Gary Smith wrote:
> Paul Jinks wrote:
>> Hi all
>>
>> I'm building a fairly basic php/mySql site but I'm running into
>> problems due to my total lack of experience. I have a database of
>> videos - each has a title, transcript, description and one or more
>> topics. So far I can search the database by topic (using a drop-down
>> menu), like this:
>>
>> <?php
>> $result = mysql_query("SELECT title FROM videos WHERE topic1= '$topic'");
>>   
> Hi - first up, make sure that you're passing clean input. It's worth
> learning about security from the start. As you've mentioned below that
> you're using PHP, you can do this by making sure $topic has been put
> through mysql_real_escape_string() - it's not ideal, but it's better
> than nothing[1].
>> while($row = mysql_fetch_array($result))
>>   {
>>   echo $row['title'];
>>   echo "<br />";
>>   }
>> ?>
>>   
> What you'd probably be better doing is having something like this:
> 
> printf("<a href='video_display.php?id=%s'>%s</a>", $row["id"],
> $row["title"]);
> 
> And changing your query accordingly.
> 
> Obviously, you'd need video_display.php to accept GET input in the form
> of id= as well.

For the first piece Gary has it right, but your query needs to include
the id also.

$result = mysql_query("SELECT id, title FROM videos WHERE topic1= '$topic'");

For the second piece, in video_display.php, you'd do something like this:

$id = (int)$_GET['id'];
$result = mysql_query("SELECT * FROM videos WHERE id=$id LIMIT 1");

// mysql_query() returns a result resource even when no row matches, so
// check the row count rather than the resource alone.
if($result && mysql_num_rows($result) == 1) {
    $row = mysql_fetch_array($result);

    echo $row['title']."<br />";
    echo $row['description']."<br />";
    echo $row['transcript']."<br />";
    // etc...
} else {
    die("Invalid id");
}

-- 
Thanks!
-Shawn
http://www.spidean.com
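As an added example that is not part of the thread: the same topic listing and video_display.php lookup written with PDO prepared statements, which bind `$topic` and `$id` instead of splicing them into the SQL text, so neither mysql_real_escape_string() nor the (int) cast is carrying the security. It assumes the pdo_sqlite extension and builds a constructed `videos` table in memory so it runs stand-alone.

```php
<?php
// Added example, not code from the thread. In-memory SQLite stands in for
// the MySQL database; the table and rows below are constructed test data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE videos (id INTEGER PRIMARY KEY, title TEXT,
           description TEXT, transcript TEXT, topic1 TEXT)");
$seed = $db->prepare("INSERT INTO videos (title, description, transcript, topic1)
                      VALUES (?, ?, ?, ?)");
$seed->execute(['Intro to PHP', 'First steps', 'Hello everyone...', 'php']);
$seed->execute(['MySQL basics', 'Tables and rows', 'Today we...', 'mysql']);
$seed->execute(["O'Reilly talk", 'Apostrophe in title', 'Welcome...', 'php']);

// Listing page: $topic comes straight from the drop-down ($_GET['topic']).
// Bound as a parameter, a value containing a quote is matched literally as a
// topic name; the interpolated query in the thread would have broken on it.
function listByTopic(PDO $db, string $topic): string
{
    $stmt = $db->prepare("SELECT id, title FROM videos WHERE topic1 = :topic");
    $stmt->execute([':topic' => $topic]);
    $html = '';
    foreach ($stmt as $row) {
        // Escape on output too: a title containing < or & must not become markup.
        $html .= sprintf("<a href='video_display.php?id=%d'>%s</a><br />\n",
            $row['id'], htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'));
    }
    return $html;
}

// Detail page (video_display.php): validate id as a positive integer, bind
// it, and report "not found" on an empty result, not on a failed query.
function showVideo(PDO $db, $rawId): string
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return "Invalid id";
    }
    $stmt = $db->prepare("SELECT title, description, transcript FROM videos
                          WHERE id = :id LIMIT 1");
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return "No such video";
    }
    $esc = fn($s) => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return $esc($row['title']) . "<br />" . $esc($row['description']) . "<br />"
         . $esc($row['transcript']) . "<br />";
}

echo listByTopic($db, 'php');            // two links (ids 1 and 3), title quote escaped
echo listByTopic($db, "o'neill");        // no rows, no SQL error
echo showVideo($db, '2'), "\n";          // title, description, transcript of id 2
echo showVideo($db, '2 OR 1=1'), "\n";   // Invalid id: rejected before any query
```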

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
