 'Could not run query: ' . mysql_error();
> exit;
> }
> $row = mysql_fetch_row($result);
>
> echo $row[0]; // 42 echo $row[1]; // the email value ?>

Rephrase the question so it makes some sort of sense.

$_GET is not a function, $_GET('number') is invalid syntax.

$_GET['number'] will return the string from the get request that was
prefixed with "(?|&)number= up to but not including the end of the
request or the next "&" whichever comes first.

If you're trying to use the string value as a numeric value in a query,
then you may not want to put quotes round it in the query string:

select * from table where column = '42'; // looks for a string
select * from table where column = 42; // looks for a number

As the value you get from the request is a string, and the sql command is
a string, you could just copy the string value across, or you could force
it to a number and back in the process, which might be slightly slower,
but would be a lot safer:

num = -1;
if (isset($_GET['number'])) num = intval($_GET['number'])
if ( num > 0 ) {
sql = "select * from table where column = {$num}";
}
else {
// handle invalid number here
}

But all of this presumes that your issue is that you are comparing a
string value with an integer field, and that's why you're not getting the
result you expect - however you really haven't presented enough
information about the problem - and if your issue is a mysql one, perhaps
you need to ask in a mysql group.

--
Denis McMahon, denismfmcmahon(at)gmail(dot)com
Re: fetch items from a row [message #181291 is a reply to message #181287] Fri, 03 May 2013 17:00 Go to previous messageGo to next message
Richard Yates is currently offline  Richard Yates
Messages: 86
Registered: September 2013
Karma: 0
Member
add to buddy list
ignore all messages by this user
On Fri, 3 May 2013 15:55:58 -0400, richard <noreply(at)example(dot)com>
wrote:

>
> How would I change the '42' value to a string value based upon the value
> retrieved from using $_GET('number')?
>
>
> <?php
> $result = mysql_query("SELECT id,email FROM people WHERE id = '42'");
> if (!$result) {
> echo 'Could not run query: ' . mysql_error();
> exit;
> }
> $row = mysql_fetch_row($result);
>
> echo $row[0]; // 42
> echo $row[1]; // the email value
> ?>

Your question is a little confusing. It sounds like you are GETting an
integer and want to use it in the mysql query there the id is stored
as a string in the database.

$number = $_GET['number'];
$result = mysql_query("select id, email from people where id='$number'
";

But I also wonder why your id numbers in the database are stored as
strings and not as integer primary keys (which they seem to be).
Re: fetch items from a row [message #181292 is a reply to message #181291] Fri, 03 May 2013 17:21 Go to previous messageGo to next message
Scott Johnson is currently offline  Scott Johnson
Messages: 196
Registered: January 2012
Karma: 0
Senior Member
add to buddy list
ignore all messages by this user
On 5/3/2013 2:00 PM, Richard Yates wrote:
> On Fri, 3 May 2013 15:55:58 -0400, richard <noreply(at)example(dot)com>
> wrote:
>
>>
>> How would I change the '42' value to a string value based upon the value
>> retrieved from using $_GET('number')?
>>
>>
>> <?php
>> $result = mysql_query("SELECT id,email FROM people WHERE id = '42'");
>> if (!$result) {
>> echo 'Could not run query: ' . mysql_error();
>> exit;
>> }
>> $row = mysql_fetch_row($result);
>>
>> echo $row[0]; // 42
>> echo $row[1]; // the email value
>> ?>
>
> Your question is a little confusing. It sounds like you are GETting an
> integer and want to use it in the mysql query there the id is stored
> as a string in the database.
>
> $number = $_GET['number'];
> $result = mysql_query("select id, email from people where id='$number'
> ";
>
> But I also wonder why your id numbers in the database are stored as
> strings and not as integer primary keys (which they seem to be).
>
>

I am no expert here but in my experience $_GET holds a string from the
URI query no matter the value.

And the MySQL results will return a string as well whether it is as an
integer or string.

