Link parameter problem

  • Lennart Anderson

    Link parameter problem

    I want to present a table with main data. Each record will have a field
    acting like a link to a new page with detailed data on the selected record.
    My problem is that I can't get the record-ID parsed into the link parameter.
    Whatever I do will just let my $_GET['id'] give me what is after the
    equal-sign in the link parameter.
    The code is:
    while($row = mysql_fetch_object($result))
    {
    $mid = ($row->catid);
    $name = ($row->catname);
    echo '<tr>';
    echo '<td >' . $mid . '</td>';
    echo '<td>' . '<a href="advertinfo.php?id=$mid"> ' . $name . '</a></td>';
    echo '</tr>';
    }
    echo '</table>';

    In this case the $_GET on advertinfo.php will only give me $mid.
    I think the problem might be in the quotes but I also think I have tested
    every possible combination without success.
    Any solution or hint is very much appreciated.


  • shimmyshack

    #2
    Re: Link parameter problem

    On 21 Mar, 15:24, "Lennart Anderson" <lennart.ander...@tele2.se>
    wrote:
    > I want to present a table with main data. Each record will have a field
    > acting like a link to a new page with detailed data on the selected record.
    > My problem is that I can't get the record-ID parsed into the link parameter.
    > Whatever I do will just let my $_GET['id'] give me what is after the
    > equal-sign in the link parameter.
    > The code is:
    > while($row = mysql_fetch_object($result))
    > {
    > $mid = ($row->catid);
    > $name = ($row->catname);
    > echo '<tr>';
    > echo '<td >' . $mid . '</td>';
    > echo '<td>' . '<a href="advertinfo.php?id=$mid"> ' . $name . '</a></td>';
    > echo '</tr>';
    > }
    > echo '</table>';
    >
    > In this case the $_GET on advertinfo.php will only give me $mid.
    > I think the problem might be in the quotes but I also think I have tested
    > every possible combination without success.
    > Any solution or hint is very much appreciated.

    have you tested this combination?
    $mid = 'test';
    echo '<td><a href="advertinfo.php?id=' . $mid . '">' . $name . '</a></td>';


    • Lennart Anderson

      #3
      Re: Link parameter problem


      "shimmyshack" <matt.farey@gmail.com> wrote in message
      news:1174495509.099426.305700@e65g2000hsc.googlegroups.com...
      > have you tested this combination?
      > $mid = 'test';
      > echo '<td><a href="advertinfo.php?id=' . $mid . '">' . $name . '</a></td>';

      EUREKA
      I have tested your suggestion now and it works.
      Don't know how to thank you.
      Now I can keep some of the hair on my head instead of rubbing it off in deep
      frustration.
      Again thanks for the hint



      • shimmyshack

        #4
        Re: Link parameter problem

        On 21 Mar, 16:54, "Lennart Anderson" <lennart.ander...@tele2.se>
        wrote:
        > EUREKA
        > I have tested your suggestion now and it works.
        > Don't know how to thank you.
        > Now I can keep some of the hair on my head instead of rubbing it off in deep
        > frustration.
        > Again thanks for the hint

        cool, now make sure that you are secure by filtering the data that
        comes from your database,
        so I would actually do this:

        while($row = mysql_fetch_object($result))
        {
        $mid = urlencode($row->catid);
        $name = htmlentities($row->catname);
        echo '<tr>';
        echo '<td >' . $mid . '</td>';
        echo '<td>' . '<a href="advertinfo.php?id=' . $mid . '">' . $name . '</a></td>';
        echo '</tr>';
        }
        echo '</table>';

        unless you use utf-8 as the primary character set in which case use
        htmlentities('string',ENT_QUOTES,'UTF-8');

        It seems weird doesn't it, protecting your application against
        characters from your *own* database, but this is the world we live in.


        • shimmyshack

          #5
          Re: Link parameter problem

          On 21 Mar, 17:17, "shimmyshack" <matt.fa...@gmail.com> wrote:
          > cool, now make sure that you are secure by filtering the data that
          > comes from your database,
          > so I would actually do this:
          >
          > while($row = mysql_fetch_object($result))
          > {
          > $mid = urlencode($row->catid);
          > $name = htmlentities($row->catname);
          > echo '<tr>';
          > echo '<td >' . $mid . '</td>';
          > echo '<td>' . '<a href="advertinfo.php?id=' . $mid . '">' . $name . '</a></td>';
          > echo '</tr>';
          > }
          > echo '</table>';
          >
          > unless you use utf-8 as the primary character set in which case use
          > htmlentities('string',ENT_QUOTES,'UTF-8');
          >
          > It seems weird doesn't it, protecting your application against
          > characters from your *own* database, but this is the world we live in.

          oops! I forgot to filter the id too, you should run it through the
          validator you use when you put it into your query, removing all
          characters that are not numbers, making sure it's a number, and that it
          falls within the limits your database will expect.

          So, as a minimum, before taking characters and inserting them into the
          html markup, you have to make sure that they contain NO html or
          javascript, or if they do that it is inert.

          The use of htmlentities can effectively take any characters that can
          be used to inject fraudulent code into your page and hijack it.

          I suppose you could do
          $mid = htmlentities($row->catid);

          and make sure that you check the $_GET['id'] before you include it in
          the query you run against your table.
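
The advice in posts #4 and #5, put together as an added example that is not part of the thread and not any poster's code: the list page encodes each value for the context it lands in, and the detail page validates `$_GET['id']` as an in-range integer before querying. Assumptions: PHP 8 with pdo_sqlite, PDO prepared statements in place of the `mysql_*` functions (removed in PHP 7), a hypothetical `categories` table, and the helper names `parse_id`, `h`, `render_row`, `fetch_category` and `MAX_ID`.

```php
<?php
declare(strict_types=1);

const MAX_ID = 2147483647; // assumption: catid is a signed 32-bit INT column

/** Return $raw as an int if it is a decimal integer in 1..MAX_ID, else null. */
function parse_id(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => MAX_ID]]);
    return $id === false ? null : $id;
}

/** Escape for HTML element content and quoted attribute values. */
function h(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** List page: build one row, or '' if the stored catid is not a usable id. */
function render_row(object $row): string
{
    $id = parse_id($row->catid);
    if ($id === null) {
        return '';
    }
    // Encode for the URL first, then for the HTML attribute that holds the URL.
    $href = 'advertinfo.php?' . http_build_query(['id' => $id]);
    return '<tr><td>' . $id . '</td><td><a href="' . h($href) . '">'
         . h((string) $row->catname) . '</a></td></tr>';
}

/** advertinfo.php side: check $_GET['id'] before it gets near the query. */
function fetch_category(PDO $db, array $get): ?array
{
    $id = parse_id($get['id'] ?? null);
    if ($id === null) {
        return null; // rejected without touching the database
    }
    $stmt = $db->prepare('SELECT catid, catname FROM categories WHERE catid = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data in an in-memory SQLite table (hypothetical schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (catid INTEGER PRIMARY KEY, catname TEXT)');
$db->prepare('INSERT INTO categories VALUES (?, ?)')
   ->execute([7, 'Cars & <b>Boats</b> "new"']);

foreach ($db->query('SELECT catid, catname FROM categories', PDO::FETCH_OBJ) as $row) {
    echo render_row($row), "\n";   // markup stored in catname is emitted as text
}
var_dump(fetch_category($db, ['id' => '7']));            // well-formed id
var_dump(fetch_category($db, ['id' => '7abc']));         // not a number
var_dump(fetch_category($db, ['id' => '99999999999']));  // outside MAX_ID
```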


          • Lennart Anderson

            #6
            Re: Link parameter problem


            "shimmyshack" <matt.farey@gmail.com> wrote in message
            news:1174497720.594680.242780@b75g2000hsg.googlegroups.com...
            > oops! I forgot to filter the id too, you should run it through the
            > validator you use when you put it into your query, removing all
            > characters that are not numbers, making sure it's a number, and that it
            > falls within the limits your database will expect.
            >
            > So, as a minimum, before taking characters and inserting them into the
            > html markup, you have to make sure that they contain NO html or
            > javascript, or if they do that it is inert.
            >
            > The use of htmlentities can effectively take any characters that can
            > be used to inject fraudulent code into your page and hijack it.
            >
            > I suppose you could do
            > $mid = htmlentities($row->catid);
            >
            > and make sure that you check the $_GET['id'] before you include it in
            > the query you run against your table.

            Thanks.
            Although I'm not yet too experienced in php I think I see what you mean and
            will take this into consideration for my coming work. I'm trying to help my
            daughter with a kind of advertisement and selling place for the Cayman
            Islands.



            • Rami Elomaa

              #7
              Re: Link parameter problem

              Lennart Anderson wrote:
              > I want to present a table with main data. Each record will have a field
              > acting like a link to a new page with detailed data on the selected record.
              > My problem is that I can't get the record-ID parsed into the link parameter.
              > Whatever I do will just let my $_GET['id'] give me what is after the
              > equal-sign in the link parameter.
              > The code is:
              > while($row = mysql_fetch_object($result))
              > {
              > $mid = ($row->catid);
              > $name = ($row->catname);
              > echo '<tr>';
              > echo '<td >' . $mid . '</td>';
              > echo '<td>' . '<a href="advertinfo.php?id=$mid"> ' . $name . '</a></td>';
              > echo '</tr>';
              > }
              > echo '</table>';
              >
              > In this case the $_GET on advertinfo.php will only give me $mid.
              > I think the problem might be in the quotes but I also think I have tested
              > every possible combination without success.
              > Any solution or hint is very much appreciated.

              The difference between ' and " is that php variables inside "" are
              parsed but inside '' they are not. So "$foo" will be parsed as $foo the
              variable, but '$foo' is seen as a literal string, a dollar sign followed
              by the string foo.

              --
              Rami.Elomaa@gmail.com
              "We are on the planet of the apes."


              • Lennart Anderson

                #8
                Re: Link parameter problem


                "Rami Elomaa" <rami.elomaa@gmail.com> wrote in message
                news:etrvf5$fjk$1@nyytiset.pp.htv.fi...
                > The difference between ' and " is that php variables inside "" are parsed
                > but inside '' they are not. So "$foo" will be parsed as $foo the variable,
                > but '$foo' is seen as a literal string, a dollar sign followed by the
                > string foo.
                >
                > --
                > Rami.Elomaa@gmail.com
                > "We are on the planet of the apes."

                Rami
                Thank you
                I thought I knew that but obviously I made a mistake. In such a link there
                are a lot of " and ' together with .-dots. I thought I had tried all
                combinations but ....
                OK, you learn by mistakes, don't you? I am still a newbie.
                Well, now I have got the solution to that problem but I am very convinced
                that I will meet new problems and then it is very good to have found this
                group.

