I'm trying to build a single pages.php file which I can pass slug information too and use mod-rewrite to make database output look like actual pages.
The problem is that the code works but only with integers being passed. If I pass the page_id it will make the call and work, if I pass page_slug it will fail.
Here is my rewrite rule
RewriteRule ^service/(.*)$ pages.php?pid=$1 [QSA,L]
And here is the select query in pages.php to which I'm using require_once("Database.php"); to call the database file.
$sql = "
SELECT
page_title,
page_html_title,
page_slug,
page_content
FROM pages
WHERE page_slug = $pid
";
$q = $db->query($sql);
$q->setFetchMode(PDO::FETCH_ASSOC);
$r = $q->fetch();
The data is put into html in following matter {$r['page_title']}
Paste for pages.php http://pastebin.com/qA7zzvnY
Paste for Database.php http://pastebin.com/8pqXbzby
Here is database tables
Known problem.
SELECT page_slug
returns empty page, with no error or source code anywhere.
SELECT page_id
returns the page truth pages.php?pid=zzzzzz or rewrite service/zzzzz.html I'm not sure why I can't pull page slug from database when I have done it in past with usernames and other random data. But in the provided $sql code it does not want to work.
You need single quotes (or properly escaped double quotes) around $pid in the query. Also, as pointed out in the comments, you are wide open to SQL injection and need to address that immediately.
Related
Using a plugin I'm able to use PHP on page by using [insert_php] as a tag however, whenever I try using SQL it doesn't seem to work.
I tried using:
global $wpdb;
$prepared = $wpdb->get_row(
"SELECT SiteID, SiteName
FROM $wpdb->Site
WHERE SiteID = 1");
echo $prepared->SiteName;
echo "test";
All I'm getting is test on the page and I've tested to see if my sql statement was at fault and it seems to be working fine so I'm guessing there's an issue with $wpdb or the way I'm outputting the data.
WordPress.org has a lot of detailed information in their reference.
I think attempting to refer to $wpdb->Site is a likely suspect for why your code is not working. You will need to know the exact fields in the table to pull your information.
Here is a reference for the wp_site table. I think you're actually looking for the 'domain' field, not 'sitename'.
Try replacing $wpdb->Site with the actual name of the table. I also get errors like that at first since $wpdb->table_name only works with the default wp tables.
EDIT
It should be something like this:
SELECT SiteID, SiteName FROM Site WHERE SiteID = 1
I've got a page with the following url: website.com/foo/bar
Where foo is the page's php file and bar is the corresponding id to be used to pull in the data from the database.
I'm not using any sort of framework trickery. Just an htaccess to remove the .php and extensions and to process the page foo.php with the id as its not in a sub-folder.
Anyways, bar is just a number (like I said corresponds with database row id). For SEO and general readability in a users history I want to go to the more popular website.com/foo/this-is-the-name format (what is this format called??).
Currently my code is:
require('neou_cms/framework/framework.php');
$id = filter(basename(parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH)));
// no id
if (empty($id)) {
header('Location: ../portfolio');
}
$projects = Nemesis::select("*", "projects", "published = '1' AND id = {$id}");
$row_projects = $projects->fetch_assoc();
$totalRows_projects = $projects->num_rows;
// no results, bad id
if ($totalRows_projects <= 0) {
header('Location: ../portfolio');
}
If figure I would do the following (1) make it so that the pages linking to foo instead go to the page title e.g. /this-is-the-name (2) in foo i'd make it so that $id removes the dashes from the name and searches the database for the row using a select statement and the title.
However I feel like this is slow... Is there a better way to do it that wouldn't require me changing the current flow?
Your approach is fine. The this-is-the-name part of your url (website.com/foo/this-is-the-name) is commonly called a "slug". If you'll be querying a database table on the slug, just make sure the slug column has an index and the query should perform reasonably well.
I would also like to point out that you have a SQL injection vulnerability in the code you've posted. Consider binding $id as a parameter in a parameterized query instead of dynamically including it in a where clause.
I got a Index page on which search page is included, and when I submit it, it passes values to find.php through action and method post. The code is below
if($_POST['searchsubmit']=="Search"){
$cat=$_POST['searchcategory'];
$area=$_POST['searcharea'];
$term=$_POST['searchbox'];
}
The above code is written on find.php, Now when I try to implement paging through basic paging method with where conditions to make appropiate search query
$where="where approved='yes'";
if($term!=""){
$where.=" and name like '%$term%'";
}
if($cat!=""){
$where.=" and category like '%$cat%'";
}
if($area!=""){
$where.=" and area like '%$area%'";
}
$start=0;
$end=5;
if($_GET['page']!="")
{
$start=$_GET['page']*$end;
}
Where $start is my initial limit, and $end is my number of records. For the first page of paging, I pass a variable page with 0 for first page
First
and my search query now becomes
$que="select * from shops ".$where." ORDER BY likes DESC limit $start,$end";
As soon as I click on "first", My new link become "/find.php?page=0"
and the post values which I recivied from index page search bar are lost.
Is there any way to retain those values ?The two methods which I though are sending them again through url with GET, or the other way is to store them in session.
Is there any third method available ?
Marc is absolutely right. Do not use the code as it is.
