
Can I use a variable from the GET_ method to fetch MySQL data?


I'm wondering if this can be done, or if it is wrong:

I have a table in MySQL which contains these columns:

email_message | email_message_es | email_subject | email_subject_es

So I have this code:

$email_message = $_GET['langmess'];
$email_subject = $_GET['langsub'];

if ($payment == 'gateway1') {
        //Admin Email DATA
        $admin_mail     = mysqli_query($link, "SELECT * FROM email_template WHERE email_type = 'email_me' ");
        $admin_mailData = mysqli_fetch_array($admin_mail);
        //Variables
        $string         = $admin_mailData['$email_message'];
        $subjectmail    = $admin_mailData['$email_subject'];
        $pattern        = '/{(\w+)}/i';
        $replacement    = "$$1";
        $msnAdminbody   = preg_replace($pattern, $replacement, $string);
        eval("\$msnAdminbody = \"<html><body> " . $msnAdminbody . " </body></html>\";");

This is just part of the code, but I'm not sure if I can use a variable to get the data from MySQL. The idea is that the URL contains: http://mydomain/file.php?langmess=email_message_es&langsub=email_subject_es

or

http://mydomain/file.php?langmess=email_message&langsub=email_subject

And so, the email can be sent in the right language to the admin and to the user in the future.

Thanks a lot in advance for your help, and I'm sorry for my English.


Solution

  • It doesn't have much to do with MySQL but the problem is this:

        $string         = $admin_mailData['$email_message'];
        $subjectmail    = $admin_mailData['$email_subject'];
    

    With the single quotes, PHP looks for an index called literally '$email_message'. You need to remove the single quotes to retrieve the column named after the value of the variable.

        $string         = $admin_mailData[$email_message];
        $subjectmail    = $admin_mailData[$email_subject];
    

    That doesn't solve all of the security issues in your code by the way. A safer way to do this is something like this:

    $language_code = $_GET['lang'];
    
    if ($payment == 'gateway1') {
        //Admin Email DATA
        $admin_mail     = mysqli_query($link, "SELECT * FROM email_template WHERE email_type = 'email_me' ");
        $admin_mailData = mysqli_fetch_array($admin_mail);
        //Variables
    
        switch($language_code)
        {
            case 'es':
                $string         = $admin_mailData['email_message_es'];
                $subjectmail    = $admin_mailData['email_subject_es'];
                break;
            default:
                $string         = $admin_mailData['email_message'];
                $subjectmail    = $admin_mailData['email_subject'];
                break;
        }
        $pattern        = '/{(\w+)}/i';
        $replacement    = "$$1";
        $msnAdminbody   = preg_replace($pattern, $replacement, $string);
    

    And the eval() is really unnecessary here and can be replaced with:

        $msnAdminbody = "<html><body> " . $msnAdminbody . " </body></html>";
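
An added example, not part of the original answer: it combines the language allowlist above with `{placeholder}` substitution from an explicit array, so request data never names a column and no template or value is ever passed to `eval()`. The helper names `pick_columns` and `render_template`, the placeholder names `{name}` and `{order_id}`, and the sample row and values are assumptions constructed for illustration.

```php
<?php
// Added example: constructed data, hypothetical helper names.

// Allowlist of language codes -> template columns (column names from the question).
const TEMPLATE_COLUMNS = [
    'en' => ['body' => 'email_message',    'subject' => 'email_subject'],
    'es' => ['body' => 'email_message_es', 'subject' => 'email_subject_es'],
];

// Request data only selects an allowlist entry; it is never used as an
// array index or column name itself. Non-strings (?lang[]=x) fall back to 'en'.
function pick_columns($lang): array
{
    return (is_string($lang) && array_key_exists($lang, TEMPLATE_COLUMNS))
        ? TEMPLATE_COLUMNS[$lang]
        : TEMPLATE_COLUMNS['en'];
}

// Replace {name} placeholders from an explicit array instead of eval().
// Values are HTML-escaped; unknown placeholders are left untouched.
function render_template(string $template, array $values): string
{
    return preg_replace_callback(
        '/\{(\w+)\}/',
        static function (array $m) use ($values): string {
            return array_key_exists($m[1], $values)
                ? htmlspecialchars((string) $values[$m[1]], ENT_QUOTES, 'UTF-8')
                : $m[0];
        },
        $template
    );
}

// Constructed row standing in for the mysqli_fetch_array() result.
$row = [
    'email_message'    => 'Hello {name}, order {order_id} was paid.',
    'email_subject'    => 'Payment received',
    'email_message_es' => 'Hola {name}, el pedido {order_id} fue pagado.',
    'email_subject_es' => 'Pago recibido',
];

$cols   = pick_columns($_GET['lang'] ?? null);
// Constructed values; the markup in 'name' is escaped, not rendered.
$values = ['name' => 'Ana <admin>', 'order_id' => '1042'];

$subjectmail  = $row[$cols['subject']];
$msnAdminbody = '<html><body> ' . render_template($row[$cols['body']], $values) . ' </body></html>';
echo $subjectmail, "\n", $msnAdminbody, "\n";
```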