$tablecode = $_GET['code'];
$query = "SELECT * FROM nmr WHERE code=$tablecode";
If code/$tablecode is a string, it needs to be quoted.
Except, if you simply wrap single quotes, I'll come and do: http://domain/full.php?code=AT';DROP TABLE nmr;'
And kill all your data.
(well, I wouldn't, but an evil person might)
Unless of course you're just not showing the bit where you sanitize it, in which case I'm still going to shout at you - examples that don't use/show proper database sanitization mean that anyone who just copies and pastes the example will have code with bugs and security holes, which makes it easier for evil people to do bad things. :@
Depends how much you trust the rest of your group/etc?
Even if you trust them absolutely, I'd still get into the habit of parametrising queries.
(Not sure about PHP, but with CFML the param-ing queries can further help performance as well, since it can cache one query execution plan for many queries, which is often more efficient.)
Oh, and whilst I'm thinking about it... since this is important data, you are backing up your database, right?
(Can be as simple as an automated mysqldump then zip the output and move somewhere.)
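The parametrised query suggested above, written out as an added PHP example that is not code from the thread. It assumes PDO against MySQL (DSN and credentials are placeholders), and that a valid code looks like AT052 (two letters then three digits), which is an assumption about the data.

```php
<?php
// Added example: the lookup from the original post done with a parametrised
// query, so a value such as AT';DROP TABLE nmr;' is only ever treated as data,
// never as SQL. Assumes a MySQL database with a table `nmr` whose `code`
// column holds values like AT052. DSN and credentials are placeholders.

$dsn = 'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4';
$pdo = new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Vulnerable version from the thread, kept here for comparison only:
//   $query = "SELECT * FROM nmr WHERE code=$tablecode";

/**
 * Fetch one nmr row by its code. Returns the row, or null if there is none.
 */
function fetchEntryByCode(PDO $pdo, string $code): ?array
{
    // Belt and braces: the assumed code format is two letters plus three digits.
    // Rejecting anything else early gives a clear 404 instead of a DB error.
    if (!preg_match('/^[A-Z]{2}\d{3}$/', $code)) {
        return null;
    }

    // The placeholder is bound separately from the SQL text; the driver sends
    // the value to the server as a parameter, so quoting is never our problem.
    $stmt = $pdo->prepare('SELECT * FROM nmr WHERE code = :code');
    $stmt->execute([':code' => $code]);

    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

$code  = $_GET['code'] ?? '';
$entry = fetchEntryByCode($pdo, $code);

if ($entry === null) {
    http_response_code(404);
    echo 'No entry for that code.';
} else {
    // htmlspecialchars() so a value coming back out of the DB cannot inject markup either.
    echo '<pre>' . htmlspecialchars(print_r($entry, true), ENT_QUOTES, 'UTF-8') . '</pre>';
}
```

With mysqli the equivalent is prepare() plus bind_param('s', $code); the point in both cases is that the SQL text is fixed and the value travels separately.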
I want an input box where I can stick my 'code' (AT052 etc), click "Go to entry" and it takes me to fullc.php?='AT052'. This one I assume is painfully easy and really does show my lack of knowledge, or more so, what to search since I've been searching lots.
Found plenty of form code for sticking a URL in a box and going to it but I want to stick part of the URL in a box.
Well, not really. In this case it's just an internal project and it clearly doesn't matter and I'm just being pedantic. But a button with an onclick to change URLs is horrible.
Hmmm... actually you're right - should have done a form with method=get instead of the onclick stuff; I was just 'fixing' what was there, rather than thinking properly. :(
It always matters. :( An undisciplined mind leads to sloppy thinking, which leads to inefficiency and results in not having a new personal website for half a decade. :((
Um, specific things... primarily, it's easier to read (you know where you're going from the start) and more maintainable (if you wanted to add further fields, you just add the input tag - no need to change the onclick), and also it doesn't rely on JavaScript when it doesn't need to (simple things are less likely to break).
For a smallish internal app like this, the benefits are only slight, but when you get to larger apps, they become more significant. As I said, it's good to keep in the right frame of mind.