As an alternate solution to your problem -
Your page index.php (search form) submits to itself
Assemble your search query as querystring in index.php if its a post
Redirect to find.php with the assembled querystring
Every search information will always be in the querystring.
Use your pagination happily.
The comments are correct.
Use:
// Start the session
session_start();
// Save variables into session
$_SESSION['somevalue'] = $_POST['value'];
Then when any page calls session_start it will have access to $_SESSION['somevalue']
Also, you are wide open for SQL injection. Sanitize your values to ensure no one can put arbitrary sql code into the string. if you are using mysqli it should as simple as this:
// After connecting to the DB
$_POST['somevalue' = $mysqli->real_escape_string($_POST['somevalue']);
Then be sure to hardcode quotes around string values like you are doing.
If you want to be safer you can use prepared statement instead.
Hope this helps.
I am using the phpMyDataGird script to edit MySQL database tables through the web without using phpMyAdmin (I just use phpMyAdmin to manage the values but this script to manage the data)
The problem comes when I add HTML to a field. I want to be able to see them as code and not let them transform.
This is an example of how the script looks. If you click on a field you'll be able to edit it. In the first row, second column I wrote <i><b>someone</b></i> and as you can see it's not showing the code but is being bolded and italicized.
This is the main page of the script where I add my MySQL information and change settings, and this main page is connected to a page where all the script is written.
Can anyone take a look at these pages and tell me where to add the htmlspecialchars() call because I have been trying, but it's not working.
If You want to show the HTML special chars only in the grid (and they can stay as they are) try to edit the line 1612 in a 'page' script - that should be a mask function:
function mask($value,$mask,$datatype,$aselect,$row){
switch ($datatype){
...
default:
/*1612 line here --> */ return htmlspecialchars($value);
}
}
But I'm not sure if this is what You want to achieve...
EDIT: to also save the data in htmlspecialchar formatted value, try to change the line 927 from
$strUpdate = "UPDATE $this->tablename set $value=".magic_quote($nt)." $updWhere Limit 1";
to
$strUpdate = "UPDATE $this->tablename set $value=".htmlspecialchars(magic_quote($nt))." $updWhere Limit 1";
but again, I'm not sure... If this is OK, then You can remove the htmlspecialchars in previous example (line 1612).
I need something simple; I have page where a user clicks an author to see the books associated with that author. On my page displaying the list of books for the author, I want a simple HTML title saying: 'The books for: AUTHORNAME'
I can get the page to display author ID but not the name. When the user clicks the link in the previous page of the author, it looks likes this:
<?php echo $row['authorname']?>
And then on the 'viewauthorbooks.php?author_id=23' I have declared this at the start:
$author_id = $_GET['author_id'];
$authorname = $_GET['authorname'];
And finally, 'The books for: AUTHORNAME, where it says AUTHORNAME, I have this:
echo $authorname
(With PHP tags, buts its not letting me put them in!) And this doesnt show anything, however if I change it to author_id, it displays the correct author ID that has been clicked, but its not exactly user friendly!! Can anyone help me out!
You could pull the author_id from the query string as you did using $_GET but beware you will need to validate what is coming through by the query. I hope you can see that without validation how bad of a security hole this is.
I am at work at the moment, but this is a quick example that should give you what you need without sanitizing your query.
$id = intval($_GET['author_id']);
// of course, perform more validation checks
// just don't assume its safe.
$sql = "SELECT authorname FROM authors_tb WHERE author_id=" . $id;
$result = mysql_query($sql);
while($row = mysql_fetch_array($result)) {
echo "The books for: " . $row['authorname'];
}
The reason why your approach wasn't working was because you utilize the $_GET URL parameter passing for author_name where you weren't supplying the parameters in the URL, just the author_id.
You don't send it in the query string, thus you can't get it from the $_GET array.
Just request it from the database using id.
An important note: Always use htmlspacialchars() when you display the data, coming from the client side.
This is because you do not define the author name in your get.
You should make the following your url:
<?php echo $row['authorname']?>
Or rather select the data from the database again, on the new page, using the ID you retrieved from the URI.
Author name won't be in $_GET. As your code stands, you only use it as the link title. It is no where in the address. Try this instead:
<?php echo $row['authorname']?>
It would be better to re-request it from the database using the author_id though.
EDIT:
To explain the problem in more detail. You have two pages, the new.php page and the viewauthorbooks.php page. You're sending users from the new page to the view page using the link you posted, right?
The problem with that is, your link assigns one variable in get. Here's the query string it would generate:
viewauthorbooks.php?author_id=13
What that will do is send the user to viewauthorbooks and place the value '13' in the $_GET variable: $_GET['author_id']. That is why the author_id is there and displays on viewauthorbooks. However, authorname is never passed to viewauthorbooks, it isn't in $_GET['authorname'] because you never set $_GET['authorname']. If you want it to be in $_GET, then you need your query string to look like this:
viewauthorbooks.php?author_id=13&authorname=bob
You can accomplish that using the new HTML code for the link I posted above. Look at it closely, there's a key difference from the one you have now.
However, it is generally discouraged to pass data through GET, because the query string is displayed to the user and it leaves you open to injection attacks. A better way to do this would be to use the author_id you are already passing to viewauthorbooks.php to retrieve the authorname from the database again. You can use the same code you used on the new.php page.