Trying to make a simple book catalog

  • fishmonger1972@gmail.com

    Trying to make a simple book catalog

    Hi!
    I'm a librarian with a little PHP knowledge.. I'm trying to make a
    catalog from scratch for my library. I don't like the look of the
    current catalog so I'm trying to make a custom PHP/MySQL
    implementation.

    I can do everything I need to do except, I don't completely understand
    a detail. Ideally I could write this:

    <a href="catalogrecord.php?recordnum=4">Tom Sawyer</a>

    The idea would be to pass the number 4 to the catalogrecord.php page
    when the hyperlink is clicked. Then it would know which number in the
    catalog it should pull up and display on the next page. Is this
    possible? And if so, how could I access the recordnum=4 on the next
    php file?

    Will

  • Klarth

    #2
    Re: Trying to make a simple book catalog

    Yes, it is possible. There look for $_GET["recordnum"] in your
    catalogrecord.php script.

    On Feb 21, 10:20 am, fishmonger1...@gmail.com wrote:
    > Hi!
    > I'm a librarian with a little PHP knowledge.. I'm trying to make a
    > catalog from scratch for my library. I don't like the look of the
    > current catalog so I'm trying to make a custom PHP/MySQL
    > implementation.
    >
    > I can do everything I need to do except, I don't completely understand
    > a detail. Ideally I could write this:
    >
    > <a href="catalogrecord.php?recordnum=4">Tom Sawyer</a>
    >
    > The idea would be to pass the number 4 to the catalogrecord.php page
    > when the hyperlink is clicked. Then it would know which number in the
    > catalog it should pull up and display on the next page. Is this
    > possible? And if so, how could I access the recordnum=4 on the next
    > php file?
    >
    > Will


    • Rik

      #3
      Re: Trying to make a simple book catalog

      On Wed, 21 Feb 2007 02:20:49 +0100, <fishmonger1972@gmail.com> wrote:
      > Hi!
      > I'm a librarian with a little PHP knowledge.. I'm trying to make a
      > catalog from scratch for my library. I don't like the look of the
      > current catalog so I'm trying to make a custom PHP/MySQL
      > implementation.
      >
      > I can do everything I need to do except, I don't completely understand
      > a detail. Ideally I could write this:
      >
      > <a href="catalogrecord.php?recordnum=4">Tom Sawyer</a>
      >
      > The idea would be to pass the number 4 to the catalogrecord.php page
      > when the hyperlink is clicked. Then it would know which number in the
      > catalog it should pull up and display on the next page. Is this
      > possible? And if so, how could I access the recordnum=4 on the next
      > php file?

      The question is a bit vague, but to get you started:

      You say MySQL, so I assume that number 4 is an index in the database where
      the records are stored? A list of links could be made by:

      <?php
      mysql_connect('hostname','username','password'); // of your MySQL db
      mysql_select_db('catalogue');
      $books = mysql_query('SELECT `id`, `name` FROM `book`');
      while($book = mysql_fetch_assoc($books)){
          print '<a href="catalogrecord.php?recordnum='.$book['id'].'">'.$book['name'].'</a><br>';
      }
      ?>

      And the receiving script would do something like this:

      <?php
      $book_id = intval($_GET['recordnum']);
      mysql_connect('hostname','username','password'); // of your MySQL db
      mysql_select_db('catalogue');
      $bookresult = mysql_query('SELECT * FROM `book` WHERE `id` = '.$book_id);
      if(mysql_num_rows($bookresult) > 0){
          $book = mysql_fetch_assoc($bookresult);
          foreach($book as $key => $value){
              print $key.':'.$value.'<br>';
          }
      } else {
          echo 'Book not found in database.';
      }
      ?>

      --
      Rik Wasmus


      • Richard

        #4
        Re: Trying to make a simple book catalog

        "Klarth" <kah.goh@gmail.com> writes:
        > Yes, it is possible. There look for $_GET["recordnum"] in your
        > catalogrecord.php script.
        Could someone explain to a noob the use of _get here and why not _post?


        • Jerry Stuckle

          #5
          Re: Trying to make a simple book catalog

          Richard wrote:
          > "Klarth" <kah.goh@gmail.com> writes:
          >
          >> Yes, it is possible. There look for $_GET["recordnum"] in your
          >> catalogrecord.php script.
          >
          > Could someone explain to a noob the use of _get here and why not _post?
          Because he's passing it as part of the URL, so it's a GET request. A
          POST request would come from a form with method=post.

          --
          ==================
          Remove the "x" from my email address
          Jerry Stuckle
          JDS Computer Training Corp.
          jstucklex@attglobal.net
          ==================


          • Jerry Stuckle

            #6
            Re: Trying to make a simple book catalog

            Richard wrote:
            > "Klarth" <kah.goh@gmail.com> writes:
            >
            >> Yes, it is possible. There look for $_GET["recordnum"] in your
            >> catalogrecord.php script.
            >
            > Could someone explain to a noob the use of _get here and why not _post?
            Oops - pressed send too quickly.

            When the POST method is used, the parameters are not passed in the link
            as part of the query string; rather they are passed by the browser out
            of sight of the user.

            --
            ==================
            Remove the "x" from my email address
            Jerry Stuckle
            JDS Computer Training Corp.
            jstucklex@attglobal.net
            ==================


            • Rik

              #7
              Re: Trying to make a simple book catalog

              On Wed, 21 Feb 2007 03:59:56 +0100, Jerry Stuckle
              <jstucklex@attglobal.net> wrote:
              > Richard wrote:
              >> "Klarth" <kah.goh@gmail.com> writes:
              >>>
              >>> Yes, it is possible. There look for $_GET["recordnum"] in your
              >>> catalogrecord.php script.
              >> Could someone explain to a noob the use of _get here and why not _post?
              >
              > Oops - pressed send too quickly.
              >
              > When the POST method is used, the parameters are not passed in the link
              > as part of the query string; rather they are passed by the browser out
              > of sight of the user.
              Which on an 'open' site (this particular project seems to be local) would
              have the advantage of being both bookmarkable (hmmmz, something doesn't
              feel right about that word) and indexable by a search-engine.

              --
              Rik Wasmus


              • Jerry Stuckle

                #8
                Re: Trying to make a simple book catalog

                Rik wrote:
                > On Wed, 21 Feb 2007 03:59:56 +0100, Jerry Stuckle
                > <jstucklex@attglobal.net> wrote:
                >
                >> Richard wrote:
                >>> "Klarth" <kah.goh@gmail.com> writes:
                >>>>
                >>>> Yes, it is possible. There look for $_GET["recordnum"] in your
                >>>> catalogrecord.php script.
                >>> Could someone explain to a noob the use of _get here and why not _post?
                >>
                >> Oops - pressed send too quickly.
                >>
                >> When the POST method is used, the parameters are not passed in the
                >> link as part of the query string; rather they are passed by the
                >> browser out of sight of the user.
                >
                > Which on an 'open' site (this particular project seems to be local)
                > would have the advantage of being both bookmarkable (hmmmz, something
                > doesn't feel right about that word) and indexable by a search-engine.
                >
                > --Rik Wasmus
                Groan, Rik - was that on purpose? :-)

                --
                ==================
                Remove the "x" from my email address
                Jerry Stuckle
                JDS Computer Training Corp.
                jstucklex@attglobal.net
                ==================


                • Peter Fox

                  #9
                  Re: Trying to make a simple book catalog

                  > And the receiving script would do something like this:
                  >
                  > <?php
                  > $book_id = intval($_GET['recordnum']);
                  > mysql_connect('hostname','username','password'); // of your MySQL db
                  > mysql_select_db('catalogue');
                  > $bookresult = mysql_query('SELECT * FROM `book` WHERE `id` = '.$book_id);
                  > if(mysql_num_rows($bookresult) > 0){
                  >     $book = mysql_fetch_assoc($bookresult);
                  >     foreach($book as $key => $value){
                  >         print $key.':'.$value.'<br>';
                  >     }
                  > } else {
                  >     echo 'Book not found in database.';
                  > }
                  > ?>

                  Ask why
                  $book_id = intval($_GET['recordnum']);
                  is used early on in the script and is it there just to 'keep things
                  tidy'? What naughty things could happen if it was just
                  $book_id = $_GET['recordnum'];

                  Supplementary question: What would you do here if you were getting a
                  string instead of a number to use in your SQL?

                  Another supplementary question: Why would it be a _bad_ idea to 'be
                  helpful' with the 'not found' message by echoing back the input as
                  follows:
                  $recno = $_GET['recordnum'];
                  print("Sorry we could not find your request for $recno");


                  --
                  PETER FOX Not the same since the submarine business went under
                  peterfox@eminent.demon.co.uk.not.this.bit.no.html
                  2 Tees Close, Witham, Essex.
                  Gravity beer in Essex <http://www.eminent.demon.co.uk>


                  • Rik

                    #10
                    Re: Trying to make a simple book catalog

                    Peter Fox <peterfox@eminent.demon.co.uk.not.this.bit.no.html> wrote:
                    >> And the receiving script would do something like this:
                    >>
                    >> <?php
                    >> $book_id = intval($_GET['recordnum']);
                    >> $bookresult = mysql_query('SELECT * FROM `book` WHERE `id` = '.$book_id);
                    >> if(mysql_num_rows($bookresult) > 0){
                    >>     $book = mysql_fetch_assoc($bookresult);
                    >>     //
                    >>     }
                    >> } else {
                    >>     echo 'Book not found in database.';
                    >> }
                    >> ?>
                    >
                    > Ask why
                    > $book_id = intval($_GET['recordnum']);
                    > is used early on in the script and is it there just to 'keep things
                    > tidy'? What naughty things could happen if it was just
                    > $book_id = $_GET['recordnum'];

                    Google SQL injection.

                    > Supplementary question: What would you do here if you were getting a
                    > string instead of a number to use in your SQL?

                    If possible prepared statements, else mysql_real_escape_string();

                    > Another supplementary question: Why would it be a _bad_ idea to 'be
                    > helpful' with the 'not found' message by echoing back the input as
                    > follows:
                    > $recno = $_GET['recordnum'];
                    > print("Sorry we could not find your request for $recno");

                    Because it could contain evil code. I think you know the answers to these
                    already :P. It's far beyond the scope of the question to go in great
                    detail about security and database handling, as it was local, I was only
                    offering a starting point.


                    --
                    Rik Wasmus
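
An added example, not part of Rik's post or the thread: the three answers above (validate the numeric id, bind string values through a prepared statement, escape anything echoed back) in one PHP script. It uses PDO with an in-memory SQLite database and constructed sample rows so that it runs stand-alone (an assumption; the thread uses MySQL, where only the DSN would differ), and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for the thread's `book` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE book (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO book (id, name) VALUES (4, 'Tom Sawyer'), (5, 'Huckleberry Finn')");

// Escape a value for HTML output so markup in it is displayed, not interpreted.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Numeric key: accept only decimal digits, then bind the value as an integer.
function find_by_id(PDO $db, string $raw): ?array {
    if (!ctype_digit($raw)) {
        return null; // "4 OR 1=1" is rejected here, where intval() would yield 4
    }
    $stmt = $db->prepare('SELECT id, name FROM book WHERE id = :id');
    $stmt->bindValue(':id', (int) $raw, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// String key: the value travels as a bound parameter, never inside the SQL text.
function find_by_name(PDO $db, string $name): ?array {
    $stmt = $db->prepare('SELECT id, name FROM book WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Render a record, or a not-found message that echoes the input only after escaping.
function render(?array $book, string $requested): string {
    if ($book === null) {
        return 'Sorry, we could not find your request for ' . h($requested);
    }
    return h((string) $book['id']) . ': ' . h((string) $book['name']);
}

// Constructed inputs, as they would arrive in $_GET['recordnum'] or a title search.
foreach (['4', '4 OR 1=1', '<b>x</b>'] as $raw) {
    echo render(find_by_id($db, $raw), $raw), "\n";
}
$title = "x' OR '1'='1";
echo render(find_by_name($db, $title), $title), "\n";
```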


                    • Rik

                      #11
                      Re: Trying to make a simple book catalog

                      Hmmmz, it was indeed very late, because this was still in the outbox this
                      morning:

                      Jerry Stuckle <jstucklex@attglobal.net> wrote:
                      > Rik wrote:
                      >>> When the POST method is used, the parameters are not passed in the
                      >>> link as part of the query string; rather they are passed by the
                      >>> browser out of sight of the user.
                      >>
                      >> Which on an 'open' site (this particular project seems to be local)
                      >> would have the advantage of being both bookmarkable (hmmmz, something
                      >> doesn't feel right about that word) and indexable by a search-engine.
                      >
                      > Groan, Rik - was that on purpose? :-)

                      Hmmmz, it's very, very late. I'd swear I was typing something about GET
                      before it.... Of course the advantages I mentioned are of a GET request :P.

                      Off to bed now, before I squander my credibility any further...
                      --
                      Rik Wasmus


                      • Peter Fox

                        #12
                        Re: Trying to make a simple book catalog

                        Following on from Rik's message. . .
                        >
                        > Because it could contain evil code. I think you know the answers to these
                        > already :P. It's far beyond the scope of the question to go in great
                        > detail about security and database handling, as it was local, I was only
                        > offering a starting point.

                        Sorry Rik I didn't mean to question your code, in fact the very opposite
                        - A very good starting point it is too. An excellent and concise
                        starting point for three important questions everyone should know the
                        answers to.

                        --
                        PETER FOX Not the same since the submarine business went under
                        peterfox@eminent.demon.co.uk.not.this.bit.no.html
                        2 Tees Close, Witham, Essex.
                        Gravity beer in Essex <http://www.eminent.demon.co.uk>