I would double check that in the mysql ng.
Re: fetch items from a row [message #181293 is a reply to message #181291] Fri, 03 May 2013 17:38 Go to previous messageGo to next message
Lew Pitcher is currently offline  Lew Pitcher
Messages: 60
Registered: April 2013
Karma: 0
Member
add to buddy list
ignore all messages by this user
On Friday 03 May 2013 17:00, in comp.lang.php, richard(at)yatesguitar(dot)com
wrote:

> On Fri, 3 May 2013 15:55:58 -0400, richard <noreply(at)example(dot)com>
> wrote:
>
>>
>> How would I change the '42' value to a string value based upon the value
>> retrieved from using $_GET('number')?
>>
>>
>> <?php
>> $result = mysql_query("SELECT id,email FROM people WHERE id = '42'");
>> if (!$result) {
>> echo 'Could not run query: ' . mysql_error();
>> exit;
>> }
>> $row = mysql_fetch_row($result);
>>
>> echo $row[0]; // 42
>> echo $row[1]; // the email value
>> ?>
>
> Your question is a little confusing. It sounds like you are GETting an
> integer and want to use it in the mysql query there the id is stored
> as a string in the database.
>
> $number = $_GET['number'];
> $result = mysql_query("select id, email from people where id='$number'
> ";

Have you met little Bobby Tables (http://xkcd.com/327/) ?

The PHP documentation webpages have a slightly better suggestion for this
sort of query...

From http://www.php.net/manual/en/function.mysql-query.php
// Formulate Query
// This is the best way to perform an SQL query
// For more examples, see mysql_real_escape_string()
$query = sprintf("SELECT firstname, lastname, address, age FROM friends
WHERE firstname='%s' AND lastname='%s'",
mysql_real_escape_string($firstname),
mysql_real_escape_string($lastname));

// Perform Query
$result = mysql_query($query);


--
Lew Pitcher
"In Skills, We Trust"
Re: fetch items from a row [message #181294 is a reply to message #181293] Fri, 03 May 2013 18:15 Go to previous messageGo to next message
Richard Yates is currently offline  Richard Yates
Messages: 86
Registered: September 2013
Karma: 0
Member
add to buddy list
ignore all messages by this user
On Fri, 03 May 2013 17:38:08 -0400, Lew Pitcher
<lpitcher(at)teksavvy(dot)com> wrote:

> On Friday 03 May 2013 17:00, in comp.lang.php, richard(at)yatesguitar(dot)com
> wrote:
>
>> On Fri, 3 May 2013 15:55:58 -0400, richard <noreply(at)example(dot)com>
>> wrote:
>>
>>>
>>> How would I change the '42' value to a string value based upon the value
>>> retrieved from using $_GET('number')?
>>>
>>>
>>> <?php
>>> $result = mysql_query("SELECT id,email FROM people WHERE id = '42'");
>>> if (!$result) {
>>> echo 'Could not run query: ' . mysql_error();
>>> exit;
>>> }
>>> $row = mysql_fetch_row($result);
>>>
>>> echo $row[0]; // 42
>>> echo $row[1]; // the email value
>>> ?>
>>
>> Your question is a little confusing. It sounds like you are GETting an
>> integer and want to use it in the mysql query there the id is stored
>> as a string in the database.
>>
>> $number = $_GET['number'];
>> $result = mysql_query("select id, email from people where id='$number'
>> ";
>
> Have you met little Bobby Tables (http://xkcd.com/327/) ?
>
> The PHP documentation webpages have a slightly better suggestion for this
> sort of query...
>
> From http://www.php.net/manual/en/function.mysql-query.php
> // Formulate Query
> // This is the best way to perform an SQL query
> // For more examples, see mysql_real_escape_string()
> $query = sprintf("SELECT firstname, lastname, address, age FROM friends
> WHERE firstname='%s' AND lastname='%s'",
> mysql_real_escape_string($firstname),
> mysql_real_escape_string($lastname));
>
> // Perform Query
> $result = mysql_query($query);

