Question

I have a menu item like this:

$items['property/edit/%'] = array(
    'page callback' => 'drupal_get_form',
    'page arguments' => array('property_edit_view',2),
    'access arguments' => array('access property edit page'),

    'type' => MENU_CALLBACK,
    );

Now I want to get the id next to edit, the '%'. Here is the function which processes it:

function property_edit_view($id){
drupal_set_title("Edit the Property");
global $user;
$form = array();
dpm($id);
$sql = "SELECT * FROM {property} WHERE property_id= $id AND property_uid = $user->uid";

$result = db_query($sql);
$row = db_fetch_object($result);
$form['p_name'] = array(
'#type' => 'textfield',
'#title'=>t('Name of the Property'),
'#required'=>TRUE,
'#default_value'=>t($row->property_name),
);

return $form;
}

But I am getting an error now:

user warning: Unknown column 'Array' in 'where clause' query: SELECT * FROM property WHERE property_id= Array AND property_uid = 1 in C:\wamp\www\getting-in.com\sites\all\modules\property\property.module on line 284.

Is there any way to sort it out please?


Solution

Your function signature for the form builder should include &$form_state as the first parameter for Drupal 6. Any additional arguments to drupal_get_form will be passed in as additional arguments to the form builder after $form_state. For example:

function property_edit_view(&$form_state, $id) {
}

Also, your code contains a SQL injection bug as pointed out by Jonathan Rowny.

Other tips

You need to use %d instead of using the variables directly in your SQL statement. This is to prevent SQL injection, perform validations, and attempt to allow you to use different kinds of databases. Then you provide the variables in the next argument of the db_query function. The placeholders are:

  • %s, string
  • %d, int
  • %b, binary
  • %%, actually puts a "percent" sign
  • %f, float
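
Both answers combined into one corrected Drupal 6 form builder, as an added example that is not part of the original posts. With `$form_state` first in the signature, `$id` receives the URL component instead of an array, and the `%d` placeholders keep it out of the SQL text; the "Property not found." message and the early return for a missing row are assumptions.

```php
<?php
// Added example for a Drupal 6 module; not the original poster's code.

/**
 * Form builder for the path property/edit/%.
 *
 * drupal_get_form() passes $form_state first; the extra 'page arguments'
 * entry (path component 2, the '%') arrives after it as $id.
 */
function property_edit_view(&$form_state, $id) {
  global $user;
  drupal_set_title(t('Edit the Property'));
  $form = array();

  // %d placeholders: db_query() casts each argument to an integer, so
  // the value taken from the URL is never interpreted as SQL.
  $result = db_query(
    "SELECT * FROM {property} WHERE property_id = %d AND property_uid = %d",
    $id, $user->uid
  );
  $row = db_fetch_object($result);

  // No row: the id does not exist or belongs to another user.
  // (Assumed handling; the message text is hypothetical.)
  if (!$row) {
    drupal_set_message(t('Property not found.'), 'error');
    return $form;
  }

  $form['p_name'] = array(
    '#type' => 'textfield',
    '#title' => t('Name of the Property'),
    '#required' => TRUE,
    // Stored data, not a translatable literal, so it is not passed to t().
    '#default_value' => $row->property_name,
  );
  return $form;
}
```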
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow