
Trying to make a simple book catalog


fishmon...@gmail.com

Feb 20, 2007, 8:20:49 PM
Hi!
I'm a librarian with a little PHP knowledge.. I'm trying to make a
catalog from scratch for my library. I don't like the look of the
current catalog so I'm trying to make a custom PHP/MySQL
implementation.

I can do everything I need to do except, I don't completely understand
a detail. Ideally I could write this:

<a href="catalogrecord.php?recordnum=4">Tom Sawyer</a>

The idea would be to pass the number 4 to the catalogrecord.php page
when the hyperlink is clicked. Then it would know which number in the
catalog it should pull up and display on the next page. Is this
possible? And if so, how could I access the recordnum=4 on the next
php file?

Will

Klarth

Feb 20, 2007, 8:32:41 PM
Yes, it is possible. There look for $_GET["recordnum"] in your
catalogrecord.php script.

Rik

Feb 20, 2007, 8:43:12 PM

The question is a bit vague, but to get you started:

You say MySQL, so I assume that number 4 is an index in the database where
the records are stored? A list of links could be made by:

<?php
mysql_connect('hostname','username','password'); // of your MySQL db
mysql_select_db('catalogue');
$books = mysql_query('SELECT `id`, `name` FROM `book`');
while($book = mysql_fetch_assoc($books)){
    print '<a href="catalogrecord.php?recordnum='.$book['id'].'">'.$book['name'].'</a><br>';
}
?>

And the receiving script would do something like this:

<?php
$book_id = intval($_GET['recordnum']); // force the parameter to an integer
mysql_connect('hostname','username','password'); // of your MySQL db
mysql_select_db('catalogue');
$bookresult = mysql_query('SELECT * FROM `book` WHERE `id` = '.$book_id);
if(mysql_num_rows($bookresult) > 0){
    $book = mysql_fetch_assoc($bookresult);
    foreach($book as $key => $value){
        print $key.':'.$value.'<br>';
    }
} else {
    echo 'Book not found in database.';
}
?>

--
Rik Wasmus

Richard

Feb 20, 2007, 9:45:10 PM
"Klarth" <kah...@gmail.com> writes:

> Yes, it is possible. There look for $_GET["recordnum"] in your
> catalogrecord.php script.

Could someone explain to a noob the use of _get here and why not _post?

Jerry Stuckle

Feb 20, 2007, 9:57:32 PM

Because he's passing it as part of the URL, so it's a GET request. A
POST request would come from a form with method=post.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstu...@attglobal.net
==================

Jerry Stuckle

Feb 20, 2007, 9:59:56 PM

Oops - pressed send too quickly.

When the POST method is used, the parameters are not passed in the link
as part of the query string; rather they are passed by the browser out
of sight of the user.

Rik

Feb 20, 2007, 10:47:48 PM
On Wed, 21 Feb 2007 03:59:56 +0100, Jerry Stuckle
<jstu...@attglobal.net> wrote:

> Richard wrote:
>> "Klarth" <kah...@gmail.com> writes:
>>
>>> Yes, it is possible. There look for $_GET["recordnum"] in your
>>> catalogrecord.php script.
>> Could someone explain to a noob the use of _get here and why not _post?
>
> Oops - pressed send too quickly.
>
> When the POST method is used, the parameters are not passed in the link
> as part of the query string; rather they are passed by the browser out
> of sight of the user.

Which on an 'open' site (this particular project seems to be local) would
have the advantage of being both bookmarkable (hmmmz, something doesn't
feel right about that word) and indexable by a search-engine.

--
Rik Wasmus

Jerry Stuckle

Feb 20, 2007, 11:03:18 PM

Groan, Rik - was that on purpose? :-)

Peter Fox

Feb 21, 2007, 4:24:14 AM

>
>And the receiving script would do something like this:
>
><?php
>$book_id = intval($_GET['recordnum']);
>mysql_connect('hostname','username','password');//of you mysql db
>mysql_select_db('catalogue');
>$bookresult = mysql_query('SELECT * FROM `book` WHERE `id` =
>'.$book_id);
>if(mysql_num_rows($bookresult) > 0){
> $book = mysql_fetch_assoc($bookresult);
> foreach($book as $key => $value){
> print $key.':'.$value.'<br>';
> }
>} else {
> echo 'Book not found in database.';
>}
>?>

Ask why


$book_id = intval($_GET['recordnum']);

is used early on in the script and is it there just to 'keep things
tidy'? What naughty things could happen if it was just
$book_id = $_GET['recordnum'];

Supplementary question: What would you do here if you were getting a
string instead of a number to use in your SQL?

Another supplementary question: Why would it be a _bad_ idea to 'be
helpful' with the 'not found' message by echoing back the input as
follows:
$recno = GET['recordnum'];
print("Sorry we could not find your request for $recno");


--
PETER FOX Not the same since the submarine business went under
pete...@eminent.demon.co.uk.not.this.bit.no.html
2 Tees Close, Witham, Essex.
Gravity beer in Essex <http://www.eminent.demon.co.uk>

Rik

Feb 21, 2007, 5:17:55 AM
Peter Fox <pete...@eminent.demon.co.uk.not.this.bit.no.html> wrote:
>> And the receiving script would do something like this:
>>
>> <?php
>> $book_id = intval($_GET['recordnum']);
>> $bookresult = mysql_query('SELECT * FROM `book` WHERE `id` =
>> '.$book_id);
>> if(mysql_num_rows($bookresult) > 0){
>> $book = mysql_fetch_assoc($bookresult);
>> }
>> } else {
>> echo 'Book not found in database.';
>> }
>> ?>
>
> Ask why
> $book_id = intval($_GET['recordnum']);
> is used early on in the script and is it there just to 'keep things
> tidy'? What naughty things could happen if it was just
> $book_id = $_GET['recordnum'];

Google SQL injection.

> Supplementary question: What would you do here if you were getting a
> string instead of a number to use in your SQL?

If possible prepared statements, else mysql_real_escape_string();

> Another supplementary question: Why would it be a _bad_ idea to 'be
> helpful' with the 'not found' message by echoing back the input as
> follows:
> $recno = GET['recordnum'];
> print("Sorry we could not find your request for $recno");

Because it could contain evil code. I think you know the answers to these
already :P. It's far beyond the scope of the question to go in great
detail about security and database handling; as it was local, I was only
offering a starting point.


--
Rik Wasmus
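Added example, not code from Rik or anyone else in this thread: the receiving script rebuilt around Peter's three questions, using PDO prepared statements for both the numeric and the string case and HTML-escaping anything echoed back. It assumes the `book` table (`id`, `name`) from Rik's post, PDO with the MySQL driver, and placeholder credentials; findByTitle is a hypothetical title lookup added to show the string-parameter case.

```php
<?php
// Added example (not code from this thread): the receiving script rebuilt
// around the three questions above, assuming the `book` table (`id`, `name`),
// PDO with the MySQL driver, and placeholder credentials.

function connect(): PDO {
    return new PDO('mysql:host=localhost;dbname=catalogue;charset=utf8mb4',
        'username', 'password',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
         PDO::ATTR_EMULATE_PREPARES => false]);   // real server-side prepares
}

// Q1: validate rather than coerce. Only a positive integer passes; inputs
// such as "4abc", "-1" or recordnum[]=4 come back as null.
function recordNumber(array $get): ?int {
    $raw = $get['recordnum'] ?? null;
    if (!is_string($raw)) return null;
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function findById(PDO $pdo, int $id): ?array {
    $stmt = $pdo->prepare('SELECT * FROM `book` WHERE `id` = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Q2: a string (hypothetical title search) is bound as a parameter, never
// concatenated, so quotes in it are plain data; only LIKE wildcards need escaping.
function findByTitle(PDO $pdo, string $title): array {
    $stmt = $pdo->prepare('SELECT `id`, `name` FROM `book` WHERE `name` LIKE ?');
    $stmt->execute(['%' . addcslashes($title, '%_\\') . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Q3: anything echoed back into the page is HTML-escaped first.
function h(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
$pdo = connect();
$id = recordNumber($_GET);
if ($id === null) {
    $raw = $_GET['recordnum'] ?? '';
    print 'Sorry, we could not find your request for ' . h(is_string($raw) ? $raw : '') . '<br>';
} elseif (($book = findById($pdo, $id)) === null) {
    print 'Book not found in database.<br>';
} else {
    foreach ($book as $key => $value) {
        print h((string)$key) . ': ' . h((string)$value) . '<br>';
    }
}
```

With emulated prepares switched off, the integer and the title pattern travel to MySQL as bound parameters rather than as text inside the SQL, which is what makes the escaping question moot for the string case.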

Rik

Feb 21, 2007, 5:38:34 AM
Hmmmz, it was indeed very late, because this was still in the outbox this
morning:

Jerry Stuckle <jstu...@attglobal.net> wrote:


> Rik wrote:
>>> When the POST method is used, the parameters are not passed in the
>>> link as part of the query string; rather they are passed by the
>>> browser out of sight of the user.
>>
>> Which on an 'open' site (this particular project seems to be local)
>> would have the advantage of being both bookmarkable (hmmmz, something
>> doesn't feel right about that word) and indexable by a search-engine.
>

> Groan, Rik - was that on purpose? :-)

Hmmmz, it's very, very late. I'd swear I was typing something about GET
before it.... Of course the advantages I mentioned are of a GET request :P.

Off to bed now, before I squander my credibility any further...
--
Rik Wasmus

Peter Fox

Feb 21, 2007, 5:48:03 AM
Following on from Rik's message. . .

>
>Because it could containt evil code. I think you know the answers to these
>already :P. It's far beyond the scope of the question to go in great
>detail about security and database handling, as it was local, I was only
>offering a starting point.

Sorry Rik, I didn't mean to question your code; in fact the very opposite:
a very good starting point it is too. An excellent and concise
starting point for three important questions everyone should know the
answers to.
