views: 411
answers: 4

Hi,

If I had something like this:

?FormSub=Submit&qty=1&partno=ipod&notes=apple&unitprice=102.99&rowid=1&qty=2&partno=Ear+Buds&notes=Headphones&unitprice=45.99&rowid=2

Is it possible to loop through the GETs to return results into an HTML table and also add to a SQL table?

Or would I need to add the rowid to the end of every $_GET (i.e. qty1=1&partno1=ipod...)?

Thanks for looking.

+6  A: 

You can loop through $_GET though. It's just an array:

foreach ($_GET as $key => $value) { }

When you go through to make your SQL queries, remember to sanitize all of your inputs. Likewise for displaying values on the page. Use htmlentities to sanitize for HTML display. Assuming your database is MySQL, use mysql_real_escape_string for SQL.

Dinah
+1  A: 

$_GET is an array .. so you can just iterate over it using foreach

foreach($_GET as $query_string_variable => $value) {
   echo "$query_string_variable  = $value <Br />";
}

you can also do extract($_GET) to make all of them variables .. but I won't suggest it.

If you want to save it to db you should consider mysql_real_escape_string($value).

To print an HTML table .. do you want something like this ??

$count = count($_GET);
if ($count > 0) {
    echo "<table>";
    foreach ($_GET as $query_string_variable => $value) {
        echo "<tr><td>$query_string_variable</td><td>$value</td></tr>";
    }
    echo "</table>";
}

hope this helps.

Wbdvlpr
+1, but `$query_string_variable` is a bit long and unwieldy. Something like `$key` or `$param` is much easier to read.
DisgruntledGoat
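An added example (not code from either answer above) that ties the two answers together: it runs the question's own query string through parse_str(), which builds the array the same way PHP builds $_GET, and then renders the result as an HTML table with every key and value escaped. The query string is the one from the question; the helper name render_params_table and the PHP 7.4+ arrow function are my choices. Note that mysql_real_escape_string() belongs to the mysql extension, which was removed in PHP 7; escaping for HTML output is shown here, and database access is left to prepared statements.

```php
<?php
// Added example, not from the original answers.
declare(strict_types=1);

// Constructed input: the query string from the question with the leading '?' removed.
$query = 'FormSub=Submit&qty=1&partno=ipod&notes=apple&unitprice=102.99&rowid=1'
       . '&qty=2&partno=Ear+Buds&notes=Headphones&unitprice=45.99&rowid=2';

// parse_str() applies the rules PHP uses for $_GET: '+' becomes a space and a
// repeated key overwrites the earlier value, so the first row (qty=1, partno=ipod)
// is lost and only the last row remains. This is why the "qty[]" notation in the
// other answers is needed when several rows travel in one request.
parse_str($query, $params);
echo 'keys after parsing: ' . implode(', ', array_keys($params)) . "\n";
echo 'qty after parsing:  ' . $params['qty'] . "\n";

/**
 * Render key/value pairs as an HTML table. Keys and values are passed through
 * htmlspecialchars() so that a value containing markup is displayed as text
 * rather than interpreted by the browser.
 */
function render_params_table(array $params): string
{
    $esc = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $html = "<table>\n";
    foreach ($params as $key => $value) {
        // Nested arrays (from qty[]=1&qty[]=2) are joined for display only.
        $shown = is_array($value) ? implode(', ', $value) : (string) $value;
        $html .= '<tr><td>' . $esc((string) $key) . '</td><td>' . $esc($shown) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

echo render_params_table($params);

// Constructed value containing markup: after escaping it shows up literally in the cell.
echo render_params_table(['notes' => '<b>not bold</b>']);
```

Run it from the command line with `php example.php`; the first two lines of output show that only six keys survive and that `qty` holds the second row's value, which is the collapse the question's flat format suffers from.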
+1  A: 

See the FAQ How do I create arrays in a HTML <form>?

So in your case a request of:

?FormSub=Submit&qty[]=1&partno[]=ipod&notes[]=apple&unitprice[]=102.99&rowid[]=1&qty[]=2&partno[]=Ear+Buds&notes[]=Headphones&unitprice[]=45.99&rowid[]=2

would create an array of the form:

array(
    'FormSub' => 'Submit',
    'qty' => array(
        0 => '1',
        1 => '2'
    ),
    'partno' => array(
        0 => 'ipod',
        1 => 'Ear Buds'
    ),
    'notes' => array(
        0 => 'apple',
        1 => 'Headphones'
    ),
    'unitprice' => array(
        0 => '102.99',
        1 => '45.99'
    ),
    'rowid' => array(
        0 => '1',
        1 => '2'
    )
)

But I hope you don’t accept those values without validation or even use it for an actual order.

Additionally GET is intended to be used for data retrieval only:

In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval.

For requests with side effects (alteration of data on the server) you should use POST.

Gumbo
+2  A: 

watch out! someone could easily alter this and submit:

?FormSub=Submit&qty=1&partno=ipod&notes=apple&unitprice=0.99&rowid=1&qty=2&partno=Ear+Buds&notes=Headphones&unitprice=0.05&rowid=2

note: "unitprice" was 102.99 and 45.99, but they have been changed to 0.99 and 0.05, I guess they are on sale now at a great price!

KM
Good call! Amazon once had a hole in their code that wasn't too much more advanced than this. There were indeed some people that got some items at a great price.
Dinah
Yeah, thanks for your concern - this is an internal quoting system...not for Joe Public.....
@Bifter, even if this is for "internal" usage, it still isn't a very good way of doing it
KM
Do validate everything. Malice isn't the only reason this kind of stuff can go wrong. Errant keystrokes, people bookmarking your page with this data in the GET string, and many other reasons can keep this from working as you intend. Users, especially non-tech savvy ones, have a weird way of making things happen that you never thought would.
Dinah
some users will learn to navigate your application by editing the URL (they will find it is quicker than using the menus/screens), but this can cause issues if you don't code defensively
KM
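An added example (not code from Gumbo's or KM's answers) that puts both points into one handler: rows arrive in the qty[]/partno[] array form over POST, each row is validated, the unit price is looked up in a server-side catalogue so that a tampered unitprice in the request has no effect, and the rows are stored with PDO prepared statements inside a transaction. The table names, the catalogue contents and the $post array standing in for $_POST are constructed for the example; an in-memory SQLite database is used so it runs without a server.

```php
<?php
// Added example, not from the original answers.
declare(strict_types=1);

// Constructed stand-in for $_POST after a request such as
// qty[]=1&partno[]=ipod&notes[]=apple&rowid[]=1&qty[]=2&partno[]=Ear+Buds&notes[]=Headphones&rowid[]=2
// A client-supplied unitprice[] is deliberately never read, so changing it
// (as in the answer above) cannot change what is charged.
$post = [
    'FormSub'   => 'Submit',
    'qty'       => ['1', '2'],
    'partno'    => ['ipod', 'Ear Buds'],
    'notes'     => ['apple', 'Headphones'],
    'rowid'     => ['1', '2'],
    'unitprice' => ['0.99', '0.05'],   // ignored by the code below
];

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE catalogue (partno TEXT PRIMARY KEY, unitprice REAL NOT NULL)');
$pdo->exec('CREATE TABLE order_lines (id INTEGER PRIMARY KEY, line_no INTEGER, partno TEXT, qty INTEGER, notes TEXT, unitprice REAL)');
// Constructed catalogue: the authoritative prices live here, not in the request.
$seed = $pdo->prepare('INSERT INTO catalogue (partno, unitprice) VALUES (?, ?)');
$seed->execute(['ipod', 102.99]);
$seed->execute(['Ear Buds', 45.99]);

/**
 * Turn the parallel qty[]/partno[]/notes[]/rowid[] arrays into one array per row.
 * Throws InvalidArgumentException on anything malformed (missing field, mismatched
 * lengths, non-integer or out-of-range qty/rowid, empty or oversized strings).
 */
function rows_from_request(array $req): array
{
    foreach (['qty', 'partno', 'notes', 'rowid'] as $f) {
        if (!isset($req[$f]) || !is_array($req[$f])) {
            throw new InvalidArgumentException("missing or non-array field: $f");
        }
    }
    $n = count($req['qty']);
    if ($n === 0 || count($req['partno']) !== $n || count($req['notes']) !== $n || count($req['rowid']) !== $n) {
        throw new InvalidArgumentException('row arrays have mismatched lengths');
    }
    $rows = [];
    for ($i = 0; $i < $n; $i++) {
        $qty   = filter_var($req['qty'][$i], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 10000]]);
        $line  = filter_var($req['rowid'][$i], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        $part  = (string) $req['partno'][$i];
        $notes = (string) $req['notes'][$i];
        if ($qty === false || $line === false || $part === '' || strlen($part) > 64 || strlen($notes) > 255) {
            throw new InvalidArgumentException("row $i failed validation");
        }
        $rows[] = ['line_no' => $line, 'partno' => $part, 'qty' => $qty, 'notes' => $notes];
    }
    return $rows;
}

/** Store validated rows; the price for each line comes from the catalogue. */
function store_order(PDO $pdo, array $rows): void
{
    $price = $pdo->prepare('SELECT unitprice FROM catalogue WHERE partno = ?');
    $ins   = $pdo->prepare('INSERT INTO order_lines (line_no, partno, qty, notes, unitprice) VALUES (?, ?, ?, ?, ?)');
    $pdo->beginTransaction();
    try {
        foreach ($rows as $r) {
            $price->execute([$r['partno']]);
            $unit = $price->fetchColumn();
            if ($unit === false) {
                throw new RuntimeException("unknown part number: {$r['partno']}");
            }
            $ins->execute([$r['line_no'], $r['partno'], $r['qty'], $r['notes'], (float) $unit]);
        }
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();   // nothing is stored if any line is bad
        throw $e;
    }
}

// Only a POST may create order lines; REQUEST_METHOD is unset on the CLI, so POST is assumed there.
$method = $_SERVER['REQUEST_METHOD'] ?? 'POST';
if ($method !== 'POST') {
    http_response_code(405);
    exit;
}

store_order($pdo, rows_from_request($post));
foreach ($pdo->query('SELECT line_no, partno, qty, unitprice FROM order_lines ORDER BY line_no') as $l) {
    printf("%d: %-10s x%d @ %.2f\n", $l['line_no'], $l['partno'], $l['qty'], $l['unitprice']);
}
```

The listing at the end shows the catalogue prices (102.99 and 45.99) regardless of the 0.99 and 0.05 the request carried, because the request's unitprice[] is never consulted. Validation failures and unknown part numbers throw before the transaction commits, so a half-written order never reaches the table.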