We Keep Coding

How to Use PHP to Retrieve MySQL IDs With Leading Zeros

I set up a new MySQL database and created some PHP Web pages. The IDs for each entry are composed of three digits and have leading zeros (e.g., 000, 001, 002).
My main page that shows every ID as a separate row in an HTML table works fine -- it displays every entry. But my individual entry page is not returning specific entries. For example, the URL entry.php?id=001 and entry.php?id=002 returns the entry for every ID.
I believe the error is at the beginning of the entry.php code, which looks like this:
$query = 'SELECT * FROM databasetablename';
if (isset($_GET['id']) && is_numeric($_GET['id']))
{
$query .= ' WHERE id = ' . (int)$_GET['id'];
}
$result = mysql_query($query);
while($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
... and the code goes on. But I think the error is in this part.

You are casting $_GET['id'] as int after which $_GET['id'] is now = 1

I assume page IDs in database are not of a numeric type, but of CHAR/VARCHAR/TEXT. In this case you should try this:
$query = 'SELECT * FROM databasetablename';
if (isset($_GET['id']) && is_numeric($_GET['id']))
{
$query .= ' WHERE CAST(id AS INTEGER) = ' . (int)$_GET['id'];
}
$result = mysql_query($query);
As a side note: consider using PDO with parameter binding instead of building queries directly from request parameters. This would be extremely dangerous:
$query = ' WHERE CAST(id AS INTEGER) = ' . $_GET['id'];
EDIT: You could also try using mysql_real_escape_string():
$query .= ' WHERE id = ' . mysql_real_escape_string($_GET['id']);
but in this case you should read the security warning about character sets here: http://php.net/manual/en/function.mysql-real-escape-string.php
EDIT2: Sorry, I cannot write comments at the moment, but since you said that it returns every entry it could only mean that the WHERE condition is not added. Check if you actually receive the "id" request parameter in entry.php by using var_dump($_GET).

PHP Retrieving Data From MySQL After Modifying URL Parameter

I'm building a webpage that retrives data depending on a URL parameter.
There are two possible parameters.
1: id which is retrieved using $_GET['id']
2: name which is retrieved using $_GET['name']
When I am retrieving data using the id parameter it works like a charm since id is always a numerical value and never alphabetical text.
But when attempting to retrieve data using the name parameter I get no results.
The name parameter is checking the database for an article with the articles title being the parameter.
For example the name parameter in a URL would look like so:
http://example.com/safetyarticles/view.php?name=9-clues-to-solving-this-parameter-issue
And in the database the articles name would be: 9 Clues To Solving This Parameter Issue
I've already written some lines to remove the dashes in my url parameter to spaces and then capitalize each word to match the article name, but I'm not getting any results.
This is the code I have written:
$conn = getConnected("safetyArticles");
if(isset($_GET['id'])) {
$articleID = $_GET['id'];
$articleQuery = mysqli_query($conn, "SELECT * FROM currentArticles WHERE article_id = $articleID");
$article = mysqli_fetch_array($articleQuery);
}
else if(isset($_GET['name'])) {
$articleName = $_GET['name'];
$articleName = preg_replace("/[\-]/", " ", $articleName); // Replace dashes in URL parameter with spaces
$articleName = ucwords($articleName); // Uppercase first letter of each word of URL parameter
$articleQuery = mysqli_query($conn, "SELECT * FROM currentArticles WHERE article_name = $articleName");
$article = mysqli_fetch_array($articleQuery);
}
To my knowledge replacing the dashes with spaces and capitalizing each word should make the article_name in the database and $articleName match.
I did add a line of echo $articleName just to see what the output was and the result was 9 Clues To Solving The Mystery Of The Pilot Car which matches the title in the database but the results are not being pulled.
I copied this directly out of the database just to show that the titles are indeed the same: 9 Clues To Solving The Mystery Of The Pilot Car.
I'm at a loss since everything is matching up as it should.

you need '' around the variables in the query:eg '$articleName':
$articleQuery = mysqli_query($conn, "SELECT * FROM currentArticles WHERE article_name = '$articleName'");

$articleName in your query needs to be quoted like this : '$articleName'. eg
$articleQuery = mysqli_query($conn, "SELECT * FROM currentArticles WHERE article_name = '$articleName'");

Is Flexigrid wildcard search possible in the "quick search"?

Flexigrid is a nice jQuery grid, and pretty customizable, but the quick search feature only allows for exact searches (as far as I can tell). Anybody know a fix or workaround for this? I've tried adding wildcard characters to the "p.query" string, but no luck.
FYI: This is for use with a MySQL database and PHP, so the wildcard I tried to add was '%'.
Here's the "doSearch" function in the flexigrid.js:
doSearch: function () {
p.query = $('input[name=q]', g.sDiv).val();
p.qtype = $('select[name=qtype]', g.sDiv).val();
p.newp = 1;
this.populate();
},
Thanks for the help!

