PHWinfo - Afficher un message

11/09/2007, 18h34

On Sep 11, 2007, at 1:22 PM, Instruct ICC wrote:

>> From: Jason Pruim <japruim@raoset.com>
>> Here is the relevant code (I think...)
>>
>> $search = $_GET["search"];
>> $self = $_SERVER['PHP_SELF'];
>> $qstring = "SELECT * FROM current WHERE FName like '%$qstring%'
>> or LName like '%$qstring%' or Add1 like '%$qstring%' or Add2 like
>> '% $qstring%' or City like '%$qstring%' or State like '%$qstring%'
>> or Zip like '%$qstring%' or XCode like '%qstring%'";
>
> Perhaps you meant
> like '%$search%'
> instead of
> like '%$qstring%' multiple times?

Actually I did, Need to proof read my code a little bit more when I
copy/paste it from another project...

I fixed that but the problem still remains... When I preform the
search I get redirected from index.php to edit.php and can't see
where that would happen.

>
> Also read http://en.wikipedia.org/wiki/SQL_injection

I have read about SQL injection, and I will be scrubbing the data
before searching but the search is only available after logging into
the system. No one who isn't logged in can even view the page

>
> __________________________________________________ _______________
> Gear up for Halo® 3 with free downloads and an exclusive offer.
> http://gethalo3gear.com?ocid=Septemb...lo3_MSNHMTxt_1
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

--

Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424
www.raoset.com
japruim@raoset.com

11/09/2007, 18h34	#3
Jason Pruim Messages: n/a Hébergeur:	Re: [PHP] SEARCHING for an answer... On Sep 11, 2007, at 1:22 PM, Instruct ICC wrote: >> From: Jason Pruim <japruim@raoset.com> >> Here is the relevant code (I think...) >> >> $search = $_GET["search"]; >> $self = $_SERVER['PHP_SELF']; >> $qstring = "SELECT * FROM current WHERE FName like '%$qstring%' >> or LName like '%$qstring%' or Add1 like '%$qstring%' or Add2 like >> '% $qstring%' or City like '%$qstring%' or State like '%$qstring%' >> or Zip like '%$qstring%' or XCode like '%qstring%'"; > > Perhaps you meant > like '%$search%' > instead of > like '%$qstring%' multiple times? Actually I did, Need to proof read my code a little bit more when I copy/paste it from another project... I fixed that but the problem still remains... When I preform the search I get redirected from index.php to edit.php and can't see where that would happen. > > Also read http://en.wikipedia.org/wiki/SQL_injection I have read about SQL injection, and I will be scrubbing the data before searching but the search is only available after logging into the system. No one who isn't logged in can even view the page > > __________________________________________________ _______________ > Gear up for Halo® 3 with free downloads and an exclusive offer. > http://gethalo3gear.com?ocid=Septemb...lo3_MSNHMTxt_1 > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > -- Jason Pruim Raoset Inc. Technology Manager MQC Specialist 3251 132nd ave Holland, MI, 49424 www.raoset.com japruim@raoset.com