
Thread: dynamic urls

  1. #1
    Regular Coder
    Join Date
    Jul 2005
    Location
    Oxfordshire, UK
    Posts
    144
    Thanks
    0
    Thanked 0 Times in 0 Posts

    dynamic urls

    hi,

    I have a profiles page that lists all the usernames in my database.

    The usernames in the list are linked to a page called profile.php. I want to be able to set up the link so that it would look something like profile.php?username=username (this being the name of the user that is shown). This is simple enough and I can do this. The part I am stuck with is querying the database. Not quite sure how to construct the page to filter and show the profile of just that one user. Can anyone help me out?

    Thanks.

  • #2
    New Coder
    Join Date
    Aug 2005
    Posts
    47
    Thanks
    0
    Thanked 0 Times in 0 Posts
    When you run your query to get the list of usernames, SELECT everything you will want to display on the profile page. Then you can use $_GET to pull info of the user that is associated with your link.
    PHP Code:
    if(isset($_GET['id'])) { // or ['username']
        $title = $username."'s Profile";
        // whatever else you want to show on profile
    }


    There may be other (or even better) ways, but this is the method I know.

  • #3
    Senior Coder Nightfire's Avatar
    Join Date
    Jun 2002
    Posts
    4,265
    Thanks
    6
    Thanked 48 Times in 48 Posts
    Need security checks on this.

    PHP Code:
    <?php
    if(isset($_GET['username'])){
        // $_GET['username'] goes into the query unescaped here (the missing security checks)
        $str = 'SELECT username, address,etc,etc FROM table WHERE username="'.$_GET['username'].'"';
        $result = mysql_query($str) or die("Mysql Error: ".mysql_error());

        while($row = mysql_fetch_array($result)){
            echo $row['username'] . $row['address'] . $row['etc'];
        }
    }
    ?>

  • #4
    Regular Coder
    Join Date
    Jul 2005
    Location
    Oxfordshire, UK
    Posts
    144
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thanks for the reply. I will try that out tonight. So I assume that

    if(isset($_GET['username'])){

    is getting the username from the url variable. Is that right?

    Then the rest of the code is getting whatever fields from the database that I want to display related to that username?

  • #5
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    Yes, that is correct.
    script.php?username=Fou-Lu for instance, the $_GET['username'] contains the value of Fou-Lu.
    Now, Nightfire's missing something very important as well, mysql_real_escape_string:
    PHP Code:
    <?php
    if(isset($_GET['username'])){
        // Escape the request value before it is placed inside the quoted SQL string
        $query = "SELECT username, address,etc,etc FROM table WHERE username='" . mysql_real_escape_string($_GET['username']) . "'";
        $result = mysql_query($query) or die("Mysql Error: ".mysql_error());

        while($row = mysql_fetch_array($result)){
            echo $row['username'] . $row['address'] . $row['etc'];
        }
    }
    ?>
    This will help to prevent the use of SQL injections on your query.

  • #6
    Senior Coder Nightfire's Avatar
    Join Date
    Jun 2002
    Posts
    4,265
    Thanks
    6
    Thanked 48 Times in 48 Posts
    Was in a rush, so just skipped all the security stuff and just did a basic script

  • #7
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    No worries, figured you were hurried with the etc,etc field names
    I hear you there, we could all go on for hours of how to create 'ultimate' security, but it would take the 7 lines of code we have here to like, 30, lol.

    I'm just too anal about a few things, specifically superglobals and (to a lesser degree, but still at least as important) mysql_real_escape_string().
    Nothing bothers me more than those who rely on register_globals or use $HTTP_*_VARS and wonder why their functions don't work correctly. Lol, methinks being an Auditor makes me a little picky on the details eh
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 
    Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)

  • #8
    New Coder
    Join Date
    Aug 2005
    Posts
    47
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Details are good, Fou-Lu. I'll be adding these security checks to my own current project, thanks to you and Nightfire.

  • #9
    Senior Coder missing-score's Avatar
    Join Date
    Jan 2003
    Location
    UK
    Posts
    2,194
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by Fou-Lu
    I'm just too anal about a few things, specifically superglobals and (to a lesser degree, but still at least as important) mysql_real_escape_string().
    Nothing bothers me more than those who rely on register_globals or use $HTTP_*_VARS and wonder why their functions don't work correctly. Lol, methinks being an Auditor makes me a little picky on the details eh
    It isn't a bad thing! Especially not the mysql_real_escape_string() bit... Superglobals I can deal with but usually try and make sure everyone understands that is (well should be) a thing of the past.

    The main thing I keep trying to push is that before posting try putting error_reporting(E_ALL); at the top of your script, or make sure error reporting is set to maximum, because most errors can be worked out from this.

    Anyway, my point in posting is that you are using a while loop when you don't actually need it... It would be better to use the following:

    PHP Code:
    <?php
    if(isset($_GET['username'])){
        // Escape the request value before it is placed inside the quoted SQL string
        $query = "SELECT username, address,etc,etc FROM table WHERE username='" . mysql_real_escape_string($_GET['username']) . "'";
        $result = mysql_query($query) or die("Mysql Error: ".mysql_error());

        // One row at most is expected, so fetch once instead of looping
        if($row = mysql_fetch_array($result)){
            echo $row['username'] . $row['address'] . $row['etc'];
        }
        else
        {
            echo 'User not found in database.';
        }
    }
    ?>
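
The thread's point about the unescaped `$_GET['username']`, as an added example that is not part of any post above: the concatenated query from post #3 beside a parameterized one, using PDO with an in-memory SQLite database in place of the thread's `mysql_*` functions (which were removed in PHP 7). The `users` table, its rows, the function names and the sample inputs are constructed for illustration.

```php
<?php
// Added example. Assumed: PDO with the SQLite driver; the `users` table and
// its rows are constructed stand-ins for the thread's placeholder `table`.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, address TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', '1 Main St'), ('o''brien', '2 Side Rd')");

// Post #3 style: the request value is pasted straight into the SQL text.
function profileConcatenated(PDO $db, string $username): array
{
    $sql = "SELECT username, address FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the SQL text is fixed and the value travels as a bound parameter.
function profilePrepared(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT username, address FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Same single-row / not-found handling as post #9.
function render(?array $row): string
{
    if ($row === null) {
        return 'User not found in database.';
    }
    // Stored values are untrusted when echoed into HTML, so encode on output.
    return htmlspecialchars($row['username'] . ' ' . $row['address'], ENT_QUOTES, 'UTF-8');
}

// Constructed inputs standing in for $_GET['username'].
$inputs = ['alice', "o'brien", "x' OR '1'='1"];
foreach ($inputs as $in) {
    try {
        $concat = count(profileConcatenated($db, $in)) . ' row(s)';
    } catch (PDOException $e) {
        $concat = 'SQL error';
    }
    printf("%-14s concatenated: %-9s prepared: %s\n", $in, $concat, render(profilePrepared($db, $in)));
}
```

The apostrophe case shows the concatenated query failing on a legitimate name, and the last input shows it matching rows it should not, while the bound parameter treats both as plain data.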

