
I want to build an HTML sitemap with 500 links per sitemap page. My site has more than 10,000 posts.

My sitemap.php file:

// Assumes a connection already opened with mysql_connect()/mysql_select_db()
$sql = mysql_query("SELECT * FROM post WHERE id BETWEEN 1 AND 500");
while ($data = mysql_fetch_array($sql)) {
    echo "<a href='http://" . $data['url'] . "'>" . $data['title'] . "</a>";
    echo "<br>";
}

How do I get the next 500 posts via a URL parameter? Something like

/sitemap.php?=2 or

/sitemap.php?=501&1000

Ram

1 Answer

/sitemap.php?=2 or
/sitemap.php?=501&1000

This won't work. You will have to use parameter names, e.g. like this:

/sitemap.php?page=2

Then get the parameter values using $_REQUEST:

$page = $_REQUEST['page'];

and perform the query accordingly:

$sql = mysql_query("SELECT * FROM post WHERE id BETWEEN " . (($page - 1) * 500) . " AND " . ($page * 500));

P.S. I know, I know... SQL injection, parameter validation, etc. That was not the point.

proskor
  • SQL injection? This method is not safe? – Ram Aug 26 '13 at 18:50
  • This particular one is probably fine since if `$page` isn't a number, the PHP will blow up. The point that @proskor was making is that someone could pass a URL like `/sitemap.php?page=2;SELECT * FROM *`, and that would eventually get passed into $sql. In other words, manually building SQL commands is a bad habit, and you should get in the habit of using parameterized queries (http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – ernie Aug 26 '13 at 18:53
  • But I'm getting **Parse error: syntax error, unexpected T_VARIABLE on line 4** – Ram Aug 26 '13 at 19:02
  • Line 4 **$sql = mysql_query("SELECT * FROM post WHERE id BETWEEN " . (($page - 1) * 500) . " AND " . ($page * 500));** – Ram Aug 26 '13 at 19:08
  • Hmm, looks fine. Maybe missing semicolon on line 3? – proskor Aug 26 '13 at 19:09
  • @nkteam: Any time you build a SQL statement with data that comes from an untrusted source, then you're leaving yourself open to SQL injection. Learn about using parametrized queries, preferably with PDO instead of the deprecated `mysql_` functions. – Andy Lester Aug 26 '13 at 19:20
  • Yes, I missed a semicolon on the line. Thank you @proskor. – Ram Aug 26 '13 at 19:27
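The hardened version of sitemap.php that the comments above point at, as an added example (this is not code from the question or the answer): the page parameter is validated as a positive integer, the query is a PDO prepared statement instead of a string built with the deprecated mysql_* functions, and the output is HTML-escaped. It assumes the post table from the question (columns id, url, title); the DSN, database name, user and password are placeholders, and $_GET is read instead of $_REQUEST.

```php
<?php
// Added example, not from the original question or answer.
// Assumed: table post(id, url, title) as in the question; DSN, user and
// password below are placeholders to replace with your own.

const LINKS_PER_PAGE = 500;

// Accept only a positive integer page number; anything else falls back to
// page 1. FILTER_VALIDATE_INT rejects inputs such as "2;SELECT * FROM *",
// "2abc" or "" instead of silently coercing them.
$page = filter_var($_GET['page'] ?? '1', FILTER_VALIDATE_INT, [
    'options' => ['default' => 1, 'min_range' => 1],
]);

$pdo = new PDO(
    'mysql:host=localhost;dbname=site;charset=utf8mb4',   // placeholder DSN
    'user',                                               // placeholder user
    'secret',                                             // placeholder password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

// LIMIT/OFFSET pagination does not assume ids are contiguous, so pages stay
// full even after posts are deleted. The values are bound as integers: a
// string bind would be quoted, which MySQL rejects inside LIMIT.
$stmt = $pdo->prepare(
    'SELECT url, title FROM post ORDER BY id LIMIT :limit OFFSET :offset'
);
$stmt->bindValue(':limit', LINKS_PER_PAGE, PDO::PARAM_INT);
$stmt->bindValue(':offset', ($page - 1) * LINKS_PER_PAGE, PDO::PARAM_INT);
$stmt->execute();

$shown = 0;
while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
    // Escape for HTML as well: a stored title containing <script> or a
    // single quote must not turn into markup inside the link.
    $url   = htmlspecialchars('http://' . $row['url'], ENT_QUOTES, 'UTF-8');
    $title = htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
    echo "<a href='$url'>$title</a><br>\n";
    $shown++;
}

// A full page means there may be more posts; link to the next page.
if ($shown === LINKS_PER_PAGE) {
    $next = $page + 1;
    echo "<a href='sitemap.php?page=$next'>Next page</a>\n";
}
```

Request /sitemap.php?page=2 to get posts 501 to 1000. With the prepared statement the page value never becomes part of the SQL text, so even without the integer validation a value like `2;SELECT * FROM *` could not alter the query; the validation is still worth keeping so that garbage input yields page 1 rather than a database error.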