Inspiring
January 17, 2014
Answered

How do you pass two URL parameters to a page in PHP

  • January 17, 2014
  • 1 reply
  • 14650 views

The following bit of code is based on some David Powers code in his book PHP Solutions, a book to be highly recommended:

'<a href="' . $_SERVER['PHP_SELF'] . '?curpage=' . ($curpage+1) . '"> Next &gt; </a>';

This is used to navigate from page to page and, when clicked, produces a URL ending

.showflagsab?curpage=3


It works fine when the SQL Query is something like "SELECT * from table"

However, my SQL Query is like "SELECT * from table where ID= 5", so as well as passing the current page variable, I also need to pass the ID variable.

It would show like showflagsab.php?curpage=3&id=5


I spent ages trying to get the syntax correct, but so far have not succeeded.

Can you help?

Howard Walker


This topic has been closed for replies.
Correct answer BazBat
1 reply

BazBat (Correct answer)
Participating Frequently
January 17, 2014

You just need to add &$VAR= to the end of your link:

'<a href="' . $_SERVER['PHP_SELF'] . '?curpage=' . ($curpage+1) . '&id=' . $yourid . '"> link </a>'

Careful with SQL injection though: you're going to have to check that the value of the id is valid, something like (if you're using PDO):

// The ? placeholder keeps $input_id out of the SQL text; PDO sends it separately.
$stmt = $pdo->prepare('SELECT user FROM user_db WHERE id = ? LIMIT 1');
$stmt->execute([$input_id]);
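Putting the accepted answer together, as an added example (not code from the thread or from David Powers' book): the link is built with http_build_query() so the two parameters are encoded and joined correctly, the whole href is passed through htmlspecialchars() because $_SERVER['PHP_SELF'] reflects the request path, the two values are validated as integers when they come back in, and the query runs through a PDO prepared statement. The table name "flags", its "id" column, the script name and the $pdo connection are assumptions.

```php
<?php
// Added example, not code from the thread or from David Powers' book: build
// pagination links that carry both curpage and id, validate them when they come
// back, and run the query through a PDO prepared statement. The table name
// "flags", its "id" column, the script name and the $pdo connection are assumptions.

declare(strict_types=1);

/**
 * Build one pagination link. http_build_query() URL-encodes each value and joins
 * them with "&", so the caller never assembles "?curpage=...&id=..." by hand.
 * htmlspecialchars() then makes the whole href attribute-safe; that matters for
 * $_SERVER['PHP_SELF'], which reflects the request path and can carry markup.
 */
function paginationLink(string $script, int $page, int $id, string $label): string
{
    $href = $script . '?' . http_build_query(['curpage' => $page, 'id' => $id]);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

/**
 * Read an integer parameter out of $_GET (passed in as an array so it is easy to
 * test). FILTER_VALIDATE_INT rejects anything that is not a well-formed integer,
 * so "5 OR 1=1" or "' or '1'='1" never gets near the SQL; min_range keeps
 * negative pages and ids out as well.
 */
function intParam(array $params, string $name, int $default, int $min = 1): int
{
    if (!isset($params[$name])) {
        return $default;
    }
    $value = filter_var($params[$name], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min]]);
    return $value === false ? $default : $value;
}

/**
 * Fetch one page of rows for the given id. Every user-derived value is bound as
 * an integer; PDO::PARAM_INT is required for LIMIT/OFFSET because MySQL will not
 * accept a quoted string there.
 */
function fetchFlagsPage(PDO $pdo, int $id, int $page, int $perPage = 10): array
{
    $stmt = $pdo->prepare(
        'SELECT * FROM flags WHERE id = :id LIMIT :limit OFFSET :offset'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':limit', $perPage, PDO::PARAM_INT);
    $stmt->bindValue(':offset', ($page - 1) * $perPage, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage in the page script. Constructed values stand in for a real $_GET here;
// in the page you would pass $_GET and $_SERVER['PHP_SELF'] instead.
$get     = ['curpage' => '3', 'id' => '5'];
$curpage = intParam($get, 'curpage', 1);
$id      = intParam($get, 'id', 1);

echo paginationLink('showflagsab.php', $curpage + 1, $id, 'Next >'), PHP_EOL;

// With a live connection:
// $rows = fetchFlagsPage($pdo, $id, $curpage);
```

For the constructed values the link comes out as showflagsab.php?curpage=4&amp;id=5 inside the href, which is the correct attribute encoding of the URL the question asks for; a browser decodes the &amp; back to & before requesting it. Reading the parameters through intParam() means a tampered value such as ' or '1'='1 simply falls back to the default instead of reaching the query.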

Inspiring
January 17, 2014

Thanks for that - worked a treat and I came up with :

'<a href="' . $_SERVER['PHP_SELF'] . '?curpage=' . $lastpage . '&id=' . $t . '"> LAST &gt; </a>';

SQL injection - I am pulling the data directly out of a database with no user access - does that still need to be checked for injection?

I am using MySQLI which will need another syntax.

BazBat
Participating Frequently
January 17, 2014

Yes, as you are using URL variables someone could exploit it by typing in the link with the URLs. Get into the habit of doing it now; it's only a couple of extra lines and you'll love yourself for it going forward. Read up on PDO (most used outside of MySQLi).

If they were to input one of the following as a URL var:

' or '1'='1' -- '

' or '1'='1' ({ '

' or '1'='1' /* '

it would change the SQL to read:

SELECT * FROM table WHERE col = '' OR '1'='1';

SELECT * FROM table WHERE col = '' OR '1'='1' -- ';

If you're using MySQLi then use:

mysqli_real_escape_string()

and

stripslashes()
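To make the effect of those three payloads concrete, here is an added example (not code from the thread) that builds the string-concatenated query the post describes and prints what each payload turns it into, next to the MySQLi prepared statement that is the MySQLi counterpart of the PDO placeholder in the accepted answer. Because the id is an integer, an integer check in front of the query also rejects all three inputs before any SQL is built. The table "flags", its "id" column and the $mysqli connection are assumptions; only the query strings are built here, nothing is executed, so the script runs offline.

```php
<?php
// Added example, not code from the thread: the string-built query that the three
// payloads break, next to the mysqli prepared statement that keeps the value out
// of the SQL text. Table "flags", column "id" and the $mysqli connection are
// assumptions; the query strings are only built, not executed, so this runs offline.

declare(strict_types=1);

/** The vulnerable pattern: the URL value is pasted straight into the SQL. */
function vulnerableSql(string $id): string
{
    return "SELECT * FROM flags WHERE id = '" . $id . "'";
}

/**
 * Hardened: the statement is compiled with a placeholder and the value is sent
 * separately, typed as an integer ("i"). No quoting or escaping is involved, so
 * there is nothing for a quote or comment sequence in the input to break out of.
 * get_result() needs the mysqlnd driver, which is the default on modern PHP.
 */
function fetchById(mysqli $db, int $id): array
{
    $stmt = $db->prepare('SELECT * FROM flags WHERE id = ? LIMIT 1');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

/**
 * Front gate for an id that must be a positive integer: anything else is
 * rejected before a query is even built. Returns null for bad input.
 */
function validId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed inputs: a normal id followed by the three payloads from the post.
$inputs = [
    '5',
    "' or '1'='1' -- '",
    "' or '1'='1' ({ '",
    "' or '1'='1' /* '",
];

foreach ($inputs as $raw) {
    echo 'input:        ', $raw, PHP_EOL;
    echo 'concatenated: ', vulnerableSql($raw), PHP_EOL;
    $id = validId($raw);
    echo 'validated:    ', $id === null ? 'rejected, no query sent' : "id=$id",
        PHP_EOL, PHP_EOL;
    // With a live connection, only a validated id ever reaches the database:
    // if ($id !== null) { $rows = fetchById($mysqli, $id); }
}
```

For the first payload the concatenated string becomes SELECT * FROM flags WHERE id = '' or '1'='1' -- '', where the -- comments out the closing quote the script appended, so the WHERE clause is always true and every row comes back. The prepared statement never sees that text: bind_param() sends the value as an integer parameter, so a quote or comment sequence in it has nothing to break out of.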