tags:

views:

170

answers:

2

if you take a look at a previous question

http://stackoverflow.com/questions/2690742/mod-rewrite-title-slugs-and-htaccess

I am using the solution that Col. Shrapnel proposed- but when i assign values to $_GET in the actual file and not from a request the code doesnt work. It defaults away from the file as if the $_GET variables are not set

The code I have come up with is-

if(!empty($_GET['cat'])){

    $_GET['target'] = "category";


    if(isset($_GET['page'])){

        $_GET['pageID'] = $_GET['page'];

    }

    $URL_query = "SELECT category_id FROM cats WHERE slug = '".$_GET['cat']."';";
    $URL_result = mysql_query($URL_query);
    $URL_array = mysql_fetch_array($URL_result);

    $_GET['category_id'] = $URL_array['category_id'];



}elseif($_GET['product']){

    $_GET['target'] = "product";


    $URL_query = "SELECT product_id FROM products WHERE slug = '".$_GET['product']."';";
    $URL_result = mysql_query($URL_query);

    $URL_array = mysql_fetch_array($URL_result);
    print_r($URL_array);

    $_GET['product_id'] = $URL_array['product_id']; 

The original variable string that im trying to represent is

/cart.php?Target=product&product_id=16142&category_id=249

And i'm trying to build the query string variables with code and including cart.php so i can use cleaner URL's

So I have product/product-title-with-clean-url/ going to slug.php?product=slug

Then the slug searches the db for a record with the matching slug and returns the product_id as in the code above.Then built the query string and include cart.php

+1  A: 

Many things wrong with this code.

1 I consider it bad form to set GET variables like that

2 It appears as if only about 6 lines of your code is actually being used.

$_GET['target'] = "category";

Isn't used, along with a bunch of other stuff.

3 Youre asking to get SQL injected here:

$URL_query = "SELECT category_id FROM cats WHERE slug = '".$_GET['cat']."';";

if $_GET['cat'] is

'';delete * from cats

then your query is

SELECT category_id FROM cats WHERE slug = '';delete * from cats;

And all your cats are gone

use mysql_real_escape_string() if you must use the mysql_ functions

As for your actual problem. What isn't working? are you getting an error? We need more info

Galen
nothing to do with the problem.
chris
Basically how do you overwrite $_GET variables?
chris
If you actually read my answer you'd see that i asked you at the end about your problem. This was before you editetd your question and added more information.
Galen
you don't "overwrite" get variables. you send the visitor to a new page with get variables added to the url.
Galen
i overwrote the $_REQUEST variables, i shouldnt have posted the code it just confused you guys- the code which im editing used $_REQUEST for get vars instead of $_GET
chris
+1  A: 

Ok, your code will never work. Given your query of

/cart.php?Target=product&product_id=16142&category_id=249

your $_GET will be populated as follows:

$_GET = array(
    'Target' => 'product',
    'product_id' => 16142,
    'category_id' => 249
)

You then use the following structure:

if(!empty($_GET['cat'])){
   ... stuff part 1...
}elseif($_GET['product']){
   ... stuff part 2...
  1. There is no 'cat' parameter in your query (and therefore will not be in $_GET either), so empty() returns true, is negated, and therefore the "stuff part 1" never executes.
  2. There is no 'product' parameter in your query (and therefore will not be in $_GET either), so the elseif is false and therefore doesn't execute the 'stuff part 2' section either.

As for your comment about overwriting $_GET variables, you just assign a new value to it. But that's the wrong way of going about it. $_GET (and its cousins $_POST, and $_REQUEST) should never be overwritten. They SHOULD be treated as read-only arrays.

It may be ok in your application to do so, but consider that GET/POST/REQUEST are not the only places that data can be retrieved. Perhaps some module/library you're using accesses HTTP_QUERY_VARS (which is deprecated), or $_SERVER['QUERY_STRING'] or _$SERVER['REQUEST_URI']. They all basically contain the same info, but are stored seperately internally in PHP. If you modify $_GET, and then a library retrieves its own copies of the query variables from one of the alternate locations, it will get something completely different from the value you just overwrote, because you only overwrote it one place. Remember, those magical arrays are created by PHP before your code executes, and then are never touched again by PHP's internals. Try the following:

testscript.php?yo=dude:

<?
echo '<pre>';

echo "Before:\n";
echo "GET yo: ", $_GET['yo'], "\n";
echo "REQUEST yo: ", $_REQUEST['yo'], "\n";

$_GET['yo'] = "haha, it's not the same anymore";

echo "after:\n";
echo "GET yo: ", $_GET['yo'], "\n";
echo "REQUEST yo: ", $_REQUEST['yo'], "\n";

put it in a script, fire it up in a browser. This is what you'll get:

Before:
GET yo: dude
REQUEST yo: dude
after:
GET yo: haha, it's not the same anymore
REQUEST yo: dude

Notice that _REQUEST has not auto-updated with your new value. Now you've got inconsistent data, and that could potentially completely break your application.

Marc B