PHP Question
|
|
Aaron Levy
Medicated Lately?
Join date: 3 Jun 2004
Posts: 2,147
|
07-03-2006 22:08
How do I pass data to the PHP script from the URL?
Like "http://www.domain.com/search.php?category=5".
How do I get that "category=5" into a WHERE 'category'=5 in my SELECT statement?
Thanks!
|
|
Jesse Malthus
OMG HAX!
Join date: 21 Apr 2006
Posts: 649
|
07-03-2006 22:35
Look at the $_GET and $_POST arrays.
So, $cat = $_GET['category']; and you can use the value of $cat in subsequent SQL statements.
|
Aaron Levy
Medicated Lately?
Join date: 3 Jun 2004
Posts: 2,147
|
07-03-2006 22:50
AWESOME! It worked on the first try.
Thanks, Jesse!
|
|
Rodrick Harrington
Registered User
Join date: 9 Jul 2005
Posts: 150
|
07-03-2006 23:29
Be aware you might wanna filter that through a few things before you apply it to the database... For an example, do a Google search for SQL injection attacks. Basically, when taking user input, either POST or GET, you cannot trust that nothing malicious will be used, so filter EVERYTHING.
|
|
Jesse Malthus
OMG HAX!
Join date: 21 Apr 2006
Posts: 649
|
07-04-2006 10:53
AT LEAST use mysql_escape_string on any data you get from users. SQL injection attacks are not fun.
|
|
Aaron Levy
Medicated Lately?
Join date: 3 Jun 2004
Posts: 2,147
|
07-04-2006 14:33
Can a hacker get the URL/IP address of my server if it's hard-coded in an object? Wouldn't the LL servers be connected to my server, and not the user's SL client, right?
|
|
Adriana Caligari
Registered User
Join date: 21 Apr 2005
Posts: 458
|
07-04-2006 14:58
As far as I am aware there is no longer any way to see the text inside a script - so to the best of my knowledge, no they couldn't tackle your object and walk away with your server address.
(Make sure you have removed debug etc. for errors tho - that is normally one of my oversights:
Secure object: Debug: Cannot access http::/blahblahblah
Always shoot myself when I do that and forget to take it out.)
_____________________
Maker of quality Gadgets
Caligari Designs Store
|
Mark Barrett
SLbuzz.com Curator
Join date: 13 Mar 2006
Posts: 27
|
07-04-2006 15:03
1. As said before, make sure you prevent SQL injections. If you're using MySQL, use mysql_real_escape_string(). Also watch out for conflicts with magic quotes (don't use magic quotes if you can avoid it). Your best option (if you're using PHP5) is to use PDO and prepared queries.
2. Yes, the sim is making the HTTP request, so the URL is not exposed to users (unless your script is modifiable).
3. Watch out for llHTTPRequest() throttling.
4. If you're sending lots of data, use POST, not GET. In PHP, you can grab the POST data with $HTTP_RAW_POST_DATA or file_get_contents("php://input") (might only apply to PHP running as CGI).
|
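The PDO prepared-query approach recommended in the post above, as an added example that is not part of the original thread. It assumes the pdo_sqlite extension so it can run offline against an in-memory database; the `items` table, its columns and the `findByCategory()` helper are hypothetical.

```php
<?php
// Added example: search.php-style lookup with input validation and a PDO prepared statement.
// Assumptions: pdo_sqlite is loaded; the items table and its rows are constructed sample data.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, category INTEGER)');
$pdo->exec("INSERT INTO items (name, category) VALUES ('hat', 5), ('cane', 5), ('boat', 7)");

/**
 * Return the item names in one category.
 * $raw is the untrusted value taken from $_GET['category'].
 */
function findByCategory(PDO $pdo, $raw): array
{
    // Validate first: the column holds integers, so accept only a positive integer.
    $category = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($category === false) {
        return []; // reject instead of guessing what the caller meant
    }

    // The SQL text is fixed; the value is sent separately and is never parsed as SQL.
    $stmt = $pdo->prepare('SELECT name FROM items WHERE category = :category ORDER BY id');
    $stmt->bindValue(':category', $category, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample inputs standing in for $_GET['category'],
// including non-numeric and missing values that must not reach the query.
$samples = ['5', '7', '5 OR 1=1', '', null];
foreach ($samples as $raw) {
    $names = findByCategory($pdo, $raw);
    printf("%-12s => %s\n", var_export($raw, true), $names ? implode(', ', $names) : '(rejected or no rows)');
}
```

In a real search.php the call would be `findByCategory($pdo, $_GET['category'] ?? null)`, with the PDO connection pointed at the production database instead of the in-memory one.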
Zarf Vantongerloo
Obscure Resident
Join date: 22 Jun 2005
Posts: 110
|
07-08-2006 17:11
If one is being truly paranoid, then there is a vulnerability in that the connection from the sim. to your server goes across the open internet. Meaning a very sophisticated (or at least very well placed) attacker could watch the traffic go by, sniff the packets and extract your URLs.
Mind you, this couldn't be done in LSL, or by objects in world. I'm talking about people with malicious code running on your web server, or on nearby (in the network sense) servers.
To cover this one, you need to be using https. Using https with your own cert is not bad -- sniffing packets is no longer possible. But, man-in-the-middle attacks are (though, these require even more stealth and black art, like hijacking your DNS, etc...). To be as secure as possible, you need a root signed certificate.
Having said all that, unless you are xfering serious data, just doing what you're doing over http is just fine. Keep the scripts from being readable by others (don't make 'em mod.) and no one in world will be able to grab your URLs.