Yes, I know about BQ. And yes, certainly, if I were doing it, the
input would be validated, etc. But, the poster is clearly struggling
with the simplest elements of php/mysql and, to learn that part,
needed only the simplest answer to his question.
Re: fetch items from a row [message #181302 is a reply to message #181294] Sat, 04 May 2013 05:56 Go to previous messageGo to next message
SwissCheese is currently offline  SwissCheese
Messages: 17
Registered: December 2012
Karma: 0
Junior Member
add to buddy list
ignore all messages by this user
On 05/03/2013 06:15 PM, Richard Yates wrote:
> On Fri, 03 May 2013 17:38:08 -0400, Lew Pitcher
> <lpitcher(at)teksavvy(dot)com> wrote:
>
>> On Friday 03 May 2013 17:00, in comp.lang.php, richard(at)yatesguitar(dot)com
>> wrote:
>>
>>> On Fri, 3 May 2013 15:55:58 -0400, richard <noreply(at)example(dot)com>
>>> wrote:
>>>
>>>>
>>>> How would I change the '42' value to a string value based upon the value
>>>> retrieved from using $_GET('number')?
>>>>
>>>>
>>>> <?php
>>>> $result = mysql_query("SELECT id,email FROM people WHERE id = '42'");
>>>> if (!$result) {
>>>> echo 'Could not run query: ' . mysql_error();
>>>> exit;
>>>> }
>>>> $row = mysql_fetch_row($result);
>>>>
>>>> echo $row[0]; // 42
>>>> echo $row[1]; // the email value
>>>> ?>
>>>
>>> Your question is a little confusing. It sounds like you are GETting an
>>> integer and want to use it in the mysql query there the id is stored
>>> as a string in the database.
>>>
>>> $number = $_GET['number'];
>>> $result = mysql_query("select id, email from people where id='$number'
>>> ";
>>
>> Have you met little Bobby Tables (http://xkcd.com/327/) ?
>>
>> The PHP documentation webpages have a slightly better suggestion for this
>> sort of query...
>>
>> From http://www.php.net/manual/en/function.mysql-query.php
>> // Formulate Query
>> // This is the best way to perform an SQL query
>> // For more examples, see mysql_real_escape_string()
>> $query = sprintf("SELECT firstname, lastname, address, age FROM friends
>> WHERE firstname='%s' AND lastname='%s'",
>> mysql_real_escape_string($firstname),
>> mysql_real_escape_string($lastname));
>>
>> // Perform Query
>> $result = mysql_query($query);
>
> Yes, I know about BQ. And yes, certainly, if I were doing it, the
> input would be validated, etc. But, the poster is clearly struggling
> with the simplest elements of php/mysql and, to learn that part,
> needed only the simplest answer to his question.
>

Not only that but last time I checked, PHP/MySQL still doesn't allow
multi-statement queries.

--
Norman
Registered Linux user #461062
-Have you been to www.php.net yet?-
Re: fetch items from a row [message #181303 is a reply to message #181287] Sat, 04 May 2013 06:05 Go to previous messageGo to next message
The Natural Philosoph is currently offline  The Natural Philosoph
Messages: 993
Registered: September 2010
Karma: 0
Senior Member
add to buddy list
ignore all messages by this user
On 03/05/13 20:55, richard wrote:
> How would I change the '42' value to a string value based upon the value
> retrieved from using $_GET('number')?

$_GET['number'] IIRC...
>
> <?php
> $result = mysql_query("SELECT id,email FROM people WHERE id = '42'");
> if (!$result) {
> echo 'Could not run query: ' . mysql_error();
> exit;
> }
> $row = mysql_fetch_row($result);
>
> echo $row[0]; // 42
> echo $row[1]; // the email value
> ?>

$result = mysql_query("SELECT id,email FROM people WHERE id = '<?echo $_GET['number']?>'");

with usual caveats about SQL injection etc.

I tend to use - sprintf as in

$query=sprintf("SELECT id,email FROM people WHERE id = '%d'"
,$_GET['number'])

$result = mysql_query($query);

to make sure what's in there is only a decimal number.




-- Ineptocracy (in-ep-toc’-ra-cy) – a system of government where the
least capable to lead are elected by the least capable of producing, and
where the members of society least likely to sustain themselves or
succeed, are rewarded with goods and services paid for by the
confiscated wealth of a diminishing number of producers.
Re: fetch items from a row [message #181304 is a reply to message #181291] Sat, 04 May 2013 06:06 Go to previous messageGo to next message
The Natural Philosoph is currently offline  The Natural Philosoph
Messages: 993
Registered: September 2010
Karma: 0
Senior Member
add to buddy list
ignore all messages by this user
On 03/05/13 22:00, Richard Yates wrote:
> On Fri, 3 May 2013 15:55:58 -0400, richard <noreply(at)example(dot)com>
> wrote:
>
>> How would I change the '42' value to a string value based upon the value
>> retrieved from using $_GET('number')?
>>
>>
>> <?php
>> $result = mysql_query("SELECT id,email FROM people WHERE id = '42'");
>> if (!$result) {
>> echo 'Could not run query: ' . mysql_error();
>> exit;
>> }
>> $row = mysql_fetch_row($result);
>>
>> echo $row[0]; // 42
>> echo $row[1]; // the email value
>> ?>
> Your question is a little confusing. It sounds like you are GETting an
> integer and want to use it in the mysql query there the id is stored
> as a string in the database.
>
> $number = $_GET['number'];
> $result = mysql_query("select id, email from people where id='$number'
> ";
>
> But I also wonder why your id numbers in the database are stored as
> strings and not as integer primary keys (which they seem to be).
>
>
It makes no difference. SQL appears to work with either syntax on a
numeric field.


