The following bit of code is based on some David Powers code in his book PHP solutions - a book to be highly recommended :
echo '<a href="' . $_SERVER['PHP_SELF'] . '?curpage=' . ($curpage + 1) . '">Next &gt;</a>';
This is used to navigate from page to page and when clicked, produces a URL ending
.showflagsab?curpage=3
It works fine when the SQL Query is something like "SELECT * from table"
However, my SQL Query is like "SELECT * from table where ID= 5", so as well as passing the current page variable, I also need to pass the ID variable.
It would show like showflagsab.php?curpage=3&id=5
I spent ages trying to get the syntax correct, but so far have not succeeded.
Can you help?
Howard Walker
You just need to add &$VAR= to the end of your link:
echo '<a href="' . $_SERVER['PHP_SELF'] . '?curpage=' . ($curpage + 1) . '&id=' . $yourid . '">link</a>';
Careful with SQL injection though, you're going to have to check that the value of the id is valid, something like (if you're using PDO):
$stmt = $pdo->prepare("SELECT user FROM user_db WHERE id = ? LIMIT 1");
$stmt->execute([$input_id]);
Thanks for that - worked a treat and I came up with:
echo '<a href="' . $_SERVER['PHP_SELF'] . '?curpage=' . $lastpage . '&id=' . $t . '">LAST &gt;</a>';
SQL injection - I am pulling out the data direct from a database with no user access - does that still need to be checked for injection?
I am using MySQLi, which will need another syntax.
Yes, as you are using URL variables someone could exploit it by typing in the link with the URLs. Get into the habit of doing it now, it's only a couple of extra lines and you'll love yourself for it going forward. Read up on PDO (most used outside of MySQLi).
If they were to input one of the following as a URL var:
' or '1'='1' -- '
' or '1'='1' ({ '
' or '1'='1' /* '
it would change the SQL to read:
SELECT * FROM table WHERE col = '' OR '1'='1';
SELECT * FROM table WHERE col = '' OR '1'='1' -- ';
If you're using MySQLi then use:
mysqli_real_escape_string()
and
stripslashes()
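As an added example (not code from this thread or from David Powers' book), here is how the Next/LAST links and the id lookup from the question can be put together so that the URL values are validated as integers, the MySQLi query binds the id as a parameter instead of concatenating it, and the link is HTML-escaped. The $mysqli connection, the table name `flags` and its `id` column are assumptions.

```php
<?php
// Added example (not from the thread or David Powers' book): the links and
// the id lookup with the URL values validated and bound as parameters.
// Assumes an open MySQLi connection in $mysqli and a table `flags` with an
// integer `id` column; both names are placeholders.

// Read a non-negative integer from the query string; anything else
// (empty, "5 OR 1=1", "' or '1'='1") falls back to $default.
function query_int(array $get, string $key, int $default): int
{
    if (!isset($get[$key])) {
        return $default;
    }
    $n = filter_var($get[$key], FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 0]]);
    return $n === false ? $default : $n;
}

// Build one page link. The values are already integers, and the whole URL
// and the label are escaped so they cannot break out of the attribute.
function page_link(string $script, int $page, int $id, string $label): string
{
    $url = $script . '?curpage=' . $page . '&id=' . $id;
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Fetch the rows for one id with a bound parameter: the id is sent to MySQL
// separately from the SQL text, so it can never change the query.
function rows_for_id(mysqli $mysqli, int $id): array
{
    $stmt = $mysqli->prepare('SELECT * FROM flags WHERE id = ?');
    $stmt->bind_param('i', $id);   // 'i' binds the value as an integer
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

$curpage  = query_int($_GET, 'curpage', 1);
$id       = query_int($_GET, 'id', 0);
$perPage  = 10;                                   // rows shown per page
$rows     = rows_for_id($mysqli, $id);
$lastpage = max(1, (int) ceil(count($rows) / $perPage));
$script   = basename($_SERVER['SCRIPT_NAME']);    // no PATH_INFO, unlike PHP_SELF

echo page_link($script, min($curpage + 1, $lastpage), $id, 'Next >');
echo page_link($script, $lastpage, $id, 'LAST >');
```

With the id bound as an integer parameter there is nothing left to escape with mysqli_real_escape_string(), and a value such as `' or '1'='1` simply falls back to the default id.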