The $_GET variable


I am trying to get values from firstpage.php and send them to secondpage.php. This is what I have figured out, and I am wondering if it is the correct way to do it. Thanks.

firstpage.php

<?php
// Connects to the database.
$con = mysql_connect("localhost","blank","blank") or die (mysql_error());
$db = mysql_select_db("wsdatabase") or die (mysql_error());
// Selects usernames from the users table.
$sql = "select username from users";
$query = mysql_query($sql);
// Lists every name in the table with a link going to secondpage.php.
while($row = mysql_fetch_array($query)) {
    printf("<a href='secondpage.php?username=%s'>%s</a>"."<br/>",$row['username'],$row['username']);
}
?>

secondpage.php

<?php
// Grabs the username with the get method.
if(isset($_GET['username'])) {
    $username = $_GET['username'];
}
// Connects to the database.
$con = mysql_connect("localhost","blank","blank") or die (mysql_error());
$db = mysql_select_db("wsdatabase") or die (mysql_error());
// Selects everything from the database.
$sql = "select * from users where username = '$username' ";
$query = mysql_query($sql);
// Prints everything out from the database.
while($row = mysql_fetch_array($query)) {
    echo "<b>".$row['title']."</b>";
    echo "<br/>";
    echo "<b>".$row['username']."</b>";
    echo "<br/>";
    echo "<b>".$row['email']."</b>";
}
?>

teammatt3

On firstpage.php, everything looks ok. But depending on what you allow for a username, you may want to urlencode the username inside the a tag. For example:

<?php
printf("<a href='secondpage.php?username=%s'>%s</a>"."<br/>",urlencode($row['username']),$row['username']);
?>

If your username had an =, &, or other special characters, it might screw something up.

On your secondpage.php, you would need to decode the username (that you previously encoded). But you also have a SQL injection vulnerability. You need to sanitize your input using mysql_real_escape_string() before passing parameters into a query. But you can't use it until you have a connection to the database set up, so you need to reorder your code:

<?php
// Connects to the database - must do this before calling mysql_real_escape_string()
$con = mysql_connect("localhost","blank","blank") or die (mysql_error());
$db = mysql_select_db("wsdatabase") or die (mysql_error());

// Grabs the username with the get method.
if(isset($_GET['username'])) {
    $username = urldecode($_GET['username']);
    $username = mysql_real_escape_string($username); // escape dangerous characters
}
?>

greg

Are you having problems with it? Errors? Or just wanting to know best procedure?

At a "quick" glance it looks ok for functionality, but doesn't have any security or validation checking.

You DO need a minimum of mysql_real_escape_string() before using any vars on a query:

<?php
$username = mysql_real_escape_string($username); //<-- This before the following query
$sql = "select * from users where username = '$username' ";
?>

And if names are only EVER alphanumeric you could perhaps check this too:

<?php
if (ereg('[^a-zA-Z0-9]', $username)) {
    exit('Bad username');
}
?>

That checks if the string ($username) has anything in it other than alphanumeric. The exit() will halt the script and output the text.
You likely want to do something other than exit, but certainly if the data is not what you expected then DON'T run the QUERY.

Even if it's not publicly available, you might one day enter bad data yourself, bad data/error on the first page (etc).

That won't exit if the string ($username) is empty/null, so you probably want to check for that as well and output a different response, and again, don't run the query if empty.

Also, is this publicly available?
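Added example, not part of any post above and not the posters' code: the secondpage.php logic with the checks discussed in the thread (empty check, alphanumeric allow-list) plus a bound query parameter and output escaping. It assumes PDO with an in-memory SQLite database so it runs without a MySQL server; `find_user`, `handle_request`, the sample rows and the response messages are hypothetical names and constructed data.

```php
<?php
// Added example: hardened secondpage.php logic. Uses PDO with an in-memory
// SQLite database (assumption) so it runs without a MySQL server.

// Constructed sample data standing in for the thread's `users` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (title TEXT, username TEXT, email TEXT)");
$pdo->exec("INSERT INTO users VALUES ('Mr', 'alice', 'alice@example.com'),
                                     ('Ms', 'bob42', 'bob42@example.com')");

// Bound parameter: the value travels separately from the SQL text, so quotes
// in it cannot change the statement.
function find_user(PDO $pdo, string $username): array {
    $stmt = $pdo->prepare('SELECT title, username, email FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Validate first, and query only when the input looks like what we expect.
// $_GET values arrive already URL-decoded, so there is no urldecode() here.
function handle_request(PDO $pdo, array $get): string {
    $username = $get['username'] ?? '';
    if (!is_string($username) || $username === '') {
        return 'No username given';
    }
    if (!ctype_alnum($username)) {          // alphanumeric-only rule from the thread
        return 'Bad username';
    }
    $html = '';
    foreach (find_user($pdo, $username) as $row) {
        // Escape on output so stored values cannot inject markup.
        foreach (['title', 'username', 'email'] as $col) {
            $html .= '<b>' . htmlspecialchars($row[$col], ENT_QUOTES, 'UTF-8') . '</b><br/>';
        }
    }
    return $html === '' ? 'No such user' : $html;
}

// Constructed requests: a valid name, a missing name, and a name with quotes.
$quoted = "x' OR '1'='1";
echo handle_request($pdo, ['username' => 'alice']), "\n";
echo handle_request($pdo, []), "\n";
echo handle_request($pdo, ['username' => $quoted]), "\n";
// Even without the allow-list, the bound query treats the quotes as data.
echo count(find_user($pdo, $quoted)), " row(s) for the quoted input\n";
```

With MySQL the same pattern applies through PDO's mysql driver or mysqli prepared statements; only the connection line changes.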
