PHP / SQL Query dynamic record from url

Question

I currently have this:

<?php
  $con = mysql_connect('localhost', 'root', 'dev');
  if(!$con) {
    die('Could not connect: ' . mysql_error());
  }
  mysql_select_db("myDB");
  $query = "SELECT * FROM pages where id=1";
  $result = mysql_query($query);
  $row = mysql_fetch_assoc($result);
  $contents = $row['content'];
  echo $contents;
?>

See this part: SELECT * FROM pages where id=1

1 is the record id and it's currently hardcoded. What I need to do is change it so it get's the record id from the url...for example: mysite.com/index.php?2 would show record id 2 ...

How do I go about doing this?

Answer 1

http://pastebin.com/NEZe7jjL

<?php

$dbh = new PDO('mysql:host=127.0.0.1;dbname=test', 'user', 'password', array(
    PDO::ATTR_EMULATE_PREPARES => true,
    PDO::MYSQL_ATTR_INIT_COMMAND => 'set names utf8',
));

$stmt = $dbh->prepare('SELECT * FROM `pages` WHERE `id` = :page');
$stmt->bindValue(':page', $_GET['page'], PDO::PARAM_INT);
$stmt->execute();

$result = $stmt->fetch(PDO::FETCH_ASSOC);

?>

yoursite.com/index.php?page=2

Answer 2

Turn that hardcoded value into a variable.

<?php
    //assumes you have a querystring like: http://mysite.com/index.php?id=3
    $id = $_GET['id'];


  $con = mysql_connect('localhost', 'root', 'dev');
  if(!$con) {
    die('Could not connect: ' . mysql_error());
  }
  mysql_select_db("myDB");


    //Make your variable safe for use with mysql
    $id = mysql_real_escape_string($id);
  $query = "SELECT * FROM pages where id=" . $id;
  $result = mysql_query($query);
  $row = mysql_fetch_assoc($result);
  $contents = $row['content'];
  echo $contents;
?>

Answer 3

You could use a regular expression to extract it from the URL.

$retval=preg_match( "@(\d+)$@", $_SERVER['REQUEST_URI'], $match );
$index=-1;
if( $retval ) { 
    $index = $match[1];
}

This approach allows you to continue using the URL scheme you described in the question without prepending id=. Whether that's a good idea or not is probably debateable.

Answer 4

URL data is interpreted using the GET method. First, you should look here for how to use it, and here for how to read it.

Basically, your URL will look like this:

mysite.com/index.php?id=2

Then, you could read in the URL variable like this:

$id = mysql_real_escape_string($_GET['id']);

mysql_real_escape_string() will help avoid SQL injection, but requires an existing connection, so your code would look like this:

<?php
  // Set up connection

  $id = mysql_real_escape_string($_GET['id']);
  $query = 'SELECT * FROM pages where id = '.$id;

  // Run the query
?>

Answer 5

Basic example using mysite.com/index.php?id=x as your URLs where x is the Id:

$id = (int)$_GET['id'];

$query = sprintf("
    SELECT * 
    FROM pages 
    WHERE id = %d",
    mysql_real_escape_string($id)
);

With your connection lines included of course, you should also validate.

Answer 6

let say the url is something like that: mysite.com/index.php?id=2

in your index.php:

<?php
$id = $_GET['id'];
// your sanitizing methods for id to avoid SQL injection

$con = mysql_connect('localhost', 'root', 'dev');
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
mysql_select_db("diy");
$query = "SELECT * FROM pages where id = ".$id;
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);
$contents = $row['content'];
echo $contents;
?>

Beware of SQL injection