One more PHP question

[nightcat]

Hi.

I'm trying to make something like Javascript's 'onclick' function in PHP.

Clicking text should start a function and the text should be passed as an argument to the function it starts.

Can't seem to find how to do it.

'Google People' are welcome to give ideas on which serch words to use

[Tim_axe]

Not possible. You have to use JavaScript to do onclick();.


PHP is the PHP Hypertext Preprocessor. Preprocessor being the key word there.

PHP is what happens to a *.php file before the browser ever sees it. The hypertext (HTML) is preprocessed (PHP) and the results of that processing are sent to the browser. If there is "<PHP ... ?>" in the file the PHP Preprocessor is looking at, it executes the code in there before returning it to the person requesting the information. From there the browser displays the output.


Basically, PHP is all server-side. The web browser (and Javascript) is client-side. You can have them interact through CGI (HTTP), though.

If you look at the URL in your browser right now, you'll see something like "http://www.antionline.com/showthread.php?s=&threadid=268076". The "?s=&threadid=268076" part of that URL provides information to the server on what thread you're looking at. Unless you pass this information somehow, your PHP application will be quite hopeless at interacting with a user. So you need to come up with a way to mix client-side (JavaScript) code so that it can talk to your server through these kinds of URLs in a useful way to be productive to your goals.


Cheers.

[nightcat]

OK.

That's what I did so far

<a href = 'pagename.php?NameOfTheParameter=$NamOfTheVariable'>$Variable</a>


on the other page.

$Variable = FunctionName($_GET['NameOfTheParameter']);


The problem is that Function I import the data in to returns NULL.

Am I making a mistake on transfering data?

[sec_ware]

Hi

First: The answer by Tim_axe was excellent!

Second - To your new problem: Actually, what is the problem?
What do you want to do? You want to provide a couple of links,
each with a different parameter, which influences what you
do server side?

When you click on your link, is $NameOfTheVariable actually set? (check the URL)

Is $_GET['NameOfTheParameter'] actually set? A superglobals[1,2]-problem?
Why complicate things with the FunctionName-function? What should this function do?
Otherwise, the syntax looks ~correct (works for me).

Let us track the problem down (which version of PHP anyway?). Use something
like

Code:

    echo $_GET['NameOfTheParameter'];

or (old, obsolete way)

Code:

    global $_GET; 
    if ($HTTP_GET_VARS!=NULL){
                $myGET_debug=$HTTP_GET_VARS;

                if (isset($myGET_debug["NameOfTheParameter"])){
                       ...
                }
   }

Note: As of PHP 5.0.0, the long PHP predefined variable
arrays may be disabled with the register_long_arrays
directive.


Cheers.


[1] http://www.php.net/manual/en/languag...predefined.php
[2] http://www.php.net/manual/en/reserve...iables.globals

[nightcat]

OK.I'm using PHP5.

I would of shown the whole site, but at the moment the server is set up for designing the site, so it's far from secure.

Hopefuly by tomorrow I'll finish the basic site setup and will be able to reconfigure the server.

So far I got the problem sorted. Will be glad to let you lot to test the site

[nightcat]

I just got a PM asking me to expand a bit on the problem.

I am working on the prototype site for a tourist company which will be later expanded.

One of the pages shows destinations to which the company takes people. Each destination holds a number of hotel (so far 1 each ).

I display destinations, by getting their data from the MySQL Server.

I do this using next code:

<?php

require ("Functions.php");


#Connect to the database
$link = Connect();


#query the database for the information
$query ="SELECT * FROM destinations
WHERE Held_In_Destination = 1";

$result = mysqli_query ($link,$query);


#display the result of the query
while ($row = mysqli_fetch_array($result))

{
extract ($row);

#Display the results and Set up a link to show
#which hotels are in the given location
#Clicking the link will take a customer to a page showing
#all the hotels in the location they picked.
echo "<tr><td><a href='Hotels.php?id=$Destination_ID'>
$Destination_Name</a></td></tr>";
echo "<tr><td>$Destination_Description<br><br></td></tr>";

}


?>

Now as you can see from the code I am setting up a link in the output of the page to the Hotels.php page.


echo "<tr><td><a href='Hotels.php?id=$Destination_ID'>
$Destination_Name</a></td></tr>";

Hotels.php - uses a predefined fumction which I placed in Funktions.php. The function is going to be used elsewhere.

This also allows me to have shorter code:

<?php

# calling function to select a hotel in a destination

$result=Hotels($_GET['id']);

#show hotels

while ($row = mysqli_fetch_array($result))
{

extract ($row);

echo "<tr><td>$Hotel_Name</td></tr>";
echo "<tr><td>$Hotel_Description</td></tr>";

}
?>

[nightcat]

Now as I am only a couple of weeks old in PHP, I can admit that all this is prety new to me.

Although, I am going to improve fast , as there seem to be a couple more projects coming my way.

[sec_ware]

Hi

Nightcat, thank you for elaborating. I assume, the _GET-variables do
work now, and your function gets the correct parameter?

INJECTION WARNING: It looks like the id-field-value is used as an
input-parameter for another SQL-query. Be aware of injection! Make sure,
that the parameter passed to the query is in a valid format (ie a number,
not a ', =, ... ). I guess, this is what your function FunctionName is for?

Cheers!

[nightcat]

The query will only work with an integer. Anything else should fail.

As I said. I'll make the site public, once it has been finished, so you'll be welcome to test it.

[Tim_axe]

Whenever you get input from a user, make sure to make it safe first! (Incase you haven't yet) If someone replaced the link so that "id" = something like "';attack_query" mySQL would execute the attack_query. Which would of course be a problem if they decided to drop the table or something...


Be sure to check out the PHP function mysql_real_escape_string() @ http://us3.php.net/mysql_real_escape_string

Also these articles may be of interest to look at -- http://www.securityfocus.com/infocus/1704 :: http://www.securityfocus.com/infocus/1709

Cheers


Edit: sec_ware beat me to it. But you may want to post your filtering, because even if it is supposed to be an integer, it is possible to inject a query that successfully completes if proper input filtering is not followed. (having a function making sure it is an integer is considered input filtering)