
So I have a file that will get $_GET['id'] from an AJAX request. Here is a part of the PHP file:

include "system/dbconnect.php";
// Script Bin Plugin
$id = $_GET['id']; // raw, unvalidated request parameter

// $id is interpolated straight into the SQL text, so a crafted value
// (for example 0' OR '1'='1) rewrites the WHERE clause: this is SQL injection.
$hresult = mysql_query("SELECT * FROM options WHERE id='$id'") or die(mysql_error());
echo '<ul class="ul"> more content goes here...';

I edited the question to make it clearer: I would like to return the file's content, the HTML and the MySQL results, going through a loop and then rendering the widgets that contain different info from the DB, using AJAX.

  • You mean you have the name of a file and you want to output the contents of the file? Commented Feb 17, 2012 at 1:39
  • It's unclear what you want to do here. Do you want to print anything echoed by your PHP file back to the browser? Commented Feb 17, 2012 at 1:41
  • Well, it's a file that will render 18 different divs (widgets); each div will then render different information from the DB. I have a file handler.php that checks the table for active=yes widgets and then displays all of them through a loop. Commented Feb 17, 2012 at 1:53

1 Answer

You really should escape variables passed via GET:

$id = mysql_real_escape_string(intval($_GET['id']));

Then you can simply run a loop using mysql_fetch_assoc:

$hresult = mysql_query("
    SELECT * FROM `options` WHERE `id` = '{$id}'"
) or die(mysql_error());
echo '<ul class="ul">';
while ($row = mysql_fetch_assoc($hresult)) {
    echo '<li>' . $row['value'] . '</li>';
}
echo '</ul>';

5 Comments

For an ID, intval() would be more appropriate.
Actually, escaping is not necessary after converting to an int since there is nothing to escape in a numeric value, ever.
True, I'm just in the habit of not trusting myself to be smart enough to make that call most of the time :)
That's why it's better not to use dynamic SQL at all but to use e.g. PDO with prepared statements! And when that's not an option I usually do the escaping right when I build the query - you usually don't want SQL-escaped variables floating around anyway, since you might accidentally send them back to the browser, presenting ugly backslashes to the user.
I am looping through include to display each file based on the settings; it's working fine, thank you guys. And thanks for the mysql_real_escape_string, very useful.
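The answer and the comment thread above make two points that are easier to see side by side in running code: the original handler is injectable because the id is pasted into the SQL text, and the fix the comments recommend is a prepared statement (PDO) rather than escaping. The following is an added example, not code from the question, the answer, or the Script Bin plugin. It assumes PHP with the pdo_sqlite extension and an `options` table with `id`, `value` and `active` columns; the in-memory SQLite database, its three rows and the attack payload are constructed for the demo. The HTML-escaping on output is an extra safeguard added here, not something the original answer discussed.

```php
<?php
// Added example (not from the original Q&A). Assumes: pdo_sqlite available;
// table `options` (id INTEGER, value TEXT, active TEXT). All data below is
// constructed for the demo.

declare(strict_types=1);

// The original handler's approach: the raw GET value is interpolated into
// the SQL text. With id = "0' OR '1'='1" the WHERE clause becomes
//   WHERE id='0' OR '1'='1'
// and every row in the table is returned.
function buildVulnerableQuery(string $id): string
{
    return "SELECT * FROM options WHERE id='$id'";
}

function fetchWidgetsVulnerable(PDO $db, string $id): array
{
    return $db->query(buildVulnerableQuery($id))->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: the id is validated as an unsigned integer AND the
// query is a prepared statement with a bound integer parameter, so SQL
// text and data never mix. Either measure alone defeats the payload above
// (the comments on the answer make the same point about intval()); doing
// both is cheap defence in depth.
function fetchWidgetsSafe(PDO $db, string $rawId): array
{
    if (!ctype_digit($rawId)) {
        return []; // reject anything that is not a plain unsigned integer
    }
    $stmt = $db->prepare('SELECT * FROM options WHERE id = :id AND active = :active');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->bindValue(':active', 'yes', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Rendering the widget list for the AJAX response. DB content goes through
// htmlspecialchars so a stored value containing markup cannot inject script
// into the page that inserts this fragment.
function renderWidgets(array $rows): string
{
    $html = '<ul class="ul">';
    foreach ($rows as $row) {
        $html .= '<li>' . htmlspecialchars((string) $row['value'], ENT_QUOTES, 'UTF-8') . '</li>';
    }
    return $html . '</ul>';
}

// Constructed demo database standing in for system/dbconnect.php.
function demoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE options (id INTEGER PRIMARY KEY, value TEXT, active TEXT)');
    $db->exec("INSERT INTO options VALUES (1, 'clock', 'yes'), (2, 'weather', 'no'), (3, '<b>news</b>', 'yes')");
    return $db;
}

$db = demoDb();
$payload = "0' OR '1'='1"; // constructed attack value, as it would arrive in $_GET['id']

printf("vulnerable query: %s\n", buildVulnerableQuery($payload));
printf("vulnerable, id=%s -> %d rows\n", $payload, count(fetchWidgetsVulnerable($db, $payload)));
printf("safe, id=%s -> %d rows\n", $payload, count(fetchWidgetsSafe($db, $payload)));
printf("safe, id=2 (active=no) -> %d rows\n", count(fetchWidgetsSafe($db, '2')));
printf("safe, id=3 -> %s\n", renderWidgets(fetchWidgetsSafe($db, '3')));
```

Run it with `php example.php`. The vulnerable path returns all three rows for the payload, while the prepared-statement path returns none for the payload and only active rows for a well-formed id. Note that `mysql_*` functions were removed in PHP 7, so moving to PDO (or mysqli) with bound parameters is the supported route in any case; the `active = 'yes'` filter is included because the asker's handler.php applies that same condition.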
