I am working on my website, and I am trying to get the URL parameter "page", which is an integer that tells which entry to read in the MySQL database that holds the HTML for all the pages. Here is my code, with the MySQL username and password removed for security reasons:

  if ($_GET["page"]) {
  $con = mysql_connect("localhost","username","password");
  if (!$con)
  {
    die('Could not connect: ' . mysql_error());
  }
  mysql_select_db("jmurano_pages", $con);
  $title=mysql_query("SELECT title FROM pageContent WHERE pageID=" . $_GET['page']);
  echo "<title>" . $title . "</title>\n";
  echo "</head>\n";
  echo "<body>\n";
  $content = mysql_query("SELECT content FROM pageContent WHERE pageID=" . $_GET['page']);
  echo $content;
  echo "\n</body>\n</html>";
}

This puts the title as "Resource id #2" and the content as "Resource id #3". I can't think of what I may have done wrong.

A: 

You should read the manual http://de.php.net/mysql_query

Return Values

For SELECT, SHOW, DESCRIBE, EXPLAIN and other statements returning resultset, mysql_query() returns a resource on success, or FALSE on error.

For other type of SQL statements, INSERT, UPDATE, DELETE, DROP, etc, mysql_query() returns TRUE on success or FALSE on error.

The returned result resource should be passed to mysql_fetch_array(), and other functions for dealing with result tables, to access the returned data.

andy.gurin
A: 

Also, you have a SQL Injection vulnerability... never put $_GET, $_POST or other user-supplied variables directly into queries.

You should do:

$page = $_GET["page"];
$escaped_page = mysql_real_escape_string($page);

and put $escaped_page into your query.

And even better: $page = isset($_GET["page"]) ? intval($_GET["page"]) : -1;
Falco Foxburr
this is good advice, but I'm downvoting since it doesn't even attempt to answer the question.
nickf
A: 

I'm still confused. I'm a complete PHP newbie. What exactly do I need to do to access the content and title?

John Murano
+3  A: 

Apart from the injection vulnerability (see John's answer) you should get the title from the mysql_query using

 $res = mysql_query("SELECT title FROM pageContent WHERE pageID=" . $escapedpage);
 $title = mysql_fetch_assoc($res);
 $title = $title['title'];
 $res2 = mysql_query("SELECT content FROM pageContent WHERE pageID=" . $escapedpage);
 $content = mysql_fetch_assoc($res2);
 $content = $content['content'];

However I think it would be wise if you would follow an online mysql php tutorial.

EDIT
even better would be to just use 1 mysql_query like so:

$res = mysql_query("SELECT title, content FROM pageContent WHERE pageID=" . $escapedpage);
$row = mysql_fetch_assoc($res);
$title = $row['title'];
$content = $row['content'];

That would save your script time and resources since there is only need for one mysql query.
This tutorial is rather good: http://www.freewebmasterhelp.com/tutorials/phpmysql

Pim Jager
Yep, that should fix it. OP did not fetch the data from the resource, but instead used the $content resource handle as a variable. Handles are an unwieldy concept to grasp but they are certainly helpful. :)
Abyss Knight
+1  A: 

Here's some pseudo code.

$result = mysql_query($sql);

//for each row in the result, do stuff with it...
while ($row = mysql_fetch_array($result)){
  $title = $row["title"];
  $content = $row["content"];

  //this will show you the row data visually
  //var_dump($row);
}

As a PHP newb, learn to debug (use var_dump if necessary), read documentation, and read tutorials.

Also, there are a massive amount of php + mysql tutorials online... google "php and mysql"

Good luck!

A: 

One more thing.. you can select both title and content in one query:

SELECT title, content FROM ....

+2  A: 

You've obviously got a lot to learn (we all had to start somewhere!), so a single answer on SO won't be able to teach you everything, but here's a starter:

When you run mysql_query on a SELECT query, it will return one of two things:

  • if there was an error in your query, it will return false.
    • Details about this error are available by calling mysql_error()
  • if the query was fine it will return a resource
    • Using this resource, you can call other mysql functions to find out information about the dataset you've just created with your SELECT.
    • mysql_fetch_assoc() will return an associative array of ONE row from your query.
      • Do this to see: $row = mysql_fetch_assoc($resource); print_r($row);
    • Call it again to retrieve the next row.
    • When there's no more rows, mysql_fetch_assoc() will return false.
      • Therefore you can write loops like this:
        while ($row = mysql_fetch_assoc($resource)) { /* do stuff */ }
nickf
+1  A: 

You should retrieve both fields in one query as that will probably be faster. Also, assuming pageID is always an integer, you should first cast that to an integer to prevent SQL injection. I would use something like:

<?php
if (isset($_GET["page"])) {
    $con = mysql_connect("localhost","username","password");
    if (!$con) {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db("jmurano_pages", $con);

    $pageId = (int) $_GET['page'];

    $result = mysql_query('SELECT title, content FROM pageContent WHERE pageID= ' . $pageId);

    if (!$result) {
        die(mysql_error());
    }

    $row = mysql_fetch_assoc($result);

    if (!$row) {
        die('page not found');
    }

    echo "<title>" . $row['title'] . "</title>\n";
    echo "</head>\n";
    echo "<body>\n";
    echo $row['content'];
    echo "\n</body>\n</html>";

} else{ 
    //what are you going to do if page is not passed?
}
?>

Note that

  • You may want to put your database connection code into a separate place so you don't have to copy it onto several pages
  • You should probably read about SQL injection, and some methods of how to keep HTML and PHP (presentation and logic) separate otherwise you may end up with very messy code
Tom Haigh
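
Added example (not part of the original answers or the asker's code): the single-query, integer-validated lookup the answers above describe, written with PDO and a bound parameter because the mysql_* functions were removed in PHP 7, and showing the handle-versus-row distinction nickf explains. The in-memory SQLite table, its rows, the loadPage() helper and the sample inputs are constructed here so the script runs offline; swap the DSN for your MySQL connection.

```php
<?php
// Added example. Constructed data: an in-memory SQLite table stands in for
// the MySQL pageContent table so the script runs offline (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pageContent (pageID INTEGER PRIMARY KEY, title TEXT, content TEXT)');
$db->exec("INSERT INTO pageContent VALUES (1, 'Home', '<p>Welcome</p>'), (2, 'About', '<p>About us</p>')");

/**
 * Hypothetical helper: returns ['title' => ..., 'content' => ...] for a page,
 * or null when the id is not a positive integer or no such row exists.
 */
function loadPage(PDO $db, $rawPage): ?array
{
    // Accept only a whole number. Escaping alone would not help here: the
    // value sits in an unquoted numeric position, so there is nothing to escape.
    $pageId = filter_var($rawPage, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($pageId === false) {
        return null;
    }
    // The value is bound as data, so it never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT title, content FROM pageContent WHERE pageID = :id');
    $stmt->bindValue(':id', $pageId, PDO::PARAM_INT);
    $stmt->execute();
    // $stmt is only a handle, like the "Resource id #2" in the question;
    // fetch() returns one row, or false when there are no more rows.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs standing in for $_GET['page'].
foreach (['2', '99', 'abc', '1 OR 1=1', null] as $raw) {
    $page = loadPage($db, $raw);
    if ($page === null) {
        echo var_export($raw, true) . " => page not found\n";
        continue;
    }
    // Escape the title for HTML; content is stored as HTML by design.
    echo var_export($raw, true) . ' => <title>'
        . htmlspecialchars($page['title'], ENT_QUOTES, 'UTF-8') . "</title>\n";
}
```

Only the input '2' prints a title; the missing id, the non-numeric strings and the absent parameter all take the "page not found" branch.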