Re: [PHP] Noob question: Making search results clickable.
Ford, Mike wrote:
>> -Original Message-
>> From: Nisse Engström [mailto:news.nospam.0ixbt...@luden.se]
>> Sent: 19 November 2009 14:54
>> To: php-general@lists.php.net
>> Subject: Re: [PHP] Noob question: Making search results clickable.
>>
>> On Wed, 18 Nov 2009 10:31:59 -0500, Paul M Foster wrote:
>>
>>> Replace your query with:
>>>
>>> "SELECT title, id FROM videos WHERE topid1 = '$topic'"
>>>
>>> or whatever index you have to select a particular video from your table.
>>>
>>> Replace your echo statement above with:
>>>
>>> echo "<a href="video_display.php?video_id=$row[id]">$row[title]</a>";
>>
>> Without actually checking, I don't think "$row[...]"
>> is going to work in double quoted strings. I'm pretty
>> sure it needs to be in braces. You also need to escape
>> the double quotes and put the array indexes in single
>> quotes:
>
> You should have checked, because "...$row[title]..." is a valid alternative
> for "...{$row['title']}...".
>
> Personally, I never use it because of it not having the same meaning outside
> a double-quoted string -- but it is a documented feature.
>

yup, which sucks and breaks at the drop of a hat, like..
Re: [PHP] Noob question: Making search results clickable.
On Thu, 19 Nov 2009 15:07:42 +, Ashley Sheridan wrote:

> On Thu, 2009-11-19 at 10:09 -0500, Paul M Foster wrote:
>>
>> Ahem. You are correct. I should have escaped the double quotes. I've
>> *never* made this kind of mistake before. ;-}
>
> Gonna go to PHP hell for that faux pas!

I'll see you both there. :-)

/Nisse

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Noob question: Making search results clickable.
On Thu, 19 Nov 2009 17:02:53 -, "Ford, Mike" wrote:

>> -Original Message-
>> From: Nisse Engström [mailto:news.nospam.0ixbt...@luden.se]
>>
>> Without actually checking, I don't think "$row[...]"
>> is going to work in double quoted strings. I'm pretty
>> sure it needs to be in braces. You also need to escape
>> the double quotes and put the array indexes in single
>> quotes:
>
> You should have checked, because "...$row[title]..." is a valid
> alternative for "...{$row['title']}...".

I didn't know that. It never occurred to me to *not* use
single quotes around the index...

> Personally, I never use it because of it not having the same meaning
> outside a double-quoted string -- but it is a documented feature.

Right. I always use braces (or dot-concatenation) for
anything beyond a simple variable name.

/Nisse
Re: [PHP] Noob question: Making search results clickable.
On Thu, Nov 19, 2009 at 11:46 AM, Paul M Foster wrote:

> On Thu, Nov 19, 2009 at 03:07:42PM +, Ashley Sheridan wrote:
>
>> On Thu, 2009-11-19 at 10:09 -0500, Paul M Foster wrote:
>>
>> Ahem. You are correct. I should have escaped the double quotes. I've
>> *never* made this kind of mistake before. ;-}
>>
>> Paul
>>
>> --
>> Paul M. Foster
>>
>> Gonna go to PHP hell for that faux pas!
>>
>
> PHP Hell Characteristics:
>
> Endless pages of code *you* have to make work.
>
> Tons of PHP code embedded in HTML. Not an MVC in sight.
>
> Everything is full of misquoted variables.
>
> All variables are *slightly* misspelled.
>
> Every PHP page terminated with ?> and then a couple more CRLF
> combinations, just to make sure you can't figure out why your pages
> won't display.
>
> No security checking of any POST or GET variables. In fact, all input is
> guaranteed to contain javascript fragments.
>
> Parameters in all PHP function calls are out of order.
>
> No access to php.net. And no XKCD.com.
>
> No caffeine. No nicotine. No pizza.
>
> The phone won't quit ringing, and you can't disconnect it. It's always
> customers asking for senseless and nonsensical modifications.
>
> If you're a vim user, you're forced to use emacs. If you're an emacs
> user, you have to use vim. And if you use an IDE, you're stuck with
> Microsoft Word.
>
> Paul
>
> --
> Paul M. Foster
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

Aw, hell, I am already here then the only thing missing above was being forced to work in classic ASP

--

Bastien

Cat, the other other white meat
RE: [PHP] Noob question: Making search results clickable.
> -Original Message-
> From: Nisse Engström [mailto:news.nospam.0ixbt...@luden.se]
> Sent: 19 November 2009 14:54
> To: php-general@lists.php.net
> Subject: Re: [PHP] Noob question: Making search results clickable.
>
> On Wed, 18 Nov 2009 10:31:59 -0500, Paul M Foster wrote:
>
> > Replace your query with:
> >
> > "SELECT title, id FROM videos WHERE topid1 = '$topic'"
> >
> > or whatever index you have to select a particular video from your table.
> >
> > Replace your echo statement above with:
> >
> > echo "<a href="video_display.php?video_id=$row[id]">$row[title]</a>";
>
> Without actually checking, I don't think "$row[...]"
> is going to work in double quoted strings. I'm pretty
> sure it needs to be in braces. You also need to escape
> the double quotes and put the array indexes in single
> quotes:

You should have checked, because "...$row[title]..." is a valid alternative for "...{$row['title']}...".

Personally, I never use it because of it not having the same meaning outside a double-quoted string -- but it is a documented feature.

Cheers!

Mike

--
Mike Ford, Electronic Information Developer,
Libraries and Learning Innovation,
Leeds Metropolitan University, C507, Civic Quarter Campus,
Woodhouse Lane, LEEDS, LS1 3HE, United Kingdom
Email: m.f...@leedsmet.ac.uk
Tel: +44 113 812 4730

To view the terms under which this email is distributed, please go to http://disclaimer.leedsmet.ac.uk/email.htm
Re: [PHP] Noob question: Making search results clickable.
On Thu, Nov 19, 2009 at 03:07:42PM +, Ashley Sheridan wrote:

> On Thu, 2009-11-19 at 10:09 -0500, Paul M Foster wrote:
>
> Ahem. You are correct. I should have escaped the double quotes. I've
> *never* made this kind of mistake before. ;-}
>
> Paul
>
> --
> Paul M. Foster
>
> Gonna go to PHP hell for that faux pas!
>

PHP Hell Characteristics:

Endless pages of code *you* have to make work.

Tons of PHP code embedded in HTML. Not an MVC in sight.

Everything is full of misquoted variables.

All variables are *slightly* misspelled.

Every PHP page terminated with ?> and then a couple more CRLF combinations, just to make sure you can't figure out why your pages won't display.

No security checking of any POST or GET variables. In fact, all input is guaranteed to contain javascript fragments.

Parameters in all PHP function calls are out of order.

No access to php.net. And no XKCD.com.

No caffeine. No nicotine. No pizza.

The phone won't quit ringing, and you can't disconnect it. It's always customers asking for senseless and nonsensical modifications.

If you're a vim user, you're forced to use emacs. If you're an emacs user, you have to use vim. And if you use an IDE, you're stuck with Microsoft Word.

Paul

--
Paul M. Foster
Re: [PHP] Noob question: Making search results clickable.
On Thu, 2009-11-19 at 10:09 -0500, Paul M Foster wrote:

> On Thu, Nov 19, 2009 at 03:53:55PM +0100, Nisse Engström wrote:
>
> > On Wed, 18 Nov 2009 10:31:59 -0500, Paul M Foster wrote:
> >
> > > Replace your query with:
> > >
> > > "SELECT title, id FROM videos WHERE topid1 = '$topic'"
> > >
> > > or whatever index you have to select a particular video from your table.
> > >
> > > Replace your echo statement above with:
> > >
> > > echo "<a href="video_display.php?video_id=$row[id]">$row[title]</a>";
> >
> > Without actually checking, I don't think "$row[...]"
> > is going to work in double quoted strings. I'm pretty
> > sure it needs to be in braces. You also need to escape
> > the double quotes and put the array indexes in single
> > quotes:
> >
> > echo "<a href=\"video_display.php?video_id={$row['id']}\">{$row['title']}</a>";
> >
>
> Ahem. You are correct. I should have escaped the double quotes. I've
> *never* made this kind of mistake before. ;-}
>
> Paul
>
> --
> Paul M. Foster
>

Gonna go to PHP hell for that faux pas!

Thanks,
Ash
http://www.ashleysheridan.co.uk
Re: [PHP] Noob question: Making search results clickable.
On Thu, Nov 19, 2009 at 03:53:55PM +0100, Nisse Engström wrote:

> On Wed, 18 Nov 2009 10:31:59 -0500, Paul M Foster wrote:
>
> > Replace your query with:
> >
> > "SELECT title, id FROM videos WHERE topid1 = '$topic'"
> >
> > or whatever index you have to select a particular video from your table.
> >
> > Replace your echo statement above with:
> >
> > echo "<a href="video_display.php?video_id=$row[id]">$row[title]</a>";
>
> Without actually checking, I don't think "$row[...]"
> is going to work in double quoted strings. I'm pretty
> sure it needs to be in braces. You also need to escape
> the double quotes and put the array indexes in single
> quotes:
>
> echo "<a href=\"video_display.php?video_id={$row['id']}\">{$row['title']}</a>";
>

Ahem. You are correct. I should have escaped the double quotes. I've *never* made this kind of mistake before. ;-}

Paul

--
Paul M. Foster
Re: [PHP] Noob question: Making search results clickable.
On Wed, 18 Nov 2009 10:31:59 -0500, Paul M Foster wrote:

> Replace your query with:
>
> "SELECT title, id FROM videos WHERE topid1 = '$topic'"
>
> or whatever index you have to select a particular video from your table.
>
> Replace your echo statement above with:
>
> echo "<a href="video_display.php?video_id=$row[id]">$row[title]</a>";

Without actually checking, I don't think "$row[...]"
is going to work in double quoted strings. I'm pretty
sure it needs to be in braces. You also need to escape
the double quotes and put the array indexes in single
quotes:

echo "<a href=\"video_display.php?video_id={$row['id']}\">{$row['title']}</a>";

Personally, I prefer something like this:

$id = $row['id']; /* No urlencode(), assuming numerical id */
$title_h = htmlspecialchars ($row['title']);
echo "$title_h";

or (somewhat cleaner):

echo <<<_
$title_h
_;

/Nisse
Re: [PHP] Noob question: Making search results clickable.
Make sure to reply all...

Paul Jinks wrote:
> Thanks to everyone for replying, it's much appreciated. Thanks
> especially for the final piece of the puzzle, Shawn, I don't think I
> was going to find it on my own - the display I have in mind is a
> little different, but I think I can figure it out. Will check all this
> out and let you know how I get on.
>
> Paul
>
> On Wed, Nov 18, 2009 at 3:33 PM, Shawn McKenzie wrote:
>
>> Gary Smith wrote:
>>
>>> Paul Jinks wrote:
>>>> Hi all
>>>>
>>>> I'm building a fairly basic php/mySql site but I'm running into
>>>> problems due to my total lack of experience. I have a database of
>>>> videos - each has a title, transcript, description and one or more
>>>> topics. So far I can search the database by topic (using a drop-down
>>>> menu), like this:
>>>>
>>>> $result = mysql_query("SELECT title FROM videos WHERE topic1= '$topic'");
>>>>
>>> Hi - first up, make sure that you're passing clean input. It's worth
>>> learning about security from the start. As you've mentioned below that
>>> you're using PHP, you can do this by making sure $topic has been put
>>> through mysql_real_escape_string() - it's not ideal, but it's better
>>> than nothing[1].
>>>> while($row = mysql_fetch_array($result))
>>>> {
>>>> echo $row['title'];
>>>> echo "";
>>>> }
>>>> ?>
>>>>
>>> What you'd probably be better doing is having something like this:
>>>
>>> printf("%s", $row["id"],
>>> $row["title"]);
>>>
>>> And changing your query accordingly.
>>>
>>> Obviously, you'd need video_display.php to accept GET input in the form
>>> of id= as well.
>>>
>> For the first piece Gary has it right, but your query needs to include
>> the id also.
>>
>> $result = mysql_query("SELECT id, title FROM videos WHERE topic1=
>> '$topic'");
>>
>> For the second piece, in video_display.php, you'd do something like this:
>>
>> $id = (int)$_GET['id'];
>> $result = mysql_query("SELECT * FROM videos WHERE id=$id LIMIT 1");
>>
>> if($result) {
>>     $row = mysql_fetch_array($result);
>>
>>     echo $row['title']."";
>>     echo $row['description']."";
>>     echo $row['title']."";
>>     // etc...
>> } else {
>>     die("Invalid id");
>> }
>>
>> --
>> Thanks!
>> -Shawn
>> http://www.spidean.com
>>
Re: [PHP] Noob question: Making search results clickable.
Shawn McKenzie wrote:
> Gary Smith wrote:
>> And changing your query accordingly.
> For the first piece Gary has it right, but your query needs to include
> the id also.

Yeah, as I mentioned, he'd need to change the query accordingly, either to select id,title or select *

Cheers,

Gary
Re: [PHP] Noob question: Making search results clickable.
Gary Smith wrote:
> Paul Jinks wrote:
>> Hi all
>>
>> I'm building a fairly basic php/mySql site but I'm running into
>> problems due to my total lack of experience. I have a database of
>> videos - each has a title, transcript, description and one or more
>> topics. So far I can search the database by topic (using a drop-down
>> menu), like this:
>>
>> $result = mysql_query("SELECT title FROM videos WHERE topic1= '$topic'");
>>
> Hi - first up, make sure that you're passing clean input. It's worth
> learning about security from the start. As you've mentioned below that
> you're using PHP, you can do this by making sure $topic has been put
> through mysql_real_escape_string() - it's not ideal, but it's better
> than nothing[1].
>> while($row = mysql_fetch_array($result))
>> {
>> echo $row['title'];
>> echo "";
>> }
>> ?>
>>
> What you'd probably be better doing is having something like this:
>
> printf("%s", $row["id"],
> $row["title"]);
>
> And changing your query accordingly.
>
> Obviously, you'd need video_display.php to accept GET input in the form
> of id= as well.

For the first piece Gary has it right, but your query needs to include the id also.

$result = mysql_query("SELECT id, title FROM videos WHERE topic1= '$topic'");

For the second piece, in video_display.php, you'd do something like this:

$id = (int)$_GET['id'];
$result = mysql_query("SELECT * FROM videos WHERE id=$id LIMIT 1");

if($result) {
    $row = mysql_fetch_array($result);

    echo $row['title']."";
    echo $row['description']."";
    echo $row['title']."";
    // etc...
} else {
    die("Invalid id");
}

--
Thanks!
-Shawn
http://www.spidean.com
Re: [PHP] Noob question: Making search results clickable.
On Wed, Nov 18, 2009 at 03:04:13PM +, Paul Jinks wrote:

> Hi all
>
> I'm building a fairly basic php/mySql site but I'm running into
> problems due to my total lack of experience. I have a database of
> videos - each has a title, transcript, description and one or more
> topics. So far I can search the database by topic (using a drop-down
> menu), like this:
>
> $result = mysql_query("SELECT title FROM videos WHERE topic1= '$topic'");
>
> while($row = mysql_fetch_array($result))
> {
> echo $row['title'];
> echo "";
> }
> ?>
>
> Basic, but it works. What I'd like now is to make the search results
> clickable so clicking them leads to a page showing all the details of
> that video. I have a page "video_display.php" set up, ready to display
> the details from the database, but how do I connect the two?

Replace your query with:

"SELECT title, id FROM videos WHERE topid1 = '$topic'"

or whatever index you have to select a particular video from your table.

Replace your echo statement above with:

echo "<a href="video_display.php?video_id=$row[id]">$row[title]</a>";

Then ensure that video_display.php is set up to fetch the video whose ID is passed to it via the GET parameter.

All this assumes I understood what you're getting at. Which is questionable. ;-}

Paul

--
Paul M. Foster
Re: [PHP] Noob question: Making search results clickable.
Paul Jinks wrote:
> Hi all
>
> I'm building a fairly basic php/mySql site but I'm running into
> problems due to my total lack of experience. I have a database of
> videos - each has a title, transcript, description and one or more
> topics. So far I can search the database by topic (using a drop-down
> menu), like this:
>
> $result = mysql_query("SELECT title FROM videos WHERE topic1= '$topic'");

Hi - first up, make sure that you're passing clean input. It's worth learning about security from the start. As you've mentioned below that you're using PHP, you can do this by making sure $topic has been put through mysql_real_escape_string() - it's not ideal, but it's better than nothing[1].

> while($row = mysql_fetch_array($result))
> {
> echo $row['title'];
> echo "";
> }
> ?>

What you'd probably be better doing is having something like this:

printf("%s", $row["id"], $row["title"]);

And changing your query accordingly.

Obviously, you'd need video_display.php to accept GET input in the form of id= as well.

Cheers,

Gary

[1] It's not a magic bullet in so far as it doesn't stop SQL injection.
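Added example, not part of any post in this thread: the search page and video_display.php with the three defences the replies point at (clean input to the query, an integer-only id, htmlspecialchars() on output) applied together. It assumes PDO with an in-memory SQLite database in place of the thread's mysql_* calls (ext/mysql was removed in PHP 7) so that it runs offline; h(), render_results() and render_video() are hypothetical names and the rows are constructed sample data.

```php
<?php
// Added example. An in-memory SQLite database (via PDO) stands in for the
// thread's MySQL "videos" table; the two rows are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE videos (id INTEGER PRIMARY KEY, title TEXT,
           description TEXT, topic1 TEXT)');
$ins = $db->prepare('INSERT INTO videos (title, description, topic1) VALUES (?, ?, ?)');
$ins->execute(['Loops & <arrays>', 'foreach and friends', 'php']);
$ins->execute(['Joins "explained"', 'Inner and outer joins', 'sql']);

// Hypothetical helper: escape a value for HTML text and attribute context.
function h($s) {
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

// Search page: $topic is bound as a parameter, never pasted into the SQL text.
function render_results(PDO $db, $topic) {
    $stmt = $db->prepare('SELECT id, title FROM videos WHERE topic1 = ?');
    $stmt->execute([$topic]);
    $html = '';
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $href = 'video_display.php?' . http_build_query(['id' => $row['id']]);
        $html .= '<a href="' . h($href) . '">' . h($row['title']) . "</a><br>\n";
    }
    return $html;
}

// video_display.php: accept only a positive integer id. A bare (int) cast
// would turn "1abc" into 1; filter_var() rejects it instead.
function render_video(PDO $db, $rawId) {
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return "Invalid id\n";
    }
    $stmt = $db->prepare('SELECT title, description FROM videos WHERE id = ? LIMIT 1');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {   // the query ran fine but matched no row
        return "Invalid id\n";
    }
    return '<h1>' . h($row['title']) . "</h1>\n<p>" . h($row['description']) . "</p>\n";
}

echo render_results($db, 'php');     // title is HTML-escaped inside the link
echo render_results($db, "php's");   // the quote is bound as data, not SQL
echo render_video($db, '2');         // valid id, escaped title and description
echo render_video($db, '1abc');      // fails integer validation
echo render_video($db, '999');       // well-formed id with no matching row
```

With MySQL the same code applies after changing only the PDO connection string; the prepared statements and the output escaping stay as they are.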
[PHP] Noob question: Making search results clickable.
Hi all

I'm building a fairly basic php/mySql site but I'm running into problems due to my total lack of experience. I have a database of videos - each has a title, transcript, description and one or more topics. So far I can search the database by topic (using a drop-down menu), like this:

$result = mysql_query("SELECT title FROM videos WHERE topic1= '$topic'");

while($row = mysql_fetch_array($result))
{
echo $row['title'];
echo "";
}
?>

Basic, but it works. What I'd like now is to make the search results clickable so clicking them leads to a page showing all the details of that video. I have a page "video_display.php" set up, ready to display the details from the database, but how do I connect the two?

Thanks in advance

Paul