I’m fairly new with PHP so not sure if this is a really common problem
I am writing a system for work
And I have a page with a list of hyperlinks. Next to each hyperlink there in a link that takes you to a page where you can edit the link, it’s name, url, description etc.
The page for editing links displays which link it is by passing a record id number in the address string i.e http://blah.com/edit.php?id=2
My problem is that I’m trying to make it so that someone cannot tamper with the address string. I have it checking so far that the data it is passed is numeric but what I want to do next is so it does something like counts the number of records in the table and if an id number is given that is higher than the number of records in the database table it will display an error.
Here is some of the code I have so far
Not sure if I am going along the right lines;
$sqlcount = "SELECT COUNT(*) FROM WCIS_wlinks";
mysql_query($sqlcount);
//make a variable to put the id number into
$idnum = $_GET['id'];
//make a variable to put the number of counted rows in the table into
$tablecount = mysql_query($sqlcount);
//check to see if the id number being passed is numeric
if (is_numeric($idnum) == FALSE)
{
echo "There has been an error, the id number isn't numeric";
}
if ($idnum < $tablecount)
{
echo "There has been an error, the id number is higher than the number of records we currently have stored<br />";
echo "The number of rows in the table is";
echo $tablecount;
}
else
{
mysql_query() returns what we call "Resouce", and never a single var or arrays vars. You must fetch each row before you use it. This is no exception even if you know that the result contains only one row with one column because MySQL doesn't.
Change this:
PHP Code:
//make a variable to put the number of counted rows in the table into
$tablecount = mysql_query($sqlcount);
to the following:
PHP Code:
//make a variable to put the number of counted rows in the table into
$tablecount = mysql_result(mysql_query($sqlcount), 0);
However, you may be better off if you check the query to retrieve the data, based on the numeric ID - if it returns empty set, that means there is no such ID in the database. Plus if you are using auto_increment ID, then deleting one ID does not shift/unshift the existing IDs, and in that case, it becomes possible that an ID that exists yet is higher than the actual count of the data.
So should I check to see if what is being passed is a number of a record that we have in the table as oppose to just not being higher than the number of records because it could be we have records with id 1, 2, 4, 5 etc with entry 3 missing as it had been deleted?
Would I use something like this?
if (empty($var)) {
echo "whatever message here";
}
The part I don't get would be what variable I am using here to do this
I've re-written your scriptlet with my comments to demonstrate what I've mentioned before. I hope you find it useful:
PHP Code:
<?php
// We could use intval() here to make $_GET['id'] an integer, but sometimes it's not desirable.
$idnum = $_GET['id'];
// is_numeric() routine.
// Also, assuming that the id of value zero does not exist, we can add another check where $idnum must be higher than zero.
if (!is_numeric($idnum) || $idnum <= 0) {
echo "There has been an error, the id number isn't valid.";
// It is important to exit() so that the subsequent code will not be excuted if things go wrong and there is no way to recover.
exit();
}
else {
// Now we know that the id is an integer that is not zero.
// It is safe to plug this into your query.
$sql = "SELECT whatever_fields_you_need_to_retrieve FROM your_table WHERE id = ".$idnum;
$res = mysql_query($sql);
// Now check if there is a record whose id matches the $idnum.
// If there is not, the query would return an empty set that cannot be fetched.
// Also, assuming that the id is unique across the records in this table, we know that the number of rows returned will be 1, if such a record exists.
if (mysql_num_rows($res) != 1) {
echo 'The requested record does not exist.'
exit();
}
else {
// Now it is safe to proceed with the result.
// Remember, even if the number of the rows returned is one, in order to use these field values in PHP's array, you must explicitly fetch it into an array.
// You can choose either mysql_fetch_assoc(), mysql_fetch_row(), or mysql_fetch_array() - consult the PHP manual for more details on these functions.
$a_record = mysql_fetch_assoc($res);
// It is recommended to unset() the resouce because it could contain a big data.
unset($res);
// Now the array var $a_record contains the record whose id = $idnum.
// Use this array for your subsequent operations.
}
}
?>
There are other ways to accomplish the same thing - make it a function, a class, etc, and you should try various ways and go for the one that fits you or your projects.
Linear Mode
