views: 45
answers: 2

I have a list of URLs on my homepage, which is like SO, in the following form:

<a href="?questions&questions=777">link1</a>
<a href="?questions&questions=666">link2</a>

The following PHP script has a problem in the parameter of $_GET:

    $dbconn = pg_connect("host=localhost port=5432 dbname=masi user=masi password=123");
    // A QUESTION SELECTED BY USER
    // to generate the answers for the given question
    $result = pg_prepare($dbconn, "query9", "SELECT title, answer
        FROM answers
        WHERE questions_question_id = $1;");            // WARNINGS refer HERE
    // TODO I am not sure if the syntax is correct for the parameter inside $_GET
    $result = pg_execute($dbconn, "query9", array($_GET["'question_id' = $questions_question_id"]));
    // Problem HERE inside the $_GET

Thank you to Nos and Jikhan for solving the problem with $dbconn and to Simon for solving the main problem of this thread!

How can you get only the question_id from the URL such that Postgres understands the query?

+4  A: 

It seems that the problem is not the query but the connection to the database (dbconn).

Jikhan
This problem is now solved.
Masi
+1  A: 

Your $_GET statement also looks rather strange. I don't know what the point of repeating 'questions' in your link is, but if we assume your links are formatted like so:

<a href="?questions=777">link1</a>

You can get access to the ID 777 like so:

$question_id = $_GET['questions'];

I believe pg_execute() just expects the array of values in the order you write them in the prepare statement. So you don't need to try to assign the variable $questions_question_id; this simply won't work.

I'd also ensure this contains what you expect it to (i.e. just an ID number).

$question_id = filter_input(INPUT_GET, 'questions', FILTER_SANITIZE_NUMBER_INT);

The filter family of functions is available in PHP 5.2 and gets rid of any unwanted characters. See http://uk2.php.net/manual/en/function.filter-input.php

filter_input() returns null if the GET variable isn't set.

simonrjones
**Do you need the explicit sanitizing, since we use `pg_prepare`?** I feel that `pg_prepare` sanitizes the input automatically.
Masi
Sanitizing will only remove dangerous characters such as semi-colons. It won't guarantee the ID variable is actually a number. For security you still need to ensure the ID is just an integer. It's always worth filtering incoming variables and preparing all SQL!
simonrjones
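Putting simonrjones's answer and the comment exchange above together, here is an added example (it is not code from the question or from any of the answers). It reads the ID from $_GET['questions'], validates it as a positive integer, and passes it to pg_execute() as the positional value for $1. It also runs a few constructed sample values through FILTER_SANITIZE_NUMBER_INT and FILTER_VALIDATE_INT side by side, to show why the comment exchange distinguishes "removing characters" from "checking that the value is an integer": the prepared statement stops the parameter from changing the SQL, but it does not check that the parameter is a sensible ID. The table and column names come from the question; the function names, the statement name and the placeholder credentials are my own.

```php
<?php
// Added example, not code from the question or its answers.
// Table/column names are from the question; helper names and credentials
// below are assumptions/placeholders.

// FILTER_SANITIZE_NUMBER_INT only strips characters that are not digits,
// '+' or '-', so "12abc" becomes "12" and "abc" becomes "". FILTER_VALIDATE_INT
// returns false unless the whole value is an integer, which is what a primary
// key lookup actually needs. null from this function means "reject the request".
function question_id_from_value($value)
{
    if ($value === null) {
        return null;                      // parameter absent from the query string
    }
    $id = filter_var($value, FILTER_VALIDATE_INT, array(
        'options' => array('min_range' => 1),
    ));
    return ($id === false) ? null : $id;
}

// Same check, read straight from the query string (what a page handler calls).
function question_id_from_get()
{
    return question_id_from_value(filter_input(INPUT_GET, 'questions'));
}

// Run the prepared statement. The value is bound to $1 by position; the SQL
// text never contains user input, so the parameter cannot alter the query.
// Single quotes keep PHP from interpolating anything into the "$1" placeholder.
function fetch_answers($dbconn, $question_id)
{
    $sql = 'SELECT title, answer FROM answers WHERE questions_question_id = $1';
    $prepared = pg_prepare($dbconn, 'answers_for_question', $sql);
    if ($prepared === false) {
        throw new RuntimeException(pg_last_error($dbconn));
    }
    $result = pg_execute($dbconn, 'answers_for_question', array($question_id));
    if ($result === false) {
        throw new RuntimeException(pg_last_error($dbconn));
    }
    $rows = array();
    while ($row = pg_fetch_assoc($result)) {
        $rows[] = $row;
    }
    return $rows;
}

// Constructed sample inputs showing the difference between the two filters.
$samples = array('777', '12abc', '-5', 'abc', '7;extra', null);
foreach ($samples as $sample) {
    $sanitized = ($sample === null) ? null
        : filter_var($sample, FILTER_SANITIZE_NUMBER_INT);
    $validated = question_id_from_value($sample);
    printf("%-10s sanitized=%-6s validated=%s\n",
        var_export($sample, true),
        var_export($sanitized, true),
        var_export($validated, true));
}

// Only touch the database when run as a web page with a usable ID.
if (PHP_SAPI !== 'cli') {
    $question_id = question_id_from_get();
    if ($question_id === null) {
        header('HTTP/1.0 400 Bad Request');
        exit('missing or invalid question id');
    }
    // Placeholder credentials: substitute your own connection details.
    $dbconn = pg_connect('host=localhost port=5432 dbname=DBNAME user=DBUSER password=DBPASS');
    if ($dbconn === false) {
        header('HTTP/1.0 500 Internal Server Error');
        exit('database connection failed');
    }
    foreach (fetch_answers($dbconn, $question_id) as $row) {
        echo '<h3>' . htmlspecialchars($row['title']) . '</h3>';
        echo '<p>' . htmlspecialchars($row['answer']) . '</p>';
    }
}
```

Run from the command line, the script only prints the sample table: '777' passes both filters, '12abc' and '7;extra' are silently trimmed to '12' and '7' by the sanitizer but rejected by validation, '-5' survives sanitizing but fails the min_range check, and 'abc' sanitizes to an empty string. Served as a page, it answers with 400 for a missing or non-integer ID before any database work is done, and the prepared statement handles the quoting of the one value that does reach Postgres.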