--
Ineptocracy

(in-ep-toc’-ra-cy) – a system of government where the least capable to lead are elected by the least capable of producing, and where the members of society least likely to sustain themselves or succeed, are rewarded with goods and services paid for by the confiscated wealth of a diminishing number of producers.
Re: fetch items from a row [message #181305 is a reply to message #181302] Sat, 04 May 2013 06:08 Go to previous messageGo to next message
The Natural Philosoph is currently offline  The Natural Philosoph
Messages: 993
Registered: September 2010
Karma: 0
Senior Member
add to buddy list
ignore all messages by this user
On 04/05/13 10:56, SwissCheese wrote:
> On 05/03/2013 06:15 PM, Richard Yates wrote:
>> On Fri, 03 May 2013 17:38:08 -0400, Lew Pitcher
>> <lpitcher(at)teksavvy(dot)com> wrote:
>>
>>> On Friday 03 May 2013 17:00, in comp.lang.php, richard(at)yatesguitar(dot)com
>>> wrote:
>>>
>>>> On Fri, 3 May 2013 15:55:58 -0400, richard <noreply(at)example(dot)com>
>>>> wrote:
>>>>
>>>> >
>>>> > How would I change the '42' value to a string value based upon the
>>>> > value
>>>> > retrieved from using $_GET('number')?
>>>> >
>>>> >
>>>> > <?php
>>>> > $result = mysql_query("SELECT id,email FROM people WHERE id = '42'");
>>>> > if (!$result) {
>>>> > echo 'Could not run query: ' . mysql_error();
>>>> > exit;
>>>> > }
>>>> > $row = mysql_fetch_row($result);
>>>> >
>>>> > echo $row[0]; // 42
>>>> > echo $row[1]; // the email value
>>>> > ?>
>>>>
>>>> Your question is a little confusing. It sounds like you are GETting an
>>>> integer and want to use it in the mysql query there the id is stored
>>>> as a string in the database.
>>>>
>>>> $number = $_GET['number'];
>>>> $result = mysql_query("select id, email from people where id='$number'
>>>> ";
>>>
>>> Have you met little Bobby Tables (http://xkcd.com/327/) ?
>>>
>>> The PHP documentation webpages have a slightly better suggestion for
>>> this
>>> sort of query...
>>>
>>> From http://www.php.net/manual/en/function.mysql-query.php
>>> // Formulate Query
>>> // This is the best way to perform an SQL query
>>> // For more examples, see mysql_real_escape_string()
>>> $query = sprintf("SELECT firstname, lastname, address, age FROM
>>> friends
>>> WHERE firstname='%s' AND lastname='%s'",
>>> mysql_real_escape_string($firstname),
>>> mysql_real_escape_string($lastname));
>>>
>>> // Perform Query
>>> $result = mysql_query($query);
>>
>> Yes, I know about BQ. And yes, certainly, if I were doing it, the
>> input would be validated, etc. But, the poster is clearly struggling
>> with the simplest elements of php/mysql and, to learn that part,
>> needed only the simplest answer to his question.
>>
>
> Not only that but last time I checked, PHP/MySQL still doesn't allow
> multi-statement queries.
>
well it certainly allows the above.


