Passing variables via URL to php

Posted by: Darren_S
Posted on: 2006-11-17 14:39:00

Hi,

The following URL worked fine with my old hosting company (PlusNet)

http://www.countybeermakers.org.uk/recipes/recipe.php?table=anniversary&num=1

However I now get the following error after moving site to Dreamhost

Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result
resource in /servername/recipes/recipe.php on line 84

It's actually this line that's causing the problem

$query = "SELECT * FROM $table WHERE number=$num";

If I hard code the table and record numbers as follows it works fine

$query = "SELECT * FROM anniversary WHERE number=1";

So it's the passing of the variables from the URL to php that's not working
any more.

Any ideas why?

Thanks, Darren

Re: Passing variables via URL to php

Posted by: scjessey
Posted on: 2006-11-17 15:00:00

In reply to:

http://www.countybeermakers.org.uk/recipes/recipe.php?table=anniversary&num=1
$query = "SELECT * FROM $table WHERE number=$num";


My guess is that you are assuming that register_globals is enabled (which is something of a security hazard). The variables you are setting in your query string should first be retrieved from the $_GET superglobal array:

$table = $_GET['table'];
$num = $_GET['num'];

If you are working with many variables, you can retrieve all of them at the same time with this:

extract($_GET);

You will encounter the same issue if you ever use HTML forms with PHP. With the method set to "post", for example, you will need to access the form data with the $_POST superglobal array variable.
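As an added illustration (not code from the thread), the script below shows the explicit $_GET reads described above and why extract($_GET) is the one suggestion here to avoid: it reproduces exactly the register_globals behaviour that the hosting move turned off, letting any query-string key overwrite a variable the script already set. $_GET is filled from a constructed array so the script runs from the command line, and $isAdmin is a hypothetical flag used only to make the overwrite visible.

```php
<?php
// Added example, not from the thread: explicit reads from $_GET versus
// extract($_GET). $_GET is simulated with a constructed array so this can
// be run with the PHP CLI instead of a web server.

// Constructed request, as if the URL were
//   recipe.php?table=anniversary&num=1&isAdmin=1
// The third key is something the script never asked for.
$_GET = ['table' => 'anniversary', 'num' => '1', 'isAdmin' => '1'];

function readParams(array $get): array
{
    // Explicit reads with defaults: missing keys raise no notices, and no
    // key other than the two this script expects can reach a local variable.
    return [
        'table' => isset($get['table']) ? (string) $get['table'] : '',
        'num'   => isset($get['num'])   ? (string) $get['num']   : '',
    ];
}

$params = readParams($_GET);
printf("table=%s num=%s\n", $params['table'], $params['num']);

// extract() turns every query-string key into a local variable, which is
// the register_globals behaviour the thread is about. $isAdmin is a
// hypothetical flag set by the script; extract() replaces it with whatever
// the request supplied.
$isAdmin = false;
extract($_GET);
var_dump($isAdmin);

// EXTR_SKIP leaves existing variables alone but still creates arbitrary new
// ones from the request, so explicit reads as in readParams() remain the
// safer habit.
$isAdmin = false;
extract($_GET, EXTR_SKIP);
var_dump($isAdmin);
```

Run it with `php example.php`; the first var_dump shows the flag replaced by the request value, the second shows it preserved.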

Re: Passing variables via URL to php

Posted by: shelves
Posted on: 2006-11-17 15:02:00


register_globals is turned off. Before your query do:
$table = $_GET['table'];
$num = $_GET['num'];

But, you also need to clean the data before you run any query, else I can visit your site and do anything I want to your database. The main reason register_globals is turned off by default in recent versions of PHP is because of security issues.

Terry



Re: Passing variables via URL to php

Posted by: Darren_S
Posted on: 2006-11-17 15:14:00

Thanks, couple of follow-ups.

How do I clean the data?

and

How can you do stuff to my database if you don't know the username, password and even database name? I have wondered about the wisdom of having my password hardcoded into a .php file, but was told web servers never return the raw .php file, so no one would ever see it.

Am I being VERY naive?

Re: Passing variables via URL to php

Posted by: kchrist
Posted on: 2006-11-17 15:14:00

In reply to:


http://www.countybeermakers.org.uk/recipes/recipe.php?table=anniversary&num=1
$query = "SELECT * FROM $table WHERE number=$num";


In addition to the good advice you got from everyone else, I want to mention that I sure hope there's some data validation/cleaning going on somewhere in between these two things.

Re: Passing variables via URL to php

Posted by: kchrist
Posted on: 2006-11-17 15:21:00

Read up on SQL injection. The very first example on that page should look familiar.

You can clean the data by doing something as simple as stripping out non-alphanumerics, for example.

You know what values are valid for these variables, so make sure you don't accept anything but those values. Either strip out anything else or return an error if you see it.

Re: Passing variables via URL to php

Posted by: brink
Posted on: 2006-11-18 05:32:00

I advise two things:

Use either $_REQUEST['variablename'] or $_GET['variablename'] instead of just $variablename, as others have said.

Use mysql_real_escape_string to sanitize your data, or some other mechanism.
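The following is an added example, not code from the thread, that puts kchrist's advice (accept only the values you know are valid) and brink's advice (escape or otherwise protect what reaches the query) into one script for the two variables in question. The table name is checked against a fixed allowlist, because a table name cannot be escaped or bound as a parameter; the record number is required to be a plain integer and then bound as a parameter. The allowlisted table names, the simulated $_GET array and the commented-out connection details are all placeholders. The mysql_* functions named in the thread were removed in PHP 7, so the connection sketch uses mysqli prepared statements in their place.

```php
<?php
// Added example, not from the thread: validating ?table=...&num=... before
// either value reaches SQL. $_GET is a constructed array so this runs from
// the CLI; table names and credentials below are placeholders.

$_GET = ['table' => 'anniversary', 'num' => '1'];

// Placeholder allowlist of tables this script may query. Only exact matches
// from this list are ever interpolated into the FROM clause.
const ALLOWED_TABLES = ['anniversary', 'bitter', 'stout'];

function validateTable(string $table): string
{
    // Strict comparison against known names; anything else is an error,
    // not something to "clean up".
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('unknown recipe table');
    }
    return $table;
}

function validateNum(string $num): int
{
    // Accept only a short decimal integer. Rejecting (rather than stripping)
    // makes a bad request visible instead of silently querying something else.
    if (!preg_match('/^\d{1,9}$/', $num)) {
        throw new InvalidArgumentException('recipe number must be an integer');
    }
    return (int) $num;
}

function buildQuery(string $table, int $num): string
{
    // $table has passed the allowlist and $num is an int, so this string is
    // safe to build; with a live connection the number is bound instead.
    return "SELECT * FROM `$table` WHERE number = $num";
}

try {
    $table = validateTable($_GET['table'] ?? '');
    $num   = validateNum($_GET['num'] ?? '');
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Bad request: ', $e->getMessage(), "\n";
    exit;
}

echo buildQuery($table, $num), "\n";

// With a real database (placeholder credentials), bind the number as a
// parameter so the value is never interpolated into SQL at all:
// $db   = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
// $stmt = $db->prepare("SELECT * FROM `$table` WHERE number = ?");
// $stmt->bind_param('i', $num);
// $stmt->execute();
// $row  = $stmt->get_result()->fetch_assoc();
```

Changing the constructed $_GET to a table name outside the list, or a num value that is not all digits, exercises the 400 path; the allowlist is the part no escaping function can replace, since escaping protects string literals, not identifiers.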
