iamjonesy

Reputation: 25122

PHP: managing url $_GET tinkering

Here's a situation: I have a list of support tickets that, when you click the title of the ticket, takes you to a page that displays the ticket in more detail. It uses URL GET variables to query the database. I've taken SQL injection into account, but what if someone modifies the URL to an id that doesn't exist? What's the best way to deal with that?

Thanks,

Jonesy

Upvotes: 1

Views: 247

Answers (5)

nana

Reputation: 4481

You should always check if your query returned anything. If it returned 0 rows, the ID doesn't exist.

<?php

// $link is an open connection from mysql_connect(); "your query" is the
// SELECT for the requested ticket id (escape or cast the id before use).
$result = mysql_query("your query", $link);
if ($result === false) {
  // the query itself failed (syntax error, lost connection, ...)
  die('Query failed: ' . mysql_error($link));
}
$num_rows = mysql_num_rows($result);

if ($num_rows < 1) {
  // row with that id doesn't exist
  // do whatever you want
} elseif ($num_rows > 1) {
  // you have a problem with your ids in the db (id should be unique)
} else {
  // everything went fine
  // do your thing here
}

?>

Upvotes: 1

Evan Mulawski

Reputation: 55334

This may seem too simple, but you should always validate your GET (or POST) variable before doing anything with them. In your case, just verify that the ID exists in the database. If it doesn't, inform the user.

Upvotes: 1

norwebian

Reputation: 820

You probably have to make a page handling unsuccessful searches anyway; just route it in there. Then you can help the user find what (s)he is searching for in a consistent way, provide cues and "most-searched-for" items and whatnot.

Upvotes: 3

Piskvor left the building

Reputation: 92752

Check if the ticket exists; if not, react accordingly. What "react accordingly" means is determined by your business logic: create a new ticket? raise an error? take the user to a list of available tickets?

An example using the old mysql extension for brevity:

$sanitized_numeric_id = (int) $_GET['ticket_id']; // assuming id is numeric; (int) turns anything else into 0
$query_resource = mysql_query('SELECT `somecolumn`, `column2`, `othercolumn`
                               FROM `tickets`
                               WHERE `id` = ' . $sanitized_numeric_id);
if ($query_resource === false) {
    // the query failed; handle the database error before checking rows
} elseif (mysql_num_rows($query_resource) > 0) {
    // the ticket exists, do something with it
} else {
    // the ticket doesn't exist, react accordingly
}

Upvotes: 0

Gordon

Reputation: 316959

If the ID does not exist, send a 404 - Not Found header along with a nice error page telling the user that it wasn't found.

Upvotes: 5
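Putting the answers above together (validate the id, check that the row exists, answer with a 404 otherwise), here is an added example that is not from any of the answerers. It assumes an existing PDO connection in `$pdo`, a `tickets` table with an integer primary key `id` and columns `title` and `body`, and a query-string parameter named `ticket_id`; all of these names are assumptions.

```php
<?php
// Added example, not from the answers above. Assumes: $pdo is an open PDO
// connection; table `tickets` has integer PK `id` plus `title` and `body`.

/**
 * Validate the raw id from the query string. Returns the integer id, or
 * null when the value is missing or not a positive integer (e.g. "12abc").
 */
function ticketIdFromRequest(array $get): ?int
{
    if (!isset($get['ticket_id'])) {
        return null;
    }
    $id = filter_var($get['ticket_id'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

/** Look the ticket up with a prepared statement; null when no row matches. */
function findTicket(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, title, body FROM tickets WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$id     = ticketIdFromRequest($_GET);
$ticket = $id === null ? null : findTicket($pdo, $id);

if ($ticket === null) {
    // Malformed or unknown id: a real 404 status plus the same "not found"
    // page the rest of the site uses, with a way back to the ticket list.
    http_response_code(404);
    header('Content-Type: text/html; charset=utf-8');
    echo '<h1>Ticket not found</h1>';
    echo '<p>No ticket with that id exists. <a href="/tickets">Back to the list</a></p>';
    exit;
}

// The ticket exists: render it (escape stored text before echoing it).
echo '<h1>' . htmlspecialchars($ticket['title'], ENT_QUOTES, 'UTF-8') . '</h1>';
echo '<div>' . nl2br(htmlspecialchars($ticket['body'], ENT_QUOTES, 'UTF-8')) . '</div>';
```

A value such as `?ticket_id=abc` or `?ticket_id=0` never reaches the database at all; a well-formed id for a row that was deleted falls through to the same 404 branch.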