--
Ineptocracy

(in-ep-toc’-ra-cy) – a system of government where the least capable to lead are elected by the least capable of producing, and where the members of society least likely to sustain themselves or succeed, are rewarded with goods and services paid for by the confiscated wealth of a diminishing number of producers.
Re: fetch items from a row [message #182438 is a reply to message #181289] Sun, 04 August 2013 13:06 Go to previous messageGo to next message
Mladen Gogala is currently offline  Mladen Gogala
Messages: 13
Registered: December 2010
Karma: 0
Junior Member
add to buddy list
ignore all messages by this user
On Fri, 03 May 2013 21:49:52 +0100, Tim Streater wrote:

> More likely:
>
> $result = mysql_query("SELECT id,email FROM people WHERE id = '" .
> $_GET['number'] . "'");

And the code like that is the basis for all SQL injection attacks. It's
so frequent that even comic strips have been written about it:

http://xkcd.com/327/

If you have such code in the client facing application, prepare to meet
little Bobby Tables.


--
Mladen Gogala
The Oracle Whisperer
http://mgogala.byethost5.com
Re: fetch items from a row [message #182442 is a reply to message #182438] Sun, 04 August 2013 13:41 Go to previous messageGo to next message
Tim Streater is currently offline  Tim Streater
Messages: 328
Registered: September 2010
Karma: 0
Senior Member
add to buddy list
ignore all messages by this user
In article <pan(dot)2013(dot)08(dot)04(dot)17(dot)06(dot)01(at)gmail(dot)com>,
Mladen Gogala <gogala(dot)mladen(at)gmail(dot)com> wrote:

> On Fri, 03 May 2013 21:49:52 +0100, Tim Streater wrote:
>
>> More likely:
>>
>> $result = mysql_query("SELECT id,email FROM people WHERE id = '" .
>> $_GET['number'] . "'");
>
> And the code like that is the basis for all SQL injection attacks. It's
> so frequent that even comic strips have been written about it:
>
> http://xkcd.com/327/
>
> If you have such code in the client facing application, prepare to meet
> little Bobby Tables.

I didn't write the above.

--
Tim

"That excessive bail ought not to be required, nor excessive fines imposed,
nor cruel and unusual punishments inflicted" -- Bill of Rights 1689
Re: fetch items from a row [message #182450 is a reply to message #182438] Sun, 04 August 2013 17:27 Go to previous messageGo to next message
The Natural Philosoph is currently offline  The Natural Philosoph
Messages: 993
Registered: September 2010
Karma: 0
Senior Member
add to buddy list
ignore all messages by this user
On 04/08/13 18:06, Mladen Gogala wrote:
> On Fri, 03 May 2013 21:49:52 +0100, Tim Streater wrote:
>
>> More likely:
>>
>> $result = mysql_query("SELECT id,email FROM people WHERE id = '" .
>> $_GET['number'] . "'");
> And the code like that is the basis for all SQL injection attacks. It's
> so frequent that even comic strips have been written about it:
>
> http://xkcd.com/327/
>
> If you have such code in the client facing application, prepare to meet
> little Bobby Tables.
>
>
avoided simply by :

$result = mysql_query(sprintf("SELECT id,email FROM people WHERE id = '%d'",
$_GET['number'] ));

Using sprintf not only makes everything to look reasonable at code
inspection level it self validates stuff that should be a number and
gurantees only a number.

Likewise either escape strings or hexify them.

It isn't rocket science.

--
Ineptocracy

(in-ep-toc’-ra-cy) – a system of government where the least capable to lead are elected by the least capable of producing, and where the members of society least likely to sustain themselves or succeed, are rewarded with goods and services paid for by the confiscated wealth of a diminishing number of producers.
Re: fetch items from a row [message #182451 is a reply to message #182450] Sun, 04 August 2013 18:15 Go to previous messageGo to next message
Tim Streater is currently offline  Tim Streater
Messages: 328
Registered: September 2010
Karma: 0
Senior Member
add to buddy list
ignore all messages by this user
In article <ktmgv5$bra$1(at)news(dot)albasani(dot)net>,
The Natural Philosopher <tnp(at)invalid(dot)invalid> wrote:

> On 04/08/13 18:06, Mladen Gogala wrote:
>> On Fri, 03 May 2013 21:49:52 +0100, Tim Streater wrote:
>>
>>> More likely:
>>>
>>> $result = mysql_query("SELECT id,email FROM people WHERE id = '" .
>>> $_GET['number'] . "'");
>> And the code like that is the basis for all SQL injection attacks. It's
>> so frequent that even comic strips have been written about it:
>>
>> http://xkcd.com/327/
>>
>> If you have such code in the client facing application, prepare to meet
>> little Bobby Tables.
>>
>>
> avoided simply by :
>
> $result = mysql_query(sprintf("SELECT id,email FROM people WHERE id = '%d'",
> $_GET['number'] ));
>
> Using sprintf not only makes everything to look reasonable at code
> inspection level it self validates stuff that should be a number and
> gurantees only a number.
>
> Likewise either escape strings or hexify them.
>
> It isn't rocket science.

