tags:
views: 278
answers: 3

Hello,

I have this code:

<?php
session_start();
if (isset($_GET["cmd"]))
  $cmd = $_GET["cmd"];
else
  die("You should have a 'cmd' parameter in your URL");

$con = mysql_connect("localhost","xxx","xxx");
if(!$con)
{
  die('Connection failed because of ' .mysql_error());
}
mysql_select_db("ebay",$con);

if($cmd=="GetAuctionData")
{
  echo "<table border='1' width='100%'>
  <tr>
  <th>Seller ID</th>
  <th>Start Date</th>
  <th>Description</th>
  </tr>";
  // Hard-coded filter: this is the part that should use the clicked record's primary key instead.
  $sql="SELECT * FROM Auctions WHERE ACCESSSTARTS='8.7.2008 17:18:37'";
  $result = mysql_query($sql);
  if(!$result)
  {
    die('Query failed because of ' .mysql_error());
  }
  while ($row = mysql_fetch_array($result))
  {
    echo "<tr>
    <td>".$row['SELLER_ID']."</td>
    <td>".$row['ACCESSSTARTS']."</td>
    <td>".$row['ARTICLE_NAME']."</td>
    </tr>";
  }
  echo "</table>";
}
mysql_close($con);
?>

Which is called from an AJAX JavaScript file, which in turn is called from the main page. I would like to know how to modify this to take a parameter, so instead of hard-coding it in $sql, it would return the record that was clicked on. If I click on a record in the main page it will pass the primary key to this code and perform the relevant query.

Please do not suggest a framework, as it is not the answer I am looking for, and would like to know how to write what I want regardless.

+3  A: 

The quickest, simplest way to do this is like this:

$sql = "SELECT * FROM Auctions WHERE id = " . (int)$_GET['auction_id'];

The (int) part casts the string from the url to an integer so you're safe from SQL injection. The worst that can happen is it will come out "id = 0" and you'll get no results.

Greg
Hi Roborg, thank you for your reply. Would I have to add something to the JavaScript function and main page as well?
Joshxtothe4
Greg
Sorry, I mean how would I pass this to JavaScript so it can be passed to this PHP code?
Joshxtothe4
It depends how the rest of your code works... I guess you have a list of auctions in a table, and something like <a href="" onclick="getAuctionData(); return false;"> - you'll need to add the ID as a parameter, like onclick="getAuctionData(<?=$auctionId;?>); return false;"
Greg
Do you know why my question was voted down so much?
Joshxtothe4
A: 

You just want something like

if (!$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT)) {
    die('Id is not a valid integer');
}
$sql="SELECT * FROM Auctions WHERE auction_id = $id";
OIS
+2  A: 

Calls from your AJAX libraries are the same as any other page load, as far as PHP is concerned. So you get parameters the same way you would for any other page: $_POST, $_GET, or $_REQUEST. ALWAYS check your inputs to make sure they are the type you think they are. In this case either force it to int with (int), or use is_numeric($input) depending on what you want to do with failure, and your style.

Something like:

// Read the value without tripping an undefined-index notice when it is absent.
$input = isset($_REQUEST['AuctionID']) ? $_REQUEST['AuctionID'] : '';
if (!is_numeric($input) ) {
    $input = 0;
    // Do something smart to report the error...
}
$sql="SELECT * FROM Auctions WHERE AuctionID=$input";

Also, get your SQL and your HTML separated so they are easier to work on independently. Start fighting bad habits today.

acrosman
What is the best way to separate SQL and HTML? How would I pass $inputID to the JavaScript, so it can be passed to this PHP code in turn?
Joshxtothe4
acrosman
Thanks. My entire project at the moment is here: http://www.nomorepasting.com/getpaste.php?pasteid=22158, http://www.nomorepasting.com/getpaste.php?pasteid=22159, http://www.nomorepasting.com/getpaste.php?pasteid=22160 but I am unsure how to modify the other two files to actually pass it
Joshxtothe4
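The three answers above make two points: validate the incoming ID as an integer before it touches SQL (Greg, OIS, acrosman), and keep the SQL and the HTML apart (acrosman). The following is an added example, not the original poster's code nor any of the answerers', that does both in one endpoint. It uses mysqli prepared statements rather than the mysql_* functions in the question, because the ext/mysql extension was removed in PHP 7; the column name AuctionID, the query parameter name auction_id, and the file name getauction.php are assumptions, and the Auctions columns shown are the ones the original code displays. With a bound parameter the ID never becomes part of the SQL text, so the integer check is input validation rather than the only thing standing between the URL and the database.

```php
<?php
// Added example (not the original poster's or answerers' code). Assumes a table
// Auctions with an integer primary key AuctionID (assumed name) and the columns
// SELLER_ID, ACCESSSTARTS and ARTICLE_NAME from the question.
declare(strict_types=1);

// --- SQL layer: returns data, emits no HTML ---
function getAuction(mysqli $db, int $id): ?array
{
    // The '?' placeholder keeps the value out of the SQL string; bind_param('i')
    // sends it as an integer, so even a hostile value cannot change the query.
    $stmt = $db->prepare(
        'SELECT SELLER_ID, ACCESSSTARTS, ARTICLE_NAME FROM Auctions WHERE AuctionID = ?'
    );
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

// --- HTML layer: renders rows, runs no SQL ---
function renderAuctionTable(array $rows): string
{
    $esc = static fn($v): string => htmlspecialchars((string)$v, ENT_QUOTES, 'UTF-8');
    $html = "<table border='1' width='100%'>\n"
          . "<tr><th>Seller ID</th><th>Start Date</th><th>Description</th></tr>\n";
    foreach ($rows as $row) {
        // Escape database content before it reaches the browser (stored XSS otherwise).
        $html .= '<tr><td>' . $esc($row['SELLER_ID']) . '</td>'
               . '<td>' . $esc($row['ACCESSSTARTS']) . '</td>'
               . '<td>' . $esc($row['ARTICLE_NAME']) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// --- Controller: validate input, then connect the two layers ---
// The JavaScript side requests something like (assumed file and parameter names):
//   getauction.php?cmd=GetAuctionData&auction_id=42
// building the URL with encodeURIComponent(id) on the clicked row's key.
$cmd = $_GET['cmd'] ?? '';
if ($cmd !== 'GetAuctionData') {
    http_response_code(400);
    exit("You should have a 'cmd' parameter in your URL");
}

// FILTER_VALIDATE_INT returns false for anything that is not a plain integer
// and null when the parameter is missing; min_range rejects 0 and negatives.
$id = filter_input(INPUT_GET, 'auction_id', FILTER_VALIDATE_INT,
                   ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('auction_id must be a positive integer');
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false
$db = new mysqli('localhost', 'xxx', 'xxx', 'ebay');
$db->set_charset('utf8mb4');

$row = getAuction($db, $id);
$db->close();

if ($row === null) {
    http_response_code(404);
    exit('No such auction');
}
echo renderAuctionTable([$row]);
```

Because getAuction() and renderAuctionTable() know nothing about each other, either can be changed or unit-tested on its own, which is the separation acrosman recommends; the controller section at the bottom is the only code that sees $_GET.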