Listing Articles for a PEAR Content Management System - Table with Articles
(Page 3 of 4 )
After the navigation panel is constructed, a static HTML table is built that will host a list of articles written by an author. The table will have both dynamic and static parts. The dynamic parts of the table will be created through the PHP code, while the static parts will be created by the HTML page itself:
This script receives a number in the query string from the authors page (the aid parameter) and uses it to look up rows in the database. Because the aid, or author_ID, value comes from outside our application, it has to be filtered before it touches a query. We know one thing about a valid author_ID: it must be a number, and anything else is invalid. PHP's is_numeric() function tells us whether a value is numerical, and the code below uses it for exactly that test. Without the check, a non-numeric value would at best break the query and at worst let an attacker rewrite it, which is the classic SQL injection vulnerability.
First the code checks that an aid parameter was sent at all, then passes its value to is_numeric(). If it passes both tests, the value is copied into a new variable and, on the way, run through mysql_real_escape_string() before it is placed in the SQL string. Two caveats a practitioner should keep in mind: mysql_real_escape_string() needs an open mysql connection to work, and the whole mysql_* extension was removed in PHP 7, where the same job is done with a prepared statement in mysqli or PDO. Also note that is_numeric() accepts forms such as "3.0" and "1e2", so an even stricter check is to cast the value to an integer, or validate it with FILTER_VALIDATE_INT, before using it. If the value fails the test, the script must stop: printing an error message and then running the query anyway would execute it with an undefined $aid.
The query itself is very easy to understand. The stories table has a foreign key column, author, that links each story to the author who wrote it. So if the author with ID 3 has written six articles, the query returns all six rows whose author value is 3, and they are listed here:
// Accept the author id only when it is present and numeric
if (isset($_GET['aid']) && is_numeric($_GET['aid'])) {
    // Escape the (already numeric) value before it goes inside the quotes
    $aid = mysql_real_escape_string($_GET['aid']);
} else {
    // Stop here: without the exit the query below would run with an undefined $aid
    echo "Invalid format";
    exit;
}
$sql = "SELECT * FROM stories WHERE author='" . $aid . "'";
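The same lookup, written the way it would be done today, as an added example that is not part of the tutorial's code: the author id is validated as a strict integer rather than with is_numeric(), and the query is a prepared statement with a bound parameter, so user input never becomes part of the SQL text. To run without a MySQL server it uses PDO with an in-memory SQLite database; the stories table layout and the sample rows are constructed for this example and only mirror what the tutorial describes.

```php
<?php
// Added example, not the tutorial's own code.
// Assumptions: a stories table with id, author and title columns, and
// PDO with the pdo_sqlite driver available (used here as a stand-in for MySQL).

function validate_author_id($raw): ?int
{
    // is_numeric() accepts "3.0", "1e2" and similar; an id must be a plain
    // positive integer, so validate with FILTER_VALIDATE_INT and a minimum of 1.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function stories_by_author(PDO $db, int $aid): array
{
    // The placeholder is bound as an integer; the SQL string never contains user input.
    $stmt = $db->prepare('SELECT id, title FROM stories WHERE author = :aid ORDER BY id');
    $stmt->bindValue(':aid', $aid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- constructed sample data, standing in for the real stories table ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE stories (id INTEGER PRIMARY KEY, author INTEGER NOT NULL, title TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO stories (author, title) VALUES (?, ?)');
foreach ([[3, 'First story'], [3, 'Second story'], [5, 'Story by another author']] as $row) {
    $ins->execute($row);
}

// Values as they might arrive in $_GET['aid'], including two injection attempts
$inputs = ['3', '3.0', '1e1', '-1', '3 OR 1=1', "3' OR '1'='1"];
foreach ($inputs as $raw) {
    $aid = validate_author_id($raw);
    if ($aid === null) {
        printf("%-16s rejected (is_numeric() alone would say: %s)\n",
            var_export($raw, true), is_numeric($raw) ? 'valid' : 'invalid');
        continue;
    }
    $rows = stories_by_author($db, $aid);
    printf("%-16s accepted as %d -> %d row(s)\n", var_export($raw, true), $aid, count($rows));
}
```

The loop output makes the difference visible: '3' is accepted and returns the two sample rows for author 3, while '3.0' and '1e1' are rejected even though is_numeric() would have passed them, and the two injection strings are rejected by both checks. With the bound parameter, even a value that slipped through validation would be sent to the database as data, not as SQL.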