Oh yeah, it turns out I did write that. Well duh. Mr Gogala can't have
read the thread, otherwise he would have seen that the point was to find
out WTF richard was babbling about wrt strings. Problems resulting from
lack of code sanitisation are second order at most where he's concerned.

--
Tim

"That excessive bail ought not to be required, nor excessive fines imposed,
nor cruel and unusual punishments inflicted" -- Bill of Rights 1689
Re: fetch items from a row [message #182452 is a reply to message #181287] Sun, 04 August 2013 20:19 Go to previous messageGo to next message
Denis McMahon is currently offline  Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
Senior Member
add to buddy list
ignore all messages by this user
On Fri, 03 May 2013 15:55:58 -0400, richard wrote:

> How would I change the '42' value to a string value based upon the value
> retrieved from using $_GET('number')?

$_GET isn't a function, it's an associative array.

If you're trying to read the "number" parameter of a get request, you use:

$_GET['number'];

or:

$_GET["number"];

The type of brackets is very important, although in this specific case,
the type of quote marks is less important than it is at other times.

> <?php $result = mysql_query("SELECT id,email FROM people WHERE id =
> '42'"); if (!$result) {
> echo 'Could not run query: ' . mysql_error();
> exit;
> }
> $row = mysql_fetch_row($result);
>
> echo $row[0]; // 42 echo $row[1]; // the email value ?>

If you only want the email, only request the email.

If you want to output the email address for a specific id number that
comes from a get request, which I think is what you mean:

<?php

$num = 0;

$if isset( $_GET["number"] ) $num = intval( $_GET["number"] );

$sql = "SELECT email FROM people WHERE id = '{$num}'";

$result = mysql_query( sql );

if ( !$result ) {

echo "mysql query \"{$sql}\" failed with: " . mysql_error() . "\n";

} else {

$rows = mysql_num_rows( $result );

if ( $rows != 1 ) {

echo "Unexpected result from sql query \"{$sql}\", {$rows} rows
returned when 1 row expected!\n";

} else {

$row = mysql_fetch_row($result);

if ( $row ) {

echo "Email address is: {$result[0]}\n";

} else {

echo "No email address found for that ID number\n";

}

}

}

--
Denis McMahon, denismfmcmahon(at)gmail(dot)com
Re: fetch items from a row [message #182456 is a reply to message #182450] Sun, 04 August 2013 22:09 Go to previous message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
add to buddy list
ignore all messages by this user
On 8/4/2013 5:27 PM, The Natural Philosopher wrote:
> On 04/08/13 18:06, Mladen Gogala wrote:
>> On Fri, 03 May 2013 21:49:52 +0100, Tim Streater wrote:
>>
>>> More likely:
>>>
>>> $result = mysql_query("SELECT id,email FROM people WHERE id = '" .
>>> $_GET['number'] . "'");
>> And the code like that is the basis for all SQL injection attacks. It's
>> so frequent that even comic strips have been written about it:
>>
>> http://xkcd.com/327/
>>
>> If you have such code in the client facing application, prepare to meet
>> little Bobby Tables.
>>
>>
> avoided simply by :
>
> $result = mysql_query(sprintf("SELECT id,email FROM people WHERE id =
> '%d'",
> $_GET['number'] ));
>
> Using sprintf not only makes everything to look reasonable at code
> inspection level it self validates stuff that should be a number and
> gurantees only a number.
>
> Likewise either escape strings or hexify them.
>
> It isn't rocket science.
>

Which gives incorrect results if the value isn't an integer. It is much
better to validate the data and, if it is incorrect (i.e. in this case,
not an integer), provide an error message instead of incorrect results.

But then only a programmer would know that.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Quick Reply
Formatting Tools:   
  Switch to threaded view of this topic Create a new topic
Previous Topic: Hopiing for some leads as to what may be wrong in this code
Next Topic: sql order but move some rows bottom
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Wed Oct 18 03:35:15 EDT 2017

Total time taken to generate the page: 0.01007 seconds