PHWinfo forum archive of the php.general mailing list

SEARCHING for an answer...
#1 | 11/09/2007, 18:15 | Jason Pruim
Subject: SEARCHING for an answer...

Hi Everyone

I am attempting to add the ability to search a online database, and I
thought that I have the code right, but apparently it's not...

Here's the problem, when I type jason in the search box and hit go
it brings me to edit.php?search=jason which displays nothing since
edit.php is looking for a record number, not a search phrase...

The end result I want, is that someone could search for "jason" and
have it display ONLY the results having "Jason" in them on the same
page. Simple right? Well my brain seems to be on vacation!

Here is the relevant code (I think...)

$search = $_GET["search"];
$self = $_SERVER['PHP_SELF'];
$qstring = "SELECT * FROM current WHERE FName like '%$qstring%' or
LName like '%$qstring%' or Add1 like '%$qstring%' or Add2 like '%$qstring%' or
City like '%$qstring%' or State like '%$qstring%' or
Zip like '%$qstring%' or XCode like '%qstring%'";
if ($search != NULL){
echo "The search string is: <strong>$search</strong>.<BR>";
// mysql_query() takes the query string first and the link resource second
$qresult = mysql_query($qstring, $link);
echo "Query completed";
}
else {
// No search term yet: render the form, posting back to this same script
echo ('
<form action="'.$self.'" method="get">
<label>Search:
<input type="text" name="search" id="search" />
</label>
<input type="submit" value="Go!" />
</form>
');
}

--

Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424
www.raoset.com
japruim@raoset.com

#2 | 11/09/2007, 18:22 | Instruct ICC
Subject: RE: [PHP] SEARCHING for an answer...

>From: Jason Pruim <japruim@raoset.com>
>Here is the relevant code (I think...)
>
>$search = $_GET["search"];
>$self = $_SERVER['PHP_SELF'];
>$qstring = "SELECT * FROM current WHERE FName like '%$qstring%' or LName
>like '%$qstring%' or Add1 like '%$qstring%' or Add2 like '% $qstring%' or
>City like '%$qstring%' or State like '%$qstring%' or Zip like '%$qstring%'
>or XCode like '%qstring%'";


Perhaps you meant
like '%$search%'
instead of
like '%$qstring%' multiple times?

Also read http://en.wikipedia.org/wiki/SQL_injection

#3 | 11/09/2007, 18:34 | Jason Pruim
Subject: Re: [PHP] SEARCHING for an answer...


On Sep 11, 2007, at 1:22 PM, Instruct ICC wrote:

>> From: Jason Pruim <japruim@raoset.com>
>> Here is the relevant code (I think...)
>>
>> $search = $_GET["search"];
>> $self = $_SERVER['PHP_SELF'];
>> $qstring = "SELECT * FROM current WHERE FName like '%$qstring%'
>> or LName like '%$qstring%' or Add1 like '%$qstring%' or Add2 like
>> '% $qstring%' or City like '%$qstring%' or State like '%$qstring%'
>> or Zip like '%$qstring%' or XCode like '%qstring%'";

>
> Perhaps you meant
> like '%$search%'
> instead of
> like '%$qstring%' multiple times?


Actually I did. I need to proofread my code a little bit more when I
copy/paste it from another project...

I fixed that but the problem still remains... When I perform the
search I get redirected from index.php to edit.php and can't see
where that would happen.


>
> Also read http://en.wikipedia.org/wiki/SQL_injection


I have read about SQL injection, and I will be scrubbing the data
before searching, but the search is only available after logging into
the system. No one who isn't logged in can even view the page.



> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

#4 | 11/09/2007, 18:58 | Jay Blanchard
Subject: RE: [PHP] SEARCHING for an answer...

[snip]
I fixed that but the problem still remains... When I perform the
search I get redirected from index.php to edit.php and can't see
where that would happen.
[/snip]

echo $qstring;

$search is not NULL because $search is equal to $_GET["search"]. $search
may be empty though.
#5 | 11/09/2007, 19:10 | Stut
Subject: Re: [PHP] SEARCHING for an answer...

Jason Pruim wrote:
>
> On Sep 11, 2007, at 1:22 PM, Instruct ICC wrote:
>
>> Also read http://en.wikipedia.org/wiki/SQL_injection

>
> I have read about SQL injection, and I will be scrubbing the data before
> searching but the search is only available after logging into the
> system. No one who isn't logged in can even view the page


That couldn't be less relevant. Repeat after me... "Legitimate" users
can be malicious too. All data going into a SQL statement needs to be
escaped unless it's a hard-coded string. No exceptions. Ever.

-Stut

--
http://stut.net/
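Added example, not code from the thread or from Jason's project: the search from the first post written twice, once with the search term interpolated into the SQL text as in the original, and once with the term bound as a parameter, LIKE wildcards escaped, and the empty-input case from Jay's reply handled before any query is run. Python with an in-memory SQLite table stands in for PHP and MySQL; the "current" table, its four columns and the sample rows are constructed here for the example. In PHP the bound-parameter form is what PDO or mysqli prepared statements give you.

```python
import sqlite3

# Constructed sample data standing in for the thread's "current" table.
SAMPLE_ROWS = [
    ("Jason", "Pruim", "Holland", "MI"),
    ("Jane", "Doe", "Chicago", "IL"),
    ("Bob", "Smith", "Detroit", "MI"),
]

# Fixed tuple of column names; this is the only thing that may be
# spliced into the query text with string formatting, because it
# never comes from the request.
SEARCH_COLUMNS = ("FName", "LName", "City", "State")


def make_db():
    """In-memory SQLite database (assumption: stands in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE current (FName TEXT, LName TEXT, City TEXT, State TEXT)"
    )
    conn.executemany("INSERT INTO current VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_interpolated(conn, search):
    """The pattern from the original post: the user's term pasted into the SQL.

    A logged-in user who types  ' OR '1'='1  or simply  %  gets every row.
    """
    clauses = " OR ".join(f"{c} LIKE '%{search}%'" for c in SEARCH_COLUMNS)
    return conn.execute(f"SELECT * FROM current WHERE {clauses}").fetchall()


def escape_like(term, esc="\\"):
    """Escape LIKE metacharacters so a typed '%' or '_' matches literally."""
    return (
        term.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def search_parameterized(conn, search):
    """Hardened form: blank input is not queried, the term is bound, wildcards escaped.

    Returns None for empty input (the caller should render the form instead),
    otherwise the matching rows.
    """
    search = (search or "").strip()
    if not search:
        return None
    pattern = "%" + escape_like(search) + "%"
    clauses = " OR ".join(f"{c} LIKE ? ESCAPE '\\'" for c in SEARCH_COLUMNS)
    params = [pattern] * len(SEARCH_COLUMNS)
    return conn.execute(
        f"SELECT * FROM current WHERE {clauses}", params
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    for term in ("jason", "' OR '1'='1", "%", ""):
        print(repr(term), "interpolated:", len(search_interpolated(db, term)),
              "parameterized:", search_parameterized(db, term))
```

Run as a script it shows the difference directly: "jason" returns one row either way, while the two hostile strings return the whole table through the interpolated query and nothing through the bound one, and blank input never reaches the database at all. The ESCAPE clause matters because a bound parameter stops the term from changing the SQL, but a bare "%" would still turn the LIKE into a match-everything pattern.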
#6 | 11/09/2007, 19:27 | Jason Pruim
Subject: Re: [PHP] SEARCHING for an answer...


On Sep 11, 2007, at 2:10 PM, Stut wrote:

> Jason Pruim wrote:
>> On Sep 11, 2007, at 1:22 PM, Instruct ICC wrote:
>>> Also read http://en.wikipedia.org/wiki/SQL_injection

>> I have read about SQL injection, and I will be scrubbing the data
>> before searching but the search is only available after logging
>> into the system. No one who isn't logged in can even view the page

>
> That couldn't be less relevant. Repeat after me... "Legitimate"
> users can be malicious too. All data going into a SQL statement
> needs to be escaped unless it's a hard-coded string. No exceptions.
> Ever.
>


I see what you are getting at, and I do plan to check the data before
searching the contents of the database, but I was hoping to get one
thing working at a time since I'm still learning all of this.



#7 | 11/09/2007, 19:29 | Jason Pruim
Subject: Re: [PHP] SEARCHING for an answer...


On Sep 11, 2007, at 1:58 PM, Jay Blanchard wrote:

> [snip]
> I fixed that but the problem still remains... When I perform the
> search I get redirected from index.php to edit.php and can't see
> where that would happen.
> [/snip]
>
> echo $qstring;
>
> $search is not NULL because $search is equal to $_GET["search"].
> $search
> may be empty though.
>


echo $qstring; produces: SELECT * FROM current WHERE FName like '%%'
or LName like '%%' or Add1 like '%%' or Add2 like '%%' or City like '%
%' or State like '%%' or Zip like '%%' or XCode like '%%' Which is
correct except for it being empty.

I tried to echo $search, but since it redirects to another page I
lose the value of $search.

Any idea what is causing it to redirect to edit.php?



#8 | 11/09/2007, 19:32 | Jay Blanchard
Subject: RE: [PHP] SEARCHING for an answer...

[snip]
echo $qstring; produces: SELECT * FROM current WHERE FName like '%%'
or LName like '%%' or Add1 like '%%' or Add2 like '%%' or City like '%
%' or State like '%%' or Zip like '%%' or XCode like '%%' Which is
correct except for it being empty.

I tried to echo $search, but since it redirects to another page I
lose the value of $search.

Any idea what is causing it to redirect to edit.php?
[/snip]

I'd have to see the condition check for the redirection.