
dynamic urls



robojob
09-13-2005, 08:29 AM
Hi,

I have a profiles page that lists all the usernames in my database.

The usernames in the list are linked to a page called profile.php. I want to be able to set up the link so that it would look something like profile.php?username=username (this being the name of the user that is shown). This is simple enough and I can do this. The part I am stuck with is querying the database. Not quite sure how to construct the page to filter and show the profile of just that one user. Can anyone help me out?

Thanks.

webby
09-13-2005, 09:19 AM
When you run your query to get the list of usernames, SELECT everything you will want to display on the profile page. Then you can use $_GET to pull the info of the user that is associated with your link.

if(isset($_GET['username'])) { // or ['id'] if you link by numeric id

$username = $_GET['username']; // value taken from the URL, not from register_globals
$title = $username."'s Profile";
// whatever else you want to show on profile

}
There may be other (or even better) ways, but this is the method I know.

Nightfire
09-13-2005, 10:12 AM
Need security checks on this.



<?php
if(isset($_GET['username'])){
$str = 'SELECT username, address,etc,etc FROM table WHERE username="'.$_GET['username'].'"';
$result = mysql_query($str) or die("Mysql Error: ".mysql_error());

while($row = mysql_fetch_array($result)){
echo $row['username'] . $row['address'] . $row['etc'];
}
}
?>

robojob
09-13-2005, 01:02 PM
Thanks for the reply. I will try that out tonight. So I assume that

if(isset($_GET['username'])){

is getting the username from the URL variable. Is that right?

Then the rest of the code is getting whatever fields from the database that I want to display related to that username?

Fou-Lu
09-13-2005, 03:21 PM
Yes, that is correct.
For script.php?username=Fou-Lu, for instance, $_GET['username'] contains the value Fou-Lu.
Now, Nightfire's missing something very important as well, mysql_real_escape_string:


<?php
if(isset($_GET['username'])){
$query = "SELECT username, address,etc,etc FROM table WHERE username='" . mysql_real_escape_string($_GET['username']) . "'";
$result = mysql_query($query) or die("Mysql Error: ".mysql_error());

while($row = mysql_fetch_array($result)){
echo $row['username'] . $row['address'] . $row['etc'];
}
}
?>

This will help to prevent the use of SQL injections on your query.

Nightfire
09-13-2005, 07:31 PM
Was in a rush, so just skipped all the security stuff and just did a basic script :)

Fou-Lu
09-13-2005, 07:37 PM
No worries, figured you were hurried with the etc,etc field names ;)
I hear you there; we could all go on for hours about how to create 'ultimate' security, but it would take the 7 lines of code we have here to, like, 30, lol.

I'm just too anal about a few things, specifically superglobals and (to a lesser degree, but still at least as important) mysql_real_escape_string().
Nothing bothers me more than those who rely on register_globals or use $HTTP_*_VARS and wonder why their functions don't work correctly. Lol, methinks being an Auditor makes me a little picky on the details, eh ;)

webby
09-13-2005, 07:59 PM
Details are good, fou-lu. :) I'll be adding these security checks to my own current project, thanks to you and Nightfire. :thumbsup:

missing-score
09-13-2005, 08:42 PM
I'm just too anal about a few things, specifically superglobals and (to a lesser degree, but still at least as important) mysql_real_escape_string().
Nothing bothers me more than those who rely on register_globals or use $HTTP_*_VARS and wonder why their functions don't work correctly. Lol, methinks being an Auditor makes me a little picky on the details, eh ;)

It isn't a bad thing! Especially not the mysql_real_escape_string() bit... Superglobals I can deal with, but I usually try and make sure everyone understands that is (well, should be) a thing of the past.

The main thing I keep trying to push is that before posting, try putting error_reporting(E_ALL); at the top of your script, or make sure error reporting is set to maximum, because most errors can be worked out from this.

Anyway, my point in posting is that you are using a while loop when you don't actually need it... It would be better to use the following:



<?php
if(isset($_GET['username'])){
$query = "SELECT username, address,etc,etc FROM table WHERE username='" . mysql_real_escape_string($_GET['username']) . "'";
$result = mysql_query($query) or die("Mysql Error: ".mysql_error());

if($row = mysql_fetch_array($result)){
echo $row['username'] . $row['address'] . $row['etc'];
}
else
{
echo 'User not found in database.';
}
}
?>
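Added example (not code from any poster in this thread) that pulls together Fou-Lu's injection point and missing-score's single-row lookup. The first function rebuilds the string Nightfire's snippet sends to MySQL so you can see what a hostile username does to it; the second is a profile.php written with PDO prepared statements, which keep the value out of the SQL text entirely, plus an input length check, a 404 for unknown users, and HTML escaping on output (an unescaped username echoed into the page is a stored XSS, separate from the SQL issue). The table name `users`, the columns `username`/`address`, the DSN and the credentials are assumptions for illustration; `mysql_*` is gone in modern PHP, so `PDO` is used instead.

```php
<?php
// Added example, not from the original thread.
// Assumed schema: table `users` with columns `username` and `address`.

// 1. What string concatenation hands to MySQL. With
//    ?username=x" OR "1"="1 the WHERE clause is always true and the
//    "one user" page returns every profile in the table.
function vulnerableQuery(string $username): string
{
    return 'SELECT username, address FROM users WHERE username="' . $username . '"';
}
// echo vulnerableQuery('x" OR "1"="1');
// -> SELECT username, address FROM users WHERE username="x" OR "1"="1"

// 2. Hardened lookup: the username travels as a bound parameter, so it can
//    change only the value being compared, never the structure of the query.
function showProfile(PDO $pdo, string $username): void
{
    // Usernames are not arbitrarily long; reject nonsense early.
    if ($username === '' || strlen($username) > 64) {
        http_response_code(400);
        echo 'Invalid username.';
        return;
    }

    $stmt = $pdo->prepare(
        'SELECT username, address FROM users WHERE username = ? LIMIT 1'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        http_response_code(404);
        echo 'User not found in database.';
        return;
    }

    // Escape before echoing so a username like <script>... is shown as text.
    $name    = htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8');
    $address = htmlspecialchars($row['address'], ENT_QUOTES, 'UTF-8');
    echo '<h1>', $name, "'s Profile</h1>\n";
    echo '<p>', $address, "</p>\n";
}

// is_string() guards against ?username[]=x, which PHP turns into an array.
if (isset($_GET['username']) && is_string($_GET['username'])) {
    // Assumed DSN and credentials; ERRMODE_EXCEPTION so failures are not
    // silently swallowed, EMULATE_PREPARES off for server-side binding.
    $pdo = new PDO(
        'mysql:host=localhost;dbname=site;charset=utf8mb4',
        'dbuser',
        'dbpass',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
    showProfile($pdo, $_GET['username']);
}
```

Two things the thread's snippets do that this one deliberately does not: it never prints `mysql_error()` to the visitor (database errors belong in the server log, not the page, since they tell an attacker the table and column names), and it does not rely on `mysql_real_escape_string()` being called against the right connection and charset, which is the classic way that escaping-based defences fail.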


