Hi, I need something simple; I have a page where a user clicks an author to see the books associated with that author. On my page displaying the list of books for the author, I want a simple HTML title saying: 'The books for: AUTHORNAME'

I can get the page to display author ID but not the name. When the user clicks the link in the previous page of the author, it looks like this:

<a href="viewauthorbooks.php?author_id=<?php echo $row['author_id']?>"><?php echo $row['authorname']?></a>

And then on the 'viewauthorbooks.php?author_id=23' I have declared this at the start:

$author_id = $_GET['author_id']; $authorname = $_GET['authorname'];

And finally, 'The books for: AUTHORNAME', where it says AUTHORNAME, I have this:

echo $authorname

(With PHP tags, but it's not letting me put them in!) And this doesn't show anything, however if I change it to author_id, it displays the correct author ID that has been clicked, but it's not exactly user friendly!! Can anyone help me out!

A: 

You don't send it in the query string, thus you can't get it from the $_GET array.
Just request it from the database using the id.

An important note: Always use htmlspecialchars() when you display data coming from the client side.

Col. Shrapnel
A: 

Author name won't be in $_GET. As your code stands, you only use it as the link title. It is nowhere in the address. Try this instead:

<a href="viewauthorbooks.php?author_id=<?php echo $row['author_id']?>&authorname=<?php echo urlencode($row['authorname'])?>"><?php echo htmlspecialchars($row['authorname'])?></a>

It would be better to re-request it from the database using the author_id though.

EDIT:

To explain the problem in more detail. You have two pages, the new.php page and the viewauthorbooks.php page. You're sending users from the new page to the view page using the link you posted, right?

The problem with that is, your link assigns one variable in get. Here's the query string it would generate:

viewauthorbooks.php?author_id=13

What that will do is send the user to viewauthorbooks and place the value '13' in the $_GET variable: $_GET['author_id']. That is why the author_id is there and displays on viewauthorbooks. However, authorname is never passed to viewauthorbooks, it isn't in $_GET['authorname'] because you never set $_GET['authorname']. If you want it to be in $_GET, then you need your query string to look like this:

viewauthorbooks.php?author_id=13&authorname=bob

You can accomplish that using the new HTML code for the link I posted above. Look at it closely, there's a key difference from the one you have now.

However, it is generally discouraged to pass data through GET, because the query string is displayed to the user and it leaves you open to injection attacks. A better way to do this would be to use the author_id you are already passing to viewauthorbooks.php to retrieve the authorname from the database again. You can use the same code you used on the new.php page.

Daniel Bingham
That's what I'm trying to do (on the new page) with this: $sql = "SELECT author_id, authorname FROM authors_tb WHERE author_id=".$author_id" Have I got the gist of this wrong, or even the syntax?
Yvonne
Your select is fine, however, variables don't transfer across pages in php. You aren't passing the authorname value to the viewauthorbooks.php page anywhere. You need to send the authorname value to viewauthorbooks.php somehow. You can do it through $_GET by using the link I posted above. Or you could use the author_id and run that same query again on the viewauthorbooks.php page.
Daniel Bingham
A: 

This is because you do not define the author name in your get.

You should make the following your url:

<a href="viewauthorbooks.php?author_id=<?php echo $row['author_id']?>&authorname=<?php echo urlencode($row['authorname'])?>"><?php echo htmlspecialchars($row['authorname'])?></a>

Or rather select the data from the database again, on the new page, using the ID you retrieved from the URI.

Machiel
That's what I'm trying to do (on the new page) with this: $sql = "SELECT author_id, authorname FROM authors_tb WHERE author_id=".$author_id" Have I got the gist of this wrong, or even the syntax?
Yvonne
A: 

You could pull the author_id from the query string as you did using $_GET, but beware: you will need to validate what is coming through the query. I hope you can see how bad a security hole this is without validation.

I am at work at the moment, but this is a quick example that should give you what you need without sanitizing your query.

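// Note: the mysql_* functions were removed in PHP 7; use mysqli or PDO on current PHP.
$id = intval($_GET['author_id']);
// of course, perform more validation checks
// just don't assume it's safe.
$sql = "SELECT authorname FROM authors_tb WHERE author_id=" . $id;
$result = mysql_query($sql);
while ($row = mysql_fetch_array($result)) {
    // escape the value before it goes into the HTML page
    echo "The books for: " . htmlspecialchars($row['authorname']);
}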

The reason why your approach wasn't working was because you utilize the $_GET URL parameter passing for author_name where you weren't supplying the parameters in the URL, just the author_id.

Anthony Forloney
@Downvoter, what is wrong with the answer? I will be sure to revise.
Anthony Forloney
To make it `$id = intval($_GET['author_id']);` is just 8 characters longer, and you spent 10 times more for the useless comment instead. Ever consider that your code would be just copypasted?
Col. Shrapnel
You are absolutely correct, I spent too much time editing the answer blabbing on about nothing in particular and missed out on the important parts. No argument there. I revised my answer to hopefully make up for it.
Anthony Forloney
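
The lookup the answers recommend (fetch the name again from author_id, validate the id, escape on output), written out as an added example that is not part of any answer in the thread. It assumes PDO with an in-memory SQLite table standing in for the poster's MySQL authors_tb; authorHeading() and authorLink() are hypothetical names.

```php
<?php
// Added example, not code from the thread. Constructed data: an in-memory
// SQLite table stands in for the poster's MySQL authors_tb.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE authors_tb (author_id INTEGER PRIMARY KEY, authorname TEXT)');
$pdo->exec("INSERT INTO authors_tb VALUES (13, 'bob'), (23, 'Tom & <b>Jerry</b>')");

// Hypothetical helper: returns the HTML heading for viewauthorbooks.php, or
// null when author_id is missing, malformed, or not in the table.
function authorHeading(PDO $pdo, array $query): ?string
{
    // Accept only a positive integer; "23abc", "-1" and arrays are rejected.
    $id = filter_var($query['author_id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Bound parameter: the request value never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT authorname FROM authors_tb WHERE author_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    if ($name === false) {
        return null;
    }
    // Escape at output time, for the HTML context the value lands in.
    return '<h1>The books for: ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</h1>';
}

// Hypothetical helper for the listing page: only the id travels in the link.
function authorLink(array $row): string
{
    $href = 'viewauthorbooks.php?' . http_build_query(['author_id' => $row['author_id']]);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($row['authorname'], ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed requests standing in for $_GET: valid, malformed, missing.
foreach ([['author_id' => '23'], ['author_id' => '23abc'], []] as $get) {
    echo authorHeading($pdo, $get) ?? '<h1>Author not found</h1>', "\n";
}
echo authorLink(['author_id' => 23, 'authorname' => 'Tom & <b>Jerry</b>']), "\n";
```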