Advanced PHP Question

phpnewbie34

Good morning friends and programmers,

I'm looking to create something similar to this link: http://toronto.en.craigslist.ca/tor/zip/3763209705.html

What I need is 2 pages.

One page I retrieve the TITLES for each day and display them - the TITLES link to a page like the one above

The second page has specific information about the link.

My main question is how do you create a craigslist style page using PHP and MySQL?

Any pointers / resources you can provide would really help me out

xerxes

That's a very broad question.

What do you know? Are you familiar with HTML, forms, POST and GET, do you know anything about server side scripting and databases at all, or any other programming/scripting languages, or are you starting completely from scratch?

If I can make a motoring analogy, forums are a good place to ask "how do I change a spark plug?", but not "how do I build a car?". 😃

phpnewbie34

Lol. Just kidding.

Here is my code - which works fine:

while($row = mysqli_fetch_array($result))
{
echo "<tr>";
echo "<td>" . $row['ID'] . "</td>";
echo "<td>" . $row['name'] . "</td>";
echo "<td>" . $row['book'] . "</td>";
echo "<td>" . $row['subject'] . "</td>";
echo "<td>" . $row['Price'] . "</td>";
echo "<td>" . $row['Description'] . "</td>";
echo "<td>" . "<img src=\"" . $row['picname'] . "\" width=100 height=100 />" . "</td>";
echo "</tr>";
}
echo "</table>";

What I'm trying to do is turn the output from $row['id'] into a link.

I want that link to go another page ... index.php/id=1 etc...

The other page is like a profile - with the user ID listed .... 1,23,234 etc...

And all the corresponding info from the database

What I don't understand is how does one create a new webpage based on information in a MySQL database for a particular ID number?

I'm looking for a pointer in the right direction

xerxes

First use the ID as a link:

echo '<td><a href="DetailPage.php?ID=' . $row["ID"] .'">View Details</a></td>';

Notice I've use single quotes for the PHP string so that we can use double quotes for the HTML without using back slashes to escape them.

Then on DetailPage.php

$intID = $_GET["ID"]) // Retrieve the ID

Which you can now use as part of your SQL statement, for example:

$pdo = $connDB->prepare("SELECT Something, SomethingElse FROM tbl_Name WHERE ID=? LIMIT 0,1;");
$pdo->execute(array($intID));

Or if you're using mysql_query something like this:

$result = mysql_query($connDB,"SELECT Something, SomethingElse FROM tbl_Name WHERE ID=" . $intID . " LIMIT 0,1;");

mysql_query is being dropped soon, so it might be worth looking into using mysqli_query() or PDO::query() instead, rather than have your code stop working sometime in the future:
http://php.net/manual/en/function.mysql-query.php

phpnewbie34

I messed around with your code and I finally got it to work.

It seemed to work when I used "mysqli_query" and not "mysql_query" (I don't know the difference)

Brilliant answer - much appreciated.

laserlight

Unfortunately, while xerxes' sample code uses prepared statements for the PDO example, it doesn't for the latter example, which likely means that you have an SQL injection vulnerability in your code since xerxes' example does not take care of that. Since you will be using mysqli anyway, you should read up on how to use prepared statements with that.

Weedpacket

phpnewbie34 wrote:
It seemed to work when I used "mysqli_query" and not "mysql_query" (I don't know the difference)

That's what the manual is for. [man]mysqli_query[/man], [man]mysql_query[/man].

xerxes

laserlight;11027109 wrote:
Unfortunately, while xerxes' sample code uses prepared statements for the PDO example, it doesn't for the latter example, which likely means that you have an SQL injection vulnerability in your code since xerxes' example does not take care of that. Since you will be using mysqli anyway, you should read up on how to use prepared statements with that.

It's not a fully worked up example, there's lots of things I'd add, for example checking that the parameter exists and checking that the value is numeric, for example:

if (isset($_GET["ID"]))    {$intID=$_GET["ID"];}    else{$intID="X";}

$intFound = 0;

if (is_numeric($intID)==true){
	$pdo = $connBike->prepare("SELECT Something, SomethingElse FROM tbl_Name WHERE ID=?;");
	$pdo->execute(array($intID));

if ($pdo->rowCount()>0){
	$intFound = 1;
	$rsDetails = $pdo->fetch(PDO::FETCH_ASSOC);
	$intSomething = $rsDetails["Something"];
	$strSomethingElse  = $rsDetails["SomethingElse "];	}
$pdo->closeCursor();	
}

$connBike = null;

if (intFound = 0){
	echo "No record found";{
else{
	....
}

This way if someone gets to the page without supplying a URL parameter, or if the URL parameter is tampered with, the page doesn't show a PHP error message.

Derokorian

xerxes wrote:

if (isset($_GET["ID"]))    {$intID=$_GET["ID"];}    else{$intID="X";}

If you're going to do it all on one line like that, they have something for that called the ternary operator.

$intID = isset($_GET["ID"]) ? $_GET["ID"] : "X";

traq

also note that [man]is_numeric/man probably isn't actually what you're looking for. If your field [font=monospace]ID[/font] is serial, and you therefore want [font=monospace]$_GET['ID'][/font] to be composed of only digits ( 0-9 ), use [man]ctype_digit/man.

xerxes

Derokorian and traq, duly noted. 😃