Can someone point me in the right direction? What I am trying to do is use the result set that I have from a PHP query to a MySQL table. I would like to be able to individually select a record from a query result that returns multiple records. I have the code and queries done already, I just don't know how to select a record using a unique id from the listed results. Is there a way to make each row that is returned linkable, so that if it is clicked it can return the individual record? I am new at PHP, so please be easy on me... Thanks in advance.

All 9 Replies

This may not be the right answer, but I would think that you could make a form in a foreach statement and have the button text populated by the unique id and also create the query. I'm thinking like

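<?php
// Connect and list every unique id as a submit button
$link = mysql_connect(host, username, pass);
mysql_select_db('my_database');
$query = 'SELECT `uniqueid` FROM `table`';
$result = mysql_query($query);
echo "<table>\n";
// MYSQL_ASSOC returns each column once (the default returns it twice)
while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) {
    echo "\t<tr>\n";
    foreach ($line as $value) {
        // The hidden field carries the follow-up query text for mysqluser2.php
        $sql = "SELECT `uniqueid` FROM `table` WHERE `uniqueid` = '" . $value . "'";
        echo "\t\t<td><form action=\"mysqluser2.php\" method=\"post\">\n";
        echo "\t\t<input name=\"user\" type=\"hidden\" id=\"user\" value=\"" . htmlspecialchars($sql) . "\">\n";
        echo "\t\t<input type=\"submit\" value=\"" . htmlspecialchars($value) . "\"/>\n";
        echo "\t\t</form></td>\n";
    }
    echo "\t</tr>\n";
}
echo "</table>\n";
mysql_free_result($result);
mysql_close($link);
?>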

and then mysqluser2.php would be

<?php
if (empty($_POST['user'])) {
    echo "error";
} else {
    $link = mysql_connect(host, username, pass);
    mysql_select_db('my_database');
    // Runs the SQL text received in the posted 'user' field as-is
    $result = mysql_query($_POST['user']);
    echo "<table>\n";
    while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) {
        echo "\t<tr>\n";
        foreach ($line as $value) {
            echo "\t\t<td>$value</td>\n";
        }
        echo "\t</tr>\n";
    }
    echo "</table>\n";
    mysql_free_result($result);
    mysql_close($link);
}
?>

This is really sloppy and you will have to experiment with it to get it to work for you. I am still a little green to PHP. Check out http://www.php.net/manual/en/tutorial.forms.php#76795 in the notes.

This is the absolute simplest way to do it. You'll have to take measures to prevent sql injection and implement other security features.
Place a link on the returned result like this:

echo "<a href='whatever.php?name=$name'>$name</a>";

It would look something like:
Bill
Bob
Sue
Obviously, you'll have to replace whatever.com and whatever.php with the appropriate domain and file.
Then at the beginning of whatever.php, pull the name variable from the querystring using GET or REQUEST:

$name=$_GET['name'];

Now do the query using the variable from the querystring:

$sql="SELECT * FROM tablename WHERE name='$name'";

Thanks, I'll give them a try...

Whatever you do, be sure you escape the result if you use it directly in a MySQL query. You don't want to be the victim of SQL injection.

I thought a mysql injection would only be possible when inserting or updating data.

Suppose your HTML form has the user select a name from a list, and the SUBMIT button sends that name to the server, in the form:
http://www.sample.com/mysql-query.php?user=SUE

Suppose the php program executes the following code:
$user = $_GET['user'];
$query = "SELECT * FROM users WHERE user='$user'";
...

A miscreant could use the following URL:
http://www.sample.com/mysql-query.php?user=SUE';UPDATE users SET user='DUMBO' WHERE user LIKE '%
and the resulting SQL command would be:
$query = "SELECT * FROM users WHERE user='SUE';UPDATE users SET user='DUMBO' WHERE user LIKE '%'";

If the PHP script does not escape the apostrophes and other special characters, all user names could be changed to DUMBO.

Or, how about:
http://www.sample.com/mysql-query.php?user=SUE';DELETE FROM users WHERE user LIKE '%
maybe resulting in the miscreant deleting the entire content of your users table.

It might not happen instantly, but miscreants are persistent louts. They keep sucking until they succeed. Then they start somewhere else.

This is true. There are losers, or more kindly referred to by fest3er as miscreants, with nothing better to do than to try to hack your db. It's sometimes called query stacking. Anytime the query depends on or can be manipulated by the user's input, injection is possible and must be checked thoroughly. But you have to walk before you crawl. PHP noobs learn how to make the script work long before they learn how to make it secure. SQL injection is not hard to prevent but if the site is still in development, who cares? Make it work, then fix security issues, then implement the system and let the user add data. Your goal should be to make it work and to understand why it works. Post questions and learn. Take small steps. You can't learn everything at once. Just don't let users add sensitive data until it has been tested to be safe.

Would this be true with Post too?

Yep. With $_POST, $_REQUEST and $_GET. You should escape all the special characters by using addslashes/mysql_real_escape_string.
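
An added example, not code from any poster in this thread: the thread's SELECT lookup built by concatenation and with a bound parameter, plus the linkable rows from the original question keyed by a numeric id. It uses PDO prepared statements rather than the escaping functions named above, and an in-memory SQLite table with constructed rows so it runs without a MySQL server; the `id` column and the function names are assumptions.

```php
<?php
// Added example: constructed rows in an in-memory SQLite database via PDO.
// Table and column names follow the thread; the id column is an assumption.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, join_date TEXT)");
$pdo->exec("INSERT INTO users (user, join_date) VALUES
    ('Bill', '2008-01-05'), ('Bob', '2008-02-11'), ('Sue', '2008-03-20')");

// Stand-in for $_GET['user']: the quote ends the string literal early.
$input = "Sue' OR '1'='1";

// Concatenation, as in the thread: the input becomes part of the SQL text.
function find_concatenated(PDO $pdo, $user) {
    $sql = "SELECT user, join_date FROM users WHERE user='$user'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the input is bound as data and never parsed as SQL.
function find_bound(PDO $pdo, $user) {
    $stmt = $pdo->prepare("SELECT user, join_date FROM users WHERE user = ?");
    $stmt->execute(array($user));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Link for one listed row: numeric id in the URL, HTML-encoded label.
function row_link(array $row) {
    return '<a href="whatever.php?id=' . (int)$row['id'] . '">'
         . htmlspecialchars($row['user'], ENT_QUOTES, 'UTF-8') . '</a>';
}

// Detail lookup: accept only an integer id, then bind it.
function find_by_id(PDO $pdo, $rawId) {
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null; // reject anything that is not an integer
    }
    $stmt = $pdo->prepare("SELECT user, join_date FROM users WHERE id = ?");
    $stmt->execute(array($id));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

echo count(find_concatenated($pdo, $input)), " rows from the concatenated SELECT\n";
echo count(find_bound($pdo, $input)), " rows from the bound SELECT\n";
echo row_link(array('id' => 3, 'user' => 'Sue')), "\n";
var_dump(find_by_id($pdo, "3"), find_by_id($pdo, "3 OR 1=1"));
```

The concatenated SELECT returns every row for the constructed input while the bound one returns none, which is why read-only queries need the same care as INSERT and UPDATE.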
