I have looked and looked and I cannot get this working. I have tried to do it with .htaccess and other tries but nothing is working.

I am trying to get from new-machinery.php?Item=100 to new-machinery/Item-Name

This is what I have for my product pages.

```php
<?php

$LimitAmt = $Amt + 1;
$Limit = "LIMIT $LimitAmt";
$NextPage = $Page + 1;
$PrevPage = $Page - 1;

// Optional category filter. Note: $Cat is interpolated into the SQL as-is.
$SQLCat = "";
if (strlen($Cat) > 1)
{
    $SQLCat = "AND (`Category` LIKE '$Cat;%' OR `Category` LIKE '%;$Cat' OR `Category` LIKE '$Cat')";
}

$SQL_GetEquipment = "SELECT * FROM `new_equip` WHERE `condition`='New' $SQLCat $Limit";
$R_GetEquipment = mysql_query($SQL_GetEquipment, $Link);

/* Older mysql_result() version, commented out:
$name = mysql_result($result,$i,"name");
$model = mysql_result($result,$i,"model");
$manu = mysql_result($result,$i,"manu");
$desc = mysql_result($result,$i,"desc");
$imagename = mysql_result($result,$i,"image");*/

// $row is one fetched row of $R_GetEquipment (the fetch loop is not shown in the post).
$eid = $row['id'];
$itemname = $row['itemname'];
$model = $row['model'];
$manufactuer = $row['manufactuer'];
$desc = $row['desc'];
$imagename = $row['image'];

// Fall back to a placeholder when the image file is missing or the name is too short.
if (!file_exists("UImages/" . $imagename) || strlen($imagename) < 5)
{
    $imagename = "NoImage.jpg";
}
?>
```

And to display the product's URL I have

```php
<a itemprop="url" href="new-product.php?Item=<?php echo $itemname; ?>"><span itemprop="name"><?php echo $itemname; ?></span></a>
```

Like I said, I have looked and tried everything I could find but I keep getting a 404 page.

Any help would be greatly appreciated.

chris85
WebbieWorks
  • What did you try with .htaccess? What does the code you're showing have to do with rewrites? – chris85 Oct 08 '15 at 01:40
  • Possible duplicate of [Reference: mod\_rewrite, URL rewriting and "pretty links" explained](http://stackoverflow.com/questions/20563772/reference-mod-rewrite-url-rewriting-and-pretty-links-explained) – chris85 Oct 08 '15 at 01:43
  • I wasn't sure if you needed to see my code to see if I was doing something wrong. – WebbieWorks Oct 08 '15 at 01:49
  • What you did with the `.htaccess` would be useful and what errors/issues specifically you encountered. – chris85 Oct 08 '15 at 01:50
  • Also, everything I read, has it going like /product/ProductID/ I need it to be product/ProductName/. I tried following this https://www.addedbytes.com/articles/for-beginners/url-rewriting-for-beginners/ – WebbieWorks Oct 08 '15 at 01:51
  • Try `href="new-product/">` then in htaccess send `^newproduct/(.*)` to `new-product.php?Item=$1` make sure you encode that `$itemname` appropriately though. Also update your driver to `PDO` or `mysqli` and use prepared statements. – chris85 Oct 08 '15 at 01:57
  • I tried converting to mysqli and couldn't grasp it. Had me confused. Will try your suggestion. Thank You – WebbieWorks Oct 08 '15 at 01:59
  • I added `RewriteEngine On` `RewriteRule ^new-product/(.*) new-product.php?Item=$1` and the URL I am getting is new-product.php?Item=Item Name, but it is blank, not pulling the – WebbieWorks Oct 08 '15 at 02:18
  • What is the `-`? Did you url encode the `$itemname`? Also did you change the `href` on your page? – chris85 Oct 08 '15 at 02:27
  • By doing that I get the URL - new-product.php?Item=Item+Name – WebbieWorks Oct 08 '15 at 02:31
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/91682/discussion-between-chris85-and-webbieworks). – chris85 Oct 08 '15 at 02:34

1 Answer

First you need to change your links to the format you want. Something like

```php
href="new-product/<?php echo $itemname; ?>">
```

In your .htaccess you want something like.

```apache
RewriteRule ^new-product/(.*) new-product.php?Item=$1
```

The `^` is the start of the URL.
The `()` captures the values inside it.
The `.` is any character and the `*` is zero or more occurrences of any character. So basically `.*` is equal to anything.
The `$1` is the value from the first capture group. If you have 2 capture groups they are in order of appearance.

So this `new-product/(.*)` is the URL, and on the back end the RewriteRule tells Apache to send the request to PHP as `new-product.php?Item=$1`.

So in your PHP you're going to need to change your call so it checks for the name rather than the ID.

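```php
// Escape the value from the rewritten URL before it goes into the SQL string.
$name = mysql_real_escape_string($_GET['Item']);
// Look the product up by name instead of by ID.
$SQL_GetEquipment = "SELECT * FROM `new_equip` WHERE `itemname`='$name' LIMIT 1;";
$R_GetEquipment = mysql_query($SQL_GetEquipment, $Link);
$row = mysql_fetch_assoc($R_GetEquipment);
```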

The fetched data doesn't need to be escaped. The escaping is so your SQL statement can't be manipulated by inserting additional characters.

The preferred approach for this is using parameterized queries; unfortunately, `mysql_` functions don't support that. I'd recommend you update to PDO or `mysqli_` so you can take advantage of these.

https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet#Defense_Option_1:_Prepared_Statements_.28Parameterized_Queries.29
http://php.net/manual/en/security.database.sql-injection.php
How can I prevent SQL injection in PHP?

If other people had the older format you'll need to make a rewrite controller. The htaccess will need to send to a PHP page that has DB access so it can pull the name from the ID, then resend it... or do a conditional check on your page and if the parameter is an integer check it by id.

Community
chris85
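
The answer's recommendations put together (encode the name in the link, look the row up with a parameterized query, and fall back to the id for old-style links), as an added example that is not part of the original answer. It assumes PDO with an in-memory SQLite database and constructed rows in place of the poster's MySQL connection; `productHref` and `findItem` are hypothetical helper names.

```php
<?php
// Added example, not the poster's code. Table and column names follow the page;
// the in-memory SQLite database and its rows are constructed sample data.
declare(strict_types=1);

/** Build the pretty link: URL-encode the path segment, then HTML-escape the attribute. */
function productHref(string $itemname): string
{
    // rawurlencode() yields %20 for a space (not "+"), which is what a path segment needs.
    return htmlspecialchars('new-product/' . rawurlencode($itemname), ENT_QUOTES, 'UTF-8');
}

/** Look up one row by name, or by id when the parameter is all digits (old-style links). */
function findItem(PDO $pdo, string $item): ?array
{
    $byId = ctype_digit($item);
    $column = $byId ? 'id' : 'itemname';   // chosen from a fixed pair, never from user input
    $stmt = $pdo->prepare("SELECT * FROM new_equip WHERE $column = :item LIMIT 1");
    $stmt->execute([':item' => $byId ? (int) $item : $item]);   // value is bound, not concatenated
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE new_equip (id INTEGER PRIMARY KEY, itemname TEXT, model TEXT)');
$pdo->exec("INSERT INTO new_equip VALUES (100, 'Item Name', 'X-1'), (101, 'O''Brien Loader', 'L-2')");

// Values as they would arrive in $_GET['Item'] from the rewritten request; simulated here.
foreach (['Item Name', "O'Brien Loader", '100', "x' OR '1'='1"] as $item) {
    $row = findItem($pdo, $item);
    printf("%-16s -> %s\n", $item, $row ? "id {$row['id']}" : 'no match');
}
echo productHref("O'Brien Loader"), "\n";
```

A product whose name consists only of digits would be treated as an id by this check, so such names need a separate rule.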