#9
On Sep 11, 2007, at 2:32 PM, Jay Blanchard wrote:

> [snip]
> echo $qstring; produces: SELECT * FROM current WHERE FName like '%%' or LName like '%%' or Add1 like '%%' or Add2 like '%%' or City like '%%' or State like '%%' or Zip like '%%' or XCode like '%%' Which is correct except for it being empty.
>
> I tried to echo $search, but since it redirects to another page I lose the value of $search.
>
> Any idea what is causing it to redirect to edit.php?
> [/snip]
>
> I'd have to see the condition check for the redirection.

The problem is there's not... At least there's not supposed to be. The end result that I want is for the search results to end up on the same page if possible... edit.php is a script I use for editing records. Maybe I should just do it on a separate page... It might be easier for displaying?

--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424
www.raoset.com
japruim@raoset.com
#10
On 9/11/07, Jason Pruim <japruim@raoset.com> wrote:
> echo $qstring; produces: SELECT * FROM current WHERE FName like '%%' or LName like '%%' or Add1 like '%%' or Add2 like '%%' or City like '%%' or State like '%%' or Zip like '%%' or XCode like '%%' Which is correct except for it being empty.
>
> I tried to echo $search, but since it redirects to another page I lose the value of $search.
>
> Any idea what is causing it to redirect to edit.php?

exit(); or die() is your friend. echo what you want and exit() right after. That should effectively dump what you want, and if it doesn't, something is redirecting it way before that point.
#11
[snip]
The problem is there's not... At least there's not supposed to be. The end result that I want is for the search results to end up on the same page if possible... edit.php is a script I use for editing records. Maybe I should just do it on a separate page... It might be easier for displaying?
[/snip]

There is no redirection to edit.php? You're calling PHP_SELF so it should not go anywhere else. Is there any mention of edit.php in the code?
#12
Jason Pruim wrote:
>
> On Sep 11, 2007, at 2:10 PM, Stut wrote:
>
>> Jason Pruim wrote:
>>> On Sep 11, 2007, at 1:22 PM, Instruct ICC wrote:
>>>> Also read http://en.wikipedia.org/wiki/SQL_injection
>>> I have read about SQL injection, and I will be scrubbing the data before searching, but the search is only available after logging into the system. No one who isn't logged in can even view the page.
>>
>> That couldn't be less relevant. Repeat after me... "Legitimate" users can be malicious too. All data going into a SQL statement needs to be escaped unless it's a hard-coded string. No exceptions. Ever.
>>
> I see what you are getting at, and I do plan to check the data before searching the contents of the database, but I was hoping to get one thing working at a time since I'm still learning all of this.

Sorry to go on about it, but security is not something you add after you've got it working - that leads to holes. You need to bake security right in from the start.

-Stut

--
http://stut.net/
#13
On Sep 11, 2007, at 2:57 PM, Jay Blanchard wrote:
>
> There is no redirection to edit.php? You're calling PHP_SELF so it should not go anywhere else. Is there any mention of edit.php in the code?

Correct. PHP_SELF refers to index.php, which is the page that the search is happening on. A few lines above that there is a reference to edit.php, and here is the code for it:

Sorry for the long cut/paste, but I thought it was important to try and provide it in context, and the line where it says:
<td><a href='edit.php?Record={$row['Record']}'>Edit</a></td>
is the ONLY reference to edit.php in the entire code of that page.

//Display the info using heredoc syntax
echo <<<HTML

<tr>
    <td>{$row['FName']}</td>
    <td>{$row['LName']}</td>
    <td>{$row['Add1']}</td>
    <td>{$row['Add2']}</td>
    <td>{$row['City']}</td>
    <td>{$row['State']}</td>
    <td>{$row['Zip']}</td>
    <td>{$row['XCode']}</td>
    <td>{$row['Record']}</td>
    <td><a href='edit.php?Record={$row['Record']}'>Edit</a></td>
    <td><a href='delete.php?Record={$row['Record']}'>Delete</a></td>
</tr>

HTML;

}
echo "<div class=\"nav\"><A Href=\"excelexport.php\">Export to Excel</A><BR><A href=\"logout.php\">Logout</A><BR><a href=\"add.shtml\">Add Record</A>";
echo "<P class=\"total\">Total Records: $num_rows</P></div>";

echo "</div></div>";

}
$search = $_GET['search'];
$self = $_SERVER['PHP_SELF'];
$qstring = "SELECT * FROM current WHERE FName like '%$search%' or LName like '%$search%' or Add1 like '%$search%' or Add2 like '%$search%' or City like '%$search%' or State like '%$search%' or Zip like '%$search%' or XCode like '%$search%'";
echo $qstring;

if ($search != NULL){
    echo "The search string is: <strong>$search</strong>.<BR>";
    echo $search;
    // mysql_query() takes the query string first and the link second
    $qresult= mysql_query($qstring, $link);
    echo "Query completed";
}
else {
    echo ('
    <form action="'.$self.'" method="get">
        <label>Search:
        <input type="text" name="search" id="search" />
        </label>
        <input type="submit" value="Go!" />
    </form>
    ');
}

--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424
www.raoset.com
japruim@raoset.com
#14
On Sep 11, 2007, at 2:59 PM, Stut wrote:
> Jason Pruim wrote:
>> On Sep 11, 2007, at 2:10 PM, Stut wrote:
>>> Jason Pruim wrote:
>>>> On Sep 11, 2007, at 1:22 PM, Instruct ICC wrote:
>>>>> Also read http://en.wikipedia.org/wiki/SQL_injection
>>>> I have read about SQL injection, and I will be scrubbing the data before searching, but the search is only available after logging into the system. No one who isn't logged in can even view the page.
>>>
>>> That couldn't be less relevant. Repeat after me... "Legitimate" users can be malicious too. All data going into a SQL statement needs to be escaped unless it's a hard-coded string. No exceptions. Ever.
>>>
>> I see what you are getting at, and I do plan to check the data before searching the contents of the database, but I was hoping to get one thing working at a time since I'm still learning all of this.
>
> Sorry to go on about it, but security is not something you add after you've got it working - that leads to holes. You need to bake security right in from the start.
>

And thank you for hammering this into me. I'm at the point of developing my programming habits, and secure coding is a good habit to be in. Some would say it is the only habit to be in...

> -Stut
>
> --
> http://stut.net/
>

--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424
www.raoset.com
japruim@raoset.com
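The search from the index.php posted in #13, rewritten the way Stut's rule requires: the SQL text is fixed and the search term is bound as a parameter, so it is compared, never parsed. This is an added example, not code from the thread or from Jason's page. It assumes PHP 7 or later with the mysqli extension (with mysqlnd, which get_result() needs), the table `current` and the column names from the posted query, and a mysqli connection `$db` opened elsewhere; credentials are not shown.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+ with mysqli/mysqlnd,
// the `current` table and columns from the posted query, and a mysqli
// connection $db opened elsewhere (credentials not shown here).

// Make mysqli throw on errors so a failed prepare() cannot be silently
// ignored the way a false return from mysql_query() was in the posted code.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

const SEARCH_COLUMNS = ['FName', 'LName', 'Add1', 'Add2', 'City', 'State', 'Zip', 'XCode'];

// LIKE treats '%' and '_' as wildcards. Escaping them keeps a search for
// "50%" or "A_1" literal; the backslash is MySQL's default ESCAPE character.
function escapeLikePattern(string $term): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
}

// How the posted code builds its SQL: the raw term is spliced into the
// string. Kept here only to make the difference visible; never run this.
function buildUnsafeQuery(string $search): string
{
    return "SELECT * FROM current WHERE FName like '%$search%' or LName like '%$search%'";
}

// The hardened search: one '?' placeholder per column, the same pattern
// bound to each as a string. The term can change what matches, not the SQL.
function searchCurrent(mysqli $db, string $search): array
{
    $clauses = array_map(function (string $col): string {
        return "`$col` LIKE ?";
    }, SEARCH_COLUMNS);
    $sql = 'SELECT * FROM `current` WHERE ' . implode(' OR ', $clauses);

    $pattern = '%' . escapeLikePattern($search) . '%';
    $params  = array_fill(0, count(SEARCH_COLUMNS), $pattern);

    $stmt = $db->prepare($sql);
    $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Same principle on the way back out: the term is still user data when it
// is echoed into the page, so it is escaped for HTML instead of printed raw.
function renderSearchTerm(string $search): string
{
    return 'The search string is: <strong>'
        . htmlspecialchars($search, ENT_QUOTES, 'UTF-8')
        . '</strong>.<BR>';
}

// An ordinary surname shows why the two differ: in the spliced string the
// apostrophe ends the literal and whatever follows is read as SQL; bound
// as a parameter it is just three more characters to compare against.
$term = "O'Brien";
echo buildUnsafeQuery($term), "\n";
echo renderSearchTerm($term), "\n";
// $rows = searchCurrent($db, $term);   // $db: mysqli connection opened elsewhere
```

The argument-unpacking form `bind_param($types, ...$params)` needs PHP 5.6 or later; on PHP 8.1+ `$stmt->execute($params)` does the same binding in one call. Escaping the LIKE wildcards is a correctness point rather than a security one, but it is the kind of detail that gets forgotten when the pattern is assembled by string concatenation.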
#15
[snip]
Correct. PHP_SELF refers to index.php, which is the page that the search is happening on. A few lines above that there is a reference to edit.php, and here is the code for it:

Sorry for the long cut/paste, but I thought it was important to try and provide it in context, and the line where it says:
<td><a href='edit.php?Record={$row['Record']}'>Edit</a></td>
is the ONLY reference to edit.php in the entire code of that page.

//Display the info using heredoc syntax
echo <<<HTML

<tr>
    <td>{$row['FName']}</td>
    <td>{$row['LName']}</td>
    <td>{$row['Add1']}</td>
    <td>{$row['Add2']}</td>
    <td>{$row['City']}</td>
    <td>{$row['State']}</td>
    <td>{$row['Zip']}</td>
    <td>{$row['XCode']}</td>
    <td>{$row['Record']}</td>
    <td><a href='edit.php?Record={$row['Record']}'>Edit</a></td>
    <td><a href='delete.php?Record={$row['Record']}'>Delete</a></td>
</tr>

HTML;

}
echo "<div class=\"nav\"><A Href=\"excelexport.php\">Export to Excel</A><BR><A href=\"logout.php\">Logout</A><BR><a href=\"add.shtml\">Add Record</A>";
echo "<P class=\"total\">Total Records: $num_rows</P></div>";

echo "</div></div>";

}
$search = $_GET['search'];
$self = $_SERVER['PHP_SELF'];
$qstring = "SELECT * FROM current WHERE FName like '%$search%' or LName like '%$search%' or Add1 like '%$search%' or Add2 like '%$search%' or City like '%$search%' or State like '%$search%' or Zip like '%$search%' or XCode like '%$search%'";
echo $qstring;

if ($search != NULL){
    echo "The search string is: <strong>$search</strong>.<BR>";
    echo $search;
    // mysql_query() takes the query string first and the link second
    $qresult= mysql_query($qstring, $link);
    echo "Query completed";
}
else {
    echo ('
    <form action="'.$self.'" method="get">
        <label>Search:
        <input type="text" name="search" id="search" />
        </label>
        <input type="submit" value="Go!" />
    </form>
    ');
}
[/snip]

Are you getting the output from echo "The search string is: <strong>$search</strong>.<BR>"; or is it redirecting before that? How long is the complete code for the page? You may have to paste all of it or use pastebin.
#16
On Sep 11, 2007, at 3:37 PM, Jay Blanchard wrote:
> [snip]
> Correct. PHP_SELF refers to index.php, which is the page that the search is happening on. A few lines above that there is a reference to edit.php, and here is the code for it:
>
> Sorry for the long cut/paste, but I thought it was important to try and provide it in context, and the line where it says:
> <td><a href='edit.php?Record={$row['Record']}'>Edit</a></td>
> is the ONLY reference to edit.php in the entire code of that page.
>
>
> //Display the info using heredoc syntax
> echo <<<HTML
>
> <tr>
>     <td>{$row['FName']}</td>
>     <td>{$row['LName']}</td>
>     <td>{$row['Add1']}</td>
>     <td>{$row['Add2']}</td>
>     <td>{$row['City']}</td>
>     <td>{$row['State']}</td>
>     <td>{$row['Zip']}</td>
>     <td>{$row['XCode']}</td>
>     <td>{$row['Record']}</td>
>     <td><a href='edit.php?Record={$row['Record']}'>Edit</a></td>
>     <td><a href='delete.php?Record={$row['Record']}'>Delete</a></td>
> </tr>
>
> HTML;
>
> }
> echo "<div class=\"nav\"><A Href=\"excelexport.php\">Export to Excel</A><BR><A href=\"logout.php\">Logout</A><BR><a href=\"add.shtml\">Add Record</A>";
> echo "<P class=\"total\">Total Records: $num_rows</P></div>";
>
> echo "</div></div>";
>
> }
> $search = $_GET['search'];
> $self = $_SERVER['PHP_SELF'];
> $qstring = "SELECT * FROM current WHERE FName like '%$search%' or LName like '%$search%' or Add1 like '%$search%' or Add2 like '%$search%' or City like '%$search%' or State like '%$search%' or Zip like '%$search%' or XCode like '%$search%'";
> echo $qstring;
>
> if ($search != NULL){
>     echo "The search string is: <strong>$search</strong>.<BR>";
>     echo $search;
>     // mysql_query() takes the query string first and the link second
>     $qresult= mysql_query($qstring, $link);
>     echo "Query completed";
> }
> else {
>     echo ('
>     <form action="'.$self.'" method="get">
>         <label>Search:
>         <input type="text" name="search" id="search" />
>         </label>
>         <input type="submit" value="Go!" />
>     </form>
>     ');
> }
> [/snip]
>
> Are you getting the output from echo "The search string is: <strong>$search</strong>.<BR>"; or is it redirecting before that? How long is the complete code for the page? You may have to paste all of it or use pastebin.
>

Total length is 293 lines. It redirects before any output of $search is visible. I put it up as a .txt file at: raoset.com/oldb/index.txt for anyone who wants to see the code... I know it repeats itself, but I couldn't figure out how to get it to log in and stay logged in right without doing that... If anyone has any ideas on that as well... But that is a different issue.

--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424
www.raoset.com
japruim@raoset.com