A mistake somewhere in my code


Chousho
Mon 18th Sep '06, 9:11pm
Hey there!
I set up a database for some testing with the book I bought a while ago from Sitepoint. Anyway, I have a table named "page" with 2 rows: pageid and content.
I am having some trouble creating a good way to extract the content via php.

This is what I'm currently working with. Keep in mind, I have a separate file for the DB connection. Why won't it show the content at the end?

<?php
// extract the content from the database
$id = $_GET['id'];
$raw_content = @mysql_query("SELECT content FROM page WHERE pageid = '".mysql_real_escape_string($id)."' limit 1");

if (!$raw_content) {
    exit ('Page does not exist or can not be found.');
}

if (mysql_fetch_array($raw_content) < 1) {
    exit ('That id is not appropriate.');
}

$raw_content = mysql_fetch_array($raw_content);
$content = $raw_content['content'];

// Filter out HTML
$content = htmlspecialchars($content);

// If no page specified, default to the first page ($page = 0)
if(!isset($_GET['page'])) {
    $page = 0;
} else {
    $page = $_GET['page'];
}

// Split text into array of pages
$textarray = spliti('\[PAGEBREAK]', $content);

// Select the page we want
$content = $textarray[$page];

// BBcode to HTML
// Text style - Bold, Italic, Underline
$content = str_replace (array ('', ''), '<strong>', $content);
$content = str_replace (array ('', ''), '</strong>', $content);

$content = str_replace (array ('', ''), '<em>', $content);
$content = str_replace (array ('', ''), '</em>', $content);

$content = str_replace (array ('', ''), '<span style="text-decoration: underline;">', $content);
$content = str_replace (array ('', ''), '</span>', $content);

// Super and subscript
$content = str_replace (array ('', ''), '<sup>', $content);
$content = str_replace (array ('', ''), '</sup>', $content);

$content = str_replace (array ('', ''), '<sub>', $content);
$content = str_replace (array ('', ''), '</sub>', $content);

// BBlinks to HTML
$content = eregi_replace ('\\([-_./a-z0-9!&%#?+,\'=:;@~]+)\\', '<a href="\\1">\\1</a>', $content);

$content = eregi_replace ('\\+)]([^\\[]+)\\ (([-_./a-z0-9!&%#?+,\'=:;@~)', '<a href="\\1">\\2</a>', $content);

// Paragraphs and line breaks
$content = ereg_replace("\r\n", "\n", $content);
$content = ereg_replace("\r", "\n", $content);
$content = ereg_replace("\n\n", '</p><p>', $content);
$content = ereg_replace("\n", '<br />', $content);

$PHP_SELF = $_SERVER['PHP_SELF'];

if ($page != 0) {
    $prevpage = $page -1;
    echo "<p><a href=\"$PHP_SELF?id=$id&amp;page=$prevpage\">".'Previous Page</a></p>';
}

echo "<p>$content</p>";

if ($page < count($textarray) - 1) {
    $nextpage = $page + 1;
    echo "<p><a href=\"$PHP_SELF?id=$id&amp;page=$nextpage\">".'Next Page</a></p>';
}
?>

nico_swd
Tue 19th Sep '06, 9:39am
Hey there!
I set up a database for some testing with the book I bought a while ago from Sitepoint. Anyway, I have a table named "page" with 2 rows: pageid and content.
I am having some trouble creating a good way to extract the content via php.

Do you mean 2 rows, or 2 columns?
Every page should have its own row, and a unique ID. If that's the case it's quite easy to grab the right content.


<?php
// extract the content from the database
$id = $_GET['id'];
$raw_content = @mysql_query("SELECT content FROM page WHERE pageid = '".mysql_real_escape_string($id)."' limit 1");



Until here it's not that bad. If the ID you're receiving from the URL is numeric, then note that you don't need single quotes around it in the query string. And I'd use intval() (http://uk2.php.net/manual/en/function.intval.php) rather than mysql_real_escape_string() in this case. Like this.

<?php
// extract the content from the database
$id = intval($_GET['id']);
$raw_content = @mysql_query("SELECT content FROM page WHERE pageid = ".$id);


The LIMIT isn't really necessary here either since every page should have its unique ID.



if (mysql_fetch_array($raw_content) < 1) {
    exit ('That id is not appropriate.');
}



mysql_fetch_array() returns an array, and its size cannot be checked like this. Use mysql_num_rows() here instead.

if (mysql_num_rows($raw_content) < 1) {
    exit ('That id is not appropriate.');
}


I didn't check your whole code, but if you've done all that, the following part of your code should work (which is the part you're asking for help with).


$raw_content = mysql_fetch_array($raw_content);
$content = $raw_content['content'];

Chousho
Tue 19th Sep '06, 1:12pm
*Much helpful stuff*

Thank you a lot! Yes, each content has its own row and unique id (pageid being the primary key).


So I can just make sure id is an int, and not worry, right? What about for other values passed by the browser? As far as I can see, I would only have such things as id=5&page=2, so I guess that would be an int as well.

However, when I create a search page, it would be a good idea to use mysql_real_escape_string to pass the form value the user enters, right?

I'll try out your code right now, thank you very much!

-- edit--
IT WORKS! YAAAAY!
Thank you thank you thank you so much! I've been trying for 3 days to get this to work to no avail.

*cries* I love you, nico_swd, haha

nico_swd
Tue 19th Sep '06, 1:39pm
Hahaha, glad you got it working. :D

Use intval() only for numeric values, such as the page ID and page number. For any other data use mysql_real_escape_string(), no matter if it comes from a form or the URL.
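
The advice in this thread, restated for current PHP as an added example (not code from any poster): the mysql_* functions used above were removed in PHP 7, so this uses PDO with bound parameters for the numeric id, the page number and a search term, and it checks for a missing row on a single fetch. The in-memory SQLite database, the sample rows and the helper names int_param, load_page and search_pages are assumptions made for illustration.

```php
<?php
// Added example. Schema and rows are constructed; SQLite keeps it offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE page (pageid INTEGER PRIMARY KEY, content TEXT)');
$db->exec("INSERT INTO page VALUES (1, 'First[PAGEBREAK]Second'), (2, '100% done')");

// Strict integer check. intval() turns "5abc" into 5 and "abc" into 0;
// FILTER_VALIDATE_INT rejects both, so bad input is refused, not guessed at.
function int_param(array $src, string $key, int $default, int $min): ?int
{
    if (!isset($src[$key])) {
        return $default;
    }
    $v = filter_var($src[$key], FILTER_VALIDATE_INT, ['options' => ['min_range' => $min]]);
    return $v === false ? null : $v;
}

// Fetch once and test that result: fetch() returns false when no row matched.
function load_page(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT content FROM page WHERE pageid = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['content'];
}

// Search term: bound as a parameter, never concatenated into the SQL.
// LIKE wildcards typed by the user are escaped with "!" so they match literally.
function search_pages(PDO $db, string $term): array
{
    $like = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term) . '%';
    $stmt = $db->prepare("SELECT pageid FROM page WHERE content LIKE :t ESCAPE '!'");
    $stmt->execute([':t' => $like]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$get = ['id' => '1', 'page' => '1'];          // constructed stand-in for $_GET
$id = int_param($get, 'id', 0, 1);
$page = int_param($get, 'page', 0, 0);
$content = ($id === null) ? null : load_page($db, $id);
$pages = ($content === null) ? [] : explode('[PAGEBREAK]', $content);
$found = $page !== null && isset($pages[$page]);
echo $found ? htmlspecialchars($pages[$page]) : 'Page not found', "\n";
// Constructed inputs: an id with trailing garbage, then two search terms.
var_dump(int_param(['id' => '5abc'], 'id', 0, 1));
var_dump(search_pages($db, "100%' OR '1'='1"));
var_dump(search_pages($db, '100%'));
```

Against MySQL only the DSN and credentials passed to new PDO change; the queries and bindings stay the same.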