I have a script that I wrote to look up an ID based on uniqueID:

    if ($_REQUEST['uniqueId'] != ""){
        $qA = "SELECT id FROM customerdata WHERE uniqueId = \"". $_REQUEST['uniqueId']."\"";
        $rA = mysql_query($qA);
        list($id) = mysql_fetch_row($rA);
        echo $id;
        exit;
        if ( mysql_num_rows ($rA) > 0) {
            header('Location:response-en.php?id=$id');
        }
        else
        {
            header('Location:not-found.php');
        }
    }

Rather than sending the user to response-en.php?id=1, it sends them to response-en.php?id=$id.
Any idea why this is happening? Any help would be greatly appreciated! Thank you!
Use:

    header('Location:response-en.php?id='.$id);

When you use a single quote: ‘
This is a string literal. Everything (and I mean EVERYTHING) inside that string is taken wholesale. If you did this:

    $something = 'Location:response-en.php?id=$id';

the value of $something is:

    Location:response-en.php?id=$id

In order to add a variable into the string, you use the concatenation operator (.). Thus, the value of $something after

    $something = 'Location:response-en.php?id='.$id;

would be

    Location:response-en.php?id=5

(assuming $id = 5)
See: http://www.php.net/manual/en/language.types.string.php#language.types.string.syntax.single

When you use double quote: “
PHP will search inside your string to find any variables. It will then replace the variable name with the value of the variable. If you did this:

    $something = "Location:response-en.php?id=$id";

the value of $something is:

    Location:response-en.php?id=5

– note the use of double quotes.
See: http://www.php.net/manual/en/language.types.string.php#language.types.string.syntax.double

Also, I wanted to add that your script is vulnerable to SQL-injection attacks. Always sanitize query-string values before using them in an SQL query. For more info on sanitizing values for SQL, see the docs for mysql_real_escape_string.
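
The two points from the answer above (concatenating $id into the header string, and keeping request values out of the SQL text), combined in an added example that is not part of the original posts. It uses a prepared statement rather than escaping. Assumptions: PDO with an in-memory SQLite table standing in for the MySQL customerdata table, a hypothetical helper named redirectTarget, and constructed sample rows and inputs.

```php
<?php
// Added example, not the poster's code. Assumptions: PDO with the pdo_sqlite
// driver, an in-memory table standing in for customerdata, constructed rows.

function redirectTarget(PDO $db, string $uniqueId): string
{
    if ($uniqueId === '') {
        return 'not-found.php';
    }
    // The placeholder keeps the request value out of the SQL text entirely,
    // so quote characters in it are compared as data, never parsed as SQL.
    $stmt = $db->prepare('SELECT id FROM customerdata WHERE uniqueId = ?');
    $stmt->execute([$uniqueId]);
    $id = $stmt->fetchColumn();   // false when no row matched

    if ($id === false) {
        return 'not-found.php';
    }
    // Single-quoted literal plus concatenation, as in the answer; the int
    // cast guarantees only digits reach the Location header.
    return 'response-en.php?id=' . (int) $id;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customerdata (id INTEGER PRIMARY KEY, uniqueId TEXT)');
$db->exec("INSERT INTO customerdata (id, uniqueId) VALUES (1, 'abc123'), (2, 'def456')");

// Constructed inputs: a known key, an unknown key, and a value containing
// double quotes, which the concatenated query in the question would have
// parsed as part of the SQL statement.
$samples = ['abc123', 'zzz999', 'x" OR "1"="1'];
foreach ($samples as $value) {
    printf("%-16s => %s\n", $value, redirectTarget($db, $value));
}

// In the real script the result would be sent with:
//   header('Location: ' . redirectTarget($db, $_REQUEST['uniqueId'] ?? ''));
//   exit;
```

The mysql_* functions used in the question were removed in PHP 7, so PDO or mysqli with bound parameters is the route on current PHP versions.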