0

Here is my code for JSON PHP:

include("connect.php"); 
$id = $_GET['lid'];
function countRec($fname,$tname) {
    $sql = "SELECT * FROM `mail` WHERE confirmed = 'no' AND label_id = '". $id ."'";
    $result = mysql_query($sql) or die ('test'); 
    $num = mysql_num_rows($result);
    return $num;
}

$page = $_POST['page'];
$rp = $_POST['rp'];
$sortname = $_POST['sortname'];
$sortorder = $_POST['sortorder'];

if (!$sortname) $sortname = 'ID';
if (!$sortorder) $sortorder = 'desc';

$sort = "ORDER BY $sortname $sortorder";

if (!$page) $page = 1;
if (!$rp) $rp = 10;

$start = (($page-1) * $rp);

$limit = "LIMIT $start, $rp";

$sql = "SELECT * FROM `mail` WHERE confirmed = 'no' AND label_id = '". $id ."' $sort $limit";
$result = mysql_query($sql) or die ('test'); 

$total = countRec();

header("Expires: Mon, 26 Jul 1997 05:00:00 GMT" );
header("Last-Modified: " . gmdate( "D, d M Y H:i:s" ) . "GMT" );
header("Cache-Control: no-cache, must-revalidate" );
header("Pragma: no-cache" );
header("Content-type: text/x-json");
$json = "";
$json .= "{\n";
$json .= "page: $page,\n";
$json .= "total: $total,\n";
$json .= "rows: [";
$rc = false;
while ($row = mysql_fetch_array($result)) {
    if ($rc) $json .= ",";
    $json .= "\n{";
    $json .= "id:'".$row['ID']."',";
    $json .= "cell:['".$row['email']."'";
    $json .= ",'".addslashes($row['name'])."'";
    $json .= ",'".addslashes($row['country'])."'";
    $json .= ",'".addslashes($row['bus'])."'";
    $json .= ",'".addslashes($row['website'])."'";
    $json .= ",'".addslashes($row['music'])."'";
    $json .= ",'".addslashes($row['radio'])."']";
    $json .= "}";
    $rc = true;
}
$json .= "]\n";
$json .= "}";
echo $json;

I am posting data to this PHP like this: "req.php?lid=3434"

and getting "lid" like $id = $_GET['lid']; as you can see,

but in my MySQL, when I write WHERE label_id = '$id', it doesn't work.

Any suggestions?

Thanks

1 Answer

3

You are referencing the global $id inside a function. You need to mark it as global:

function countRec($fname,$tname) {
    global $id;
    //etc
}

Or you could pass it to the function as a third parameter, which is probably a better solution.

Note that this code is vulnerable to SQL injection attacks. You should either quote $id (e.g. using mysql_real_escape_string()), or if it is always an integer you could cast it, e.g. $id = (int) $id. Better still, you could use PDO and use prepared statements and bound parameters, which removes this problem.


1 Comment

I'd put the $id as a third parameter instead of using global.
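
The answer's two suggestions combined, as an added example that is not code from the original post: $id is passed to the function as a parameter and bound through PDO prepared statements. It goes beyond the answer by allow-listing the ORDER BY column and direction and binding the LIMIT values as integers, since the question's script also takes those from the request. Assumptions: an in-memory SQLite database with constructed rows stands in for the MySQL `mail` table, and fetchRows() is a hypothetical helper name.

```php
<?php
// Added example: hardened version of the question's query logic.
// Assumption: in-memory SQLite with constructed rows replaces the MySQL `mail` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE mail (ID INTEGER PRIMARY KEY, email TEXT, name TEXT,
            confirmed TEXT, label_id INTEGER)");
$pdo->exec("INSERT INTO mail (email, name, confirmed, label_id) VALUES
            ('a@example.com', 'O''Brien', 'no', 3434),
            ('b@example.com', 'Bea', 'no', 3434),
            ('c@example.com', 'Cy', 'yes', 3434),
            ('d@example.com', 'Di', 'no', 1)");

// $id is passed in explicitly instead of being read from a global.
function countRec(PDO $pdo, int $id): int {
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM mail WHERE confirmed = 'no' AND label_id = :id");
    $stmt->execute([':id' => $id]);
    return (int) $stmt->fetchColumn();
}

// Hypothetical helper: one page of unconfirmed rows for a label.
function fetchRows(PDO $pdo, int $id, string $sortname, string $sortorder, int $page, int $rp): array {
    // Identifiers and keywords cannot be bound, so map them through allow-lists.
    $columns = ['ID' => 'ID', 'email' => 'email', 'name' => 'name'];
    $col = $columns[$sortname] ?? 'ID';
    $dir = strtolower($sortorder) === 'asc' ? 'ASC' : 'DESC';
    $page = max(1, $page);
    $rp = min(100, max(1, $rp));
    $stmt = $pdo->prepare("SELECT ID, email, name FROM mail
        WHERE confirmed = 'no' AND label_id = :id ORDER BY $col $dir LIMIT :start, :rp");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':start', ($page - 1) * $rp, PDO::PARAM_INT);
    $stmt->bindValue(':rp', $rp, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request values; in the question's script these come from $_GET / $_POST.
$id = (int) '3434';
$rows = [];
// 'no_such_column' is not in the allow-list, so sorting falls back to ID.
foreach (fetchRows($pdo, $id, 'no_such_column', 'desc', 1, 10) as $r) {
    $rows[] = ['id' => $r['ID'], 'cell' => [$r['email'], $r['name']]];
}
// json_encode() does the quoting that the hand-built string left to addslashes().
echo json_encode(['page' => 1, 'total' => countRec($pdo, $id), 'rows' => $rows]), "\n";
```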