The best answer I could devise on my own was changing the SQL query on the PHP side to have a LIKE clause instead of an EQUAL TO clause, using the appropriate wildcard character "%".
I was hoping to find a javascript/jQuery wildcard on the client end that would be appended to the search string, but my search didn't turn up any answers for that.
The line I changed in the PHP script is as follows:
$searchSql = ($qtype != '' && $query != '') ? "where $qtype like CONCAT('%','$query','%') and UserID = $id" : "where UserID = $id";
instead of:
$searchSql = ($qtype != '' && $query != '') ? "where $qtype = '$query' and UserID = $id" : "where UserID = $id";
Best of luck!

How to get url ID in PHP? (for mysql_query UPDATE)

I want to add an edit button for a script called spiral url, but the problem is that I can't get the URL id. This is what I've tried:
/** get url id **/
$id = isset($_GET['id']) ? $_GET['id'] : '';
#mysql_query("UPDATE short_urls SET long_url = 'test' WHERE url_id = '".$id."' LIMIT 1");
What am I doing wrong?
Also I emailed the author and his response:
"I recommend you post on Stackoverflow - https://stackoverflow.com/.
I would love to help you but I don't see what you are doing wrong. I'm still learning PHP as well."

You're wide open to SQL injection attacks.
You're supressing errors with the # operator. NEVER suppress errors
You're not checking the return value of mysql_query(), which returns a boolean FALSE on failure.
Scrap that code and use this:
if (!isset($_GET['id'])) {
die("missing query parameter");
}
$id = intval($_GET['id']);
if ($id === '') {
die("Invalid query parameter");
}
$sql = "UPDATE short_urls SET long_url = 'test' WHERE url_id=$id LIMIT 1";
$result = mysql_query($sql);
if ($result === FALSE) {
die("Mysql error: " . mysql_error() . $sql);
}
Note that I'm assuming that the id parameter is numeric. If it's not, then remove the intval() stuff.

Make sure the value of $_GET['id'] actually has a value. Your URL will look something like http://myurl.com/index.phtml?id=yourvalue. You can do this by doing a:
print "id=".$_GET['id'];
Also, whenever doing a query, please be sure to escape any and all variables that can be manipulated by the user. Without doing this, you're opening yourself up to SQL injection attacks.
mysql_real_escape_string - http://php.net/manual/en/function.mysql-real-escape-string.php
#mysql_query("UPDATE short_urls SET long_url = 'test' WHERE url_id = '".mysql_real_escape_string($id)."' LIMIT 1");

If the url is like this: domain.com/something.php?id=65
$_GET['id'] should be equal to 65
if there is no id there then when you try to access $_GET['id'] you will get an error.
Also try removing the # symbol (that suppresses PHP warning).
And you are waaaay open to bobby-tables
Also (side note), get a new developer who knows what they are doing ;-)

Have you checked the url
http://www.somewebsite.com?id=56&other_car=test
specifically for the "?" after the end of the url and also check all the parts are broken up by the ampersand.
failing that you can view all of your available get array variables by
print_r($_GET);

Rewrite url with id and title (php)

How to rewrite url (what to do) so that instead:
http://www.example.com/article.php?id=123
it says:
http://www.example.com/articles/123/article_title_read_from_database
using php and mysql
Thanks.

When the example article.php well page is accessed with the GET of id=123, the php code to retrieve the number is
$my_id = $_GET['id']
, in this case, that would produce 123.
Then you can redirect the page using
header('Location: http://example.com/articles/$id/other stuff');
I'll leave the MySQL stuff for someone else, but a simple tutorial will give you alot of info on that.

To process request and redirect to new url:
// get id of record from URL
$id = (int) $_GET['id'];
// suppose connection to database is established already
$result = mysql_query("SELECT `title` FROM `articles` WHERE `id` = $id");
if (!$result) {
// there is no such an article
// you can redirect to some other page, or show some error message
} else {
$row = mysql_fetch_assoc($result);
$title = $row['title'];
$urlPart = generateURL($title);
header('location:/articles/$id/$urlPart');
exit;
}
you'll need generateURL function, that take string input and replace all unusable characters with _. (For example if you have title "What's going on?" it will replace ', ? and whitespaces to something like "what_s_going_on"). You can use str_replace or preg_replace to achieve this.
If you want to generate new URL on multiple places, you can insert URL form of title directly into database as another column title_url and then just select it and use it instead of title:
SELECT `title_url` FROM `articles` WHERE `id` = $id
There is no way you can do this kind of rewriting in .htaccess as you can't connect to database server from within this file. (Or at least I don't know such a solution)