Reputation: 1
Warning: I am not a PHP programmer.
I have inherited a php diary script while trying to help a client restore an old site. The script does not function as expected. It seems that the problem lies with the way that $id is not being extracted from a link such as http://example.com/diary.php?id=51
Here is the script that should handle this:
<?php
// insert automatic date structure for 2004 or 2005
include 'admin24/config.inc.php';
if (isset($_GET['id'])){
    $query = "SELECT * FROM `diary` WHERE id=$id";
    $result = mysql_query($query)
        or die ("problem resolving information....contact php_admin");
    $row = mysql_fetch_array($result);
    extract($row);
    $date = date("j F Y", (strtotime($date)));
?>
If I substitute an integer for $id like so:
$query = "SELECT * FROM `diary` WHERE id=51";
there is no problem and the query is retrieved from the db just fine.
Can anyone tell me why this is not working? As it is, it always returns:
"problem resolving information....contact php_admin"
Thanks in advance.
Upvotes: 0
Views: 57
Reputation: 541
I guess register_globals has been turned off (recommended), so $id needs to get initialized. Try this:
<?php
// insert automatic date structure for 2004 or 2005
include 'admin24/config.inc.php';
if (isset($_GET['id'])){
    $id = (int) $_GET['id']; // the cast to 'int' is necessary to prevent sql injections!
    $query = "SELECT * FROM `diary` WHERE id=$id";
    $result = mysql_query($query)
        or die ("problem resolving information....contact php_admin");
    $row = mysql_fetch_array($result);
    extract($row);
    $date = date("j F Y", (strtotime($date)));
...
Upvotes: 2
Reputation: 107
Your SQL query is for the variable $id but the value you are looking for is in $_GET['id']. jexact's solution fixes this by assigning $id while protecting your app from SQL injection by casting it to an int.
Upvotes: 0