#1
Hi Everyone

I am attempting to add the ability to search an online database, and I thought that I had the code right, but apparently it's not... Here's the problem: when I type jason in the search box and hit go it brings me to edit.php?search=jason which displays nothing since edit.php is looking for a record number, not a search phrase... The end result I want is that someone could search for "jason" and have it display ONLY the results having "Jason" in them on the same page. Simple right? Well my brain seems to be on vacation!

Here is the relevant code (I think...)

$search = $_GET["search"];
$self = $_SERVER['PHP_SELF'];
$qstring = "SELECT * FROM current WHERE FName like '%$qstring%' or LName like '%$qstring%' or Add1 like '%$qstring%' or Add2 like '%$qstring%' or City like '%$qstring%' or State like '%$qstring%' or Zip like '%$qstring%' or XCode like '%qstring%'";

if ($search != NULL){
	echo "The search string is: <strong>$search</strong>.<BR>";
	$qresult= mysql_query($link, $qstring);
	echo "Query completed";
}
else {
	echo ('
	<form action="'.$self.'" method="get">
	<label>Search:
	<input type="text" name="search" id="search" />
	</label>
	<input type="submit" value="Go!" />
	</form>
	');
}

--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424
www.raoset.com
japruim@raoset.com
#2
>From: Jason Pruim <japruim@raoset.com>
>Here is the relevant code (I think...)
>
>$search = $_GET["search"];
>$self = $_SERVER['PHP_SELF'];
>$qstring = "SELECT * FROM current WHERE FName like '%$qstring%' or LName
>like '%$qstring%' or Add1 like '%$qstring%' or Add2 like '%$qstring%' or
>City like '%$qstring%' or State like '%$qstring%' or Zip like '%$qstring%'
>or XCode like '%qstring%'";

Perhaps you meant
like '%$search%'
instead of
like '%$qstring%' multiple times?

Also read http://en.wikipedia.org/wiki/SQL_injection
#3
On Sep 11, 2007, at 1:22 PM, Instruct ICC wrote:

>> From: Jason Pruim <japruim@raoset.com>
>> Here is the relevant code (I think...)
>>
>> $search = $_GET["search"];
>> $self = $_SERVER['PHP_SELF'];
>> $qstring = "SELECT * FROM current WHERE FName like '%$qstring%'
>> or LName like '%$qstring%' or Add1 like '%$qstring%' or Add2 like
>> '%$qstring%' or City like '%$qstring%' or State like '%$qstring%'
>> or Zip like '%$qstring%' or XCode like '%qstring%'";
>
> Perhaps you meant
> like '%$search%'
> instead of
> like '%$qstring%' multiple times?

Actually I did. Need to proofread my code a little bit more when I copy/paste it from another project... I fixed that but the problem still remains... When I perform the search I get redirected from index.php to edit.php and can't see where that would happen.

> Also read http://en.wikipedia.org/wiki/SQL_injection

I have read about SQL injection, and I will be scrubbing the data before searching but the search is only available after logging into the system. No one who isn't logged in can even view the page

--
Jason Pruim
#4
[snip]
I fixed that but the problem still remains... When I perform the search I get redirected from index.php to edit.php and can't see where that would happen.
[/snip]

echo $qstring;

$search is not NULL because $search is equal to $_GET["search"]. $search may be empty though.
#5
Jason Pruim wrote:
>
> On Sep 11, 2007, at 1:22 PM, Instruct ICC wrote:
>
>> Also read http://en.wikipedia.org/wiki/SQL_injection
>
> I have read about SQL injection, and I will be scrubbing the data before
> searching but the search is only available after logging into the
> system. No one who isn't logged in can even view the page

That couldn't be less relevant. Repeat after me... "Legitimate" users can be malicious too. All data going into a SQL statement needs to be escaped unless it's a hard-coded string. No exceptions. Ever.

-Stut

--
http://stut.net/
#6
On Sep 11, 2007, at 2:10 PM, Stut wrote:

> Jason Pruim wrote:
>> On Sep 11, 2007, at 1:22 PM, Instruct ICC wrote:
>>> Also read http://en.wikipedia.org/wiki/SQL_injection
>> I have read about SQL injection, and I will be scrubbing the data
>> before searching but the search is only available after logging
>> into the system. No one who isn't logged in can even view the page
>
> That couldn't be less relevant. Repeat after me... "Legitimate"
> users can be malicious too. All data going into a SQL statement
> needs to be escaped unless it's a hard-coded string. No exceptions.
> Ever.

I see what you are getting at, and I do plan to check the data before searching the contents of the database, but I was hoping to get one thing working at a time since I'm still learning all of this

> -Stut
>
> --
> http://stut.net/

--
Jason Pruim
#7
On Sep 11, 2007, at 1:58 PM, Jay Blanchard wrote:

> [snip]
> I fixed that but the problem still remains... When I perform the
> search I get redirected from index.php to edit.php and can't see
> where that would happen.
> [/snip]
>
> echo $qstring;
>
> $search is not NULL because $search is equal to $_GET["search"].
> $search may be empty though.

echo $qstring; produces:

SELECT * FROM current WHERE FName like '%%' or LName like '%%' or Add1 like '%%' or Add2 like '%%' or City like '%%' or State like '%%' or Zip like '%%' or XCode like '%%'

Which is correct except for it being empty.

I tried to echo $search, but since it redirects to another page I lose the value of $search.

Any idea what is causing it to redirect to edit.php?

--
Jason Pruim
#8
[snip]
echo $qstring; produces:

SELECT * FROM current WHERE FName like '%%' or LName like '%%' or Add1 like '%%' or Add2 like '%%' or City like '%%' or State like '%%' or Zip like '%%' or XCode like '%%'

Which is correct except for it being empty.

I tried to echo $search, but since it redirects to another page I lose the value of $search.

Any idea what is causing it to redirect to edit.php?
[/snip]

I'd have to see the condition check for the redirection.
#9
On Sep 11, 2007, at 2:32 PM, Jay Blanchard wrote:

> [snip]
> echo $qstring; produces: SELECT * FROM current WHERE FName like '%%'
> or LName like '%%' or Add1 like '%%' or Add2 like '%%' or City like '%%'
> or State like '%%' or Zip like '%%' or XCode like '%%' Which is
> correct except for it being empty.
>
> I tried to echo $search, but since it redirects to another page I
> lose the value of $search.
>
> Any idea what is causing it to redirect to edit.php?
> [/snip]
>
> I'd have to see the condition check for the redirection.

The problem is there's not... At least there's not supposed to be. The end result that I want is for the search results to end up on the same page if possible... edit.php is a script I use for editing records. Maybe I should just do it on a separate page... It might be easier for displaying?

--
Jason Pruim
#10
On 9/11/07, Jason Pruim <japruim@raoset.com> wrote:
> echo $qstring; produces: SELECT * FROM current WHERE FName like '%%'
> or LName like '%%' or Add1 like '%%' or Add2 like '%%' or City like '%%'
> or State like '%%' or Zip like '%%' or XCode like '%%' Which is
> correct except for it being empty.
>
> I tried to echo $search, but since it redirects to another page I
> lose the value of $search.
>
> Any idea what is causing it to redirect to edit.php?

exit(); or die is your friend. Echo what you want and exit() right after. That should effectively dump what you want, and if it doesn't, something is redirecting it way before that point.
#11
[snip]
The problem is there's not... At least there's not supposed to be. The end result that I want is for the search results to end up on the same page if possible... edit.php is a script I use for editing records. Maybe I should just do it on a separate page... It might be easier for displaying?
[/snip]

There is no redirection to edit.php? You're calling PHP_SELF so it should not go anywhere else. Is there any mention of edit.php in the code?
#12
Jason Pruim wrote:
>
> On Sep 11, 2007, at 2:10 PM, Stut wrote:
>
>> Jason Pruim wrote:
>>> On Sep 11, 2007, at 1:22 PM, Instruct ICC wrote:
>>>> Also read http://en.wikipedia.org/wiki/SQL_injection
>>> I have read about SQL injection, and I will be scrubbing the data
>>> before searching but the search is only available after logging into
>>> the system. No one who isn't logged in can even view the page
>>
>> That couldn't be less relevant. Repeat after me... "Legitimate" users
>> can be malicious too. All data going into a SQL statement needs to be
>> escaped unless it's a hard-coded string. No exceptions. Ever.
>>
>
> I see what you are getting at, and I do plan to check the data before
> searching the contents of the database, but I was hoping to get one
> thing working at a time since I'm still learning all of this

Sorry to go on about it, but security is not something you add after you've got it working - that leads to holes. You need to bake security right in from the start.

-Stut
#13
On Sep 11, 2007, at 2:57 PM, Jay Blanchard wrote:

> There is no redirection to edit.php? You're calling PHP_SELF so it
> should not go anywhere else. Is there any mention of edit.php in the
> code?

Correct. PHP_SELF refers to index.php which is the page that the search is happening on. A few lines above that there is a reference to edit.php and here is the code for it:

Sorry for the long cut/paste, but I thought it was important to try and provide it in context, and the line where it says:
<td><a href='edit.php?Record={$row['Record']}'>Edit</a></td>
is the ONLY reference to edit.php in the entire code of that page.

//Display the info using heredoc syntax
echo <<<HTML

<tr>

<td>{$row['FName']}</td>
<td>{$row['LName']}</td>
<td>{$row['Add1']}</td>
<td>{$row['Add2']}</td>
<td>{$row['City']}</td>
<td>{$row['State']}</td>
<td>{$row['Zip']}</td>
<td>{$row['XCode']}</td>
<td>{$row['Record']}</td>
<td><a href='edit.php?Record={$row['Record']}'>Edit</a></td>
<td><a href='delete.php?Record={$row['Record']}'>Delete</a></td>
</tr>

HTML;

}
echo "<div class=\"nav\"><A Href=\"excelexport.php\">Export to Excel</A><BR><A href=\"logout.php\">Logout</A><BR><a href=\"add.shtml\">Add Record</A>";
echo "<P class=\"total\">Total Records: $num_rows</P></div>";

echo "</div></div>";

}
$search = $_GET['search'];
$self = $_SERVER['PHP_SELF'];
$qstring = "SELECT * FROM current WHERE FName like '%$search%' or LName like '%$search%' or Add1 like '%$search%' or Add2 like '%$search%' or City like '%$search%' or State like '%$search%' or Zip like '%$search%' or XCode like '%$search%'";
echo $qstring;

if ($search != NULL){
	echo "The search string is: <strong>$search</strong>.<BR>";
	echo $search;
	$qresult= mysql_query($link, $qstring);
	echo "Query completed";
}
else {
	echo ('
	<form action="'.$self.'" method="get">
	<label>Search:
	<input type="text" name="search" id="search" />
	</label>
	<input type="submit" value="Go!" />
	</form>
	');
}

--
Jason Pruim
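As an added example (not code from the thread or from Jason's project), the search block above rewritten so the term is passed as a bound parameter of a prepared statement instead of being interpolated into the SQL text, with output HTML-escaped; it uses PDO rather than the mysql_* functions, assumes the table and column names from the thread, and uses placeholder DSN credentials.

```php
<?php
// Added example, not Jason's code: the same multi-column search as a
// prepared statement. The SQL text is fixed; the user's term is sent
// separately as a bound value, so it can never change the query's shape.
// DSN, user and password are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// Wrap the term in wildcards and escape LIKE's own metacharacters so a
// user typing "%" or "_" matches those literal characters rather than
// turning the search into "match everything". MySQL's default LIKE
// escape character is the backslash.
function likePattern(string $term): string
{
    $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
    return '%' . $escaped . '%';
}

// Same columns as the thread's query. The column list is hard-coded
// (identifiers cannot be bound), and one positional parameter per
// column is bound to the same pattern.
function searchCurrent(PDO $pdo, string $term): array
{
    $columns = ['FName', 'LName', 'Add1', 'Add2', 'City', 'State', 'Zip', 'XCode'];
    $clauses = [];
    foreach ($columns as $col) {
        $clauses[] = "$col LIKE ?";
    }
    $sql  = 'SELECT * FROM current WHERE ' . implode(' OR ', $clauses);
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array_fill(0, count($columns), likePattern($term)));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// HTML-escape everything echoed back, including PHP_SELF, which is
// derived from the request path and is therefore user-controlled too.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$search = trim($_GET['search'] ?? '');   // no notice when the key is absent
$self   = h($_SERVER['PHP_SELF']);

if ($search === '') {
    echo "<form action=\"$self\" method=\"get\">\n"
       . "<label>Search: <input type=\"text\" name=\"search\" id=\"search\" /></label>\n"
       . "<input type=\"submit\" value=\"Go!\" />\n</form>\n";
} else {
    echo 'The search string is: <strong>' . h($search) . "</strong>.<br>\n";
    echo "<table>\n";
    foreach (searchCurrent($pdo, $search) as $row) {
        echo '<tr>';
        foreach (['FName', 'LName', 'City', 'State', 'Record'] as $col) {
            echo '<td>' . h((string) $row[$col]) . '</td>';
        }
        echo "</tr>\n";
    }
    echo "</table>\n";
}
```

The form and the results are produced by the same script, which is the "same page" behaviour asked for in the first post; the `??` and typed signatures need PHP 7 or later.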
#14
On Sep 11, 2007, at 2:59 PM, Stut wrote:

> Jason Pruim wrote:
>> On Sep 11, 2007, at 2:10 PM, Stut wrote:
>>> Jason Pruim wrote:
>>>> On Sep 11, 2007, at 1:22 PM, Instruct ICC wrote:
>>>>> Also read http://en.wikipedia.org/wiki/SQL_injection
>>>> I have read about SQL injection, and I will be scrubbing the
>>>> data before searching but the search is only available after
>>>> logging into the system. No one who isn't logged in can even
>>>> view the page
>>>
>>> That couldn't be less relevant. Repeat after me... "Legitimate"
>>> users can be malicious too. All data going into a SQL statement
>>> needs to be escaped unless it's a hard-coded string. No
>>> exceptions. Ever.
>>>
>> I see what you are getting at, and I do plan to check the data
>> before searching the contents of the database, but I was hoping to
>> get one thing working at a time since I'm still learning all of
>> this
>
> Sorry to go on about it, but security is not something you add
> after you've got it working - that leads to holes. You need to bake
> security right in from the start.

And thank you for hammering this into me. I'm at the point of developing my programming habits, and secure coding is a good habit to be in. Some would say it is the only habit to be in...

> -Stut
>
> --
> http://stut.net/

--
Jason Pruim
#15
[snip]
Correct. PHP_SELF refers to index.php which is the page that the search is happening on. A few lines above that there is a reference to edit.php and here is the code for it:

Sorry for the long cut/paste, but I thought it was important to try and provide it in context, and the line where it says:
<td><a href='edit.php?Record={$row['Record']}'>Edit</a></td>
is the ONLY reference to edit.php in the entire code of that page.

//Display the info using heredoc syntax
echo <<<HTML

<tr>

<td>{$row['FName']}</td>
<td>{$row['LName']}</td>
<td>{$row['Add1']}</td>
<td>{$row['Add2']}</td>
<td>{$row['City']}</td>
<td>{$row['State']}</td>
<td>{$row['Zip']}</td>
<td>{$row['XCode']}</td>
<td>{$row['Record']}</td>
<td><a href='edit.php?Record={$row['Record']}'>Edit</a></td>
<td><a href='delete.php?Record={$row['Record']}'>Delete</a></td>
</tr>

HTML;

}
echo "<div class=\"nav\"><A Href=\"excelexport.php\">Export to Excel</A><BR><A href=\"logout.php\">Logout</A><BR><a href=\"add.shtml\">Add Record</A>";
echo "<P class=\"total\">Total Records: $num_rows</P></div>";

echo "</div></div>";

}
$search = $_GET['search'];
$self = $_SERVER['PHP_SELF'];
$qstring = "SELECT * FROM current WHERE FName like '%$search%' or LName like '%$search%' or Add1 like '%$search%' or Add2 like '%$search%' or City like '%$search%' or State like '%$search%' or Zip like '%$search%' or XCode like '%$search%'";
echo $qstring;

if ($search != NULL){
	echo "The search string is: <strong>$search</strong>.<BR>";
	echo $search;
	$qresult= mysql_query($link, $qstring);
	echo "Query completed";
}
else {
	echo ('
	<form action="'.$self.'" method="get">
	<label>Search:
	<input type="text" name="search" id="search" />
	</label>
	<input type="submit" value="Go!" />
	</form>
	');
}
[/snip]

Are you getting the output from echo "The search string is: <strong>$search</strong>.<BR>"; or is it redirecting before that? How long is the complete code for the page? You may have to paste all of it or use pastebin.
#16
On Sep 11, 2007, at 3:37 PM, Jay Blanchard wrote:

> [snip]
> Correct. PHP_SELF refers to index.php which is the page that the
> search is happening on. A few lines above that there is a reference
> to edit.php and here is the code for it:
>
> Sorry for the long cut/paste, but I thought it was important to try
> and provide it in context, and the line where it says:
> <td><a href='edit.php?Record={$row['Record']}'>Edit</a></td> is the
> ONLY reference to edit.php in the entire code of that page.
>
>
> //Display the info using heredoc syntax
> echo <<<HTML
>
> <tr>
>
> <td>{$row['FName']}</td>
> <td>{$row['LName']}</td>
> <td>{$row['Add1']}</td>
> <td>{$row['Add2']}</td>
> <td>{$row['City']}</td>
> <td>{$row['State']}</td>
> <td>{$row['Zip']}</td>
> <td>{$row['XCode']}</td>
> <td>{$row['Record']}</td>
> <td><a href='edit.php?Record={$row['Record']}'>Edit</a></td>
> <td><a href='delete.php?Record={$row['Record']}'>Delete</a></td>
> </tr>
>
> HTML;
>
> }
> echo "<div class=\"nav\"><A Href=\"excelexport.php\">Export to Excel</A><BR><A href=\"logout.php\">Logout</A><BR><a href=\"add.shtml\">Add Record</A>";
> echo "<P class=\"total\">Total Records: $num_rows</P></div>";
>
> echo "</div></div>";
>
> }
> $search = $_GET['search'];
> $self = $_SERVER['PHP_SELF'];
> $qstring = "SELECT * FROM current WHERE FName like '%$search%' or LName like '%$search%' or Add1 like '%$search%' or Add2 like '%$search%' or City like '%$search%' or State like '%$search%' or Zip like '%$search%' or XCode like '%$search%'";
> echo $qstring;
>
> if ($search != NULL){
> echo "The search string is: <strong>$search</strong>.<BR>";
> echo $search;
> $qresult= mysql_query($link, $qstring);
> echo "Query completed";
> }
> else {
> echo ('
> <form action="'.$self.'" method="get">
> <label>Search:
> <input type="text" name="search" id="search" />
> </label>
> <input type="submit" value="Go!" />
> </form>
> ');
> }
> [/snip]
>
> Are you getting the output from echo "The search string is:
> <strong>$search</strong>.<BR>"; or is it redirecting before that? How
> long is the complete code for the page? You may have to paste all of it
> or use pastebin

Total length is 293 lines. It redirects before any output of $search is visible.

I put it up as a .txt file at: raoset.com/oldb/index.txt for anyone who wants to see the code... I know it repeats itself, but I couldn't figure out how to get it to log in and stay logged in right without doing that... If anyone has any ideas on that as well... But that is a different issue

--
Jason Pruim
#17
On Sep 11, 2007, at 3:58 PM, Robert Cummings wrote:

> On Tue, 2007-09-11 at 15:42 -0400, Jason Pruim wrote:
>> It redirects before any output of $search is visible.
>> I put it up as a .txt file at: raoset.com/oldb/index.txt for anyone
>> who wants to see the code...
>
> I took a look and now I can't get my eyes to stop bleeding. The horror,
> the horror! Mixed PHP/HTML is yucky

I know it's a bit of a mess now that I'm looking at it... The whole project has been done as a learning experience for me, and I have learned a lot. NOW I just need to figure out how I am going to display the pages (I think use a .php extension and heredoc to serve up the HTML) and go through and convert it all over to a much nicer syntax...

--
Jason Pruim
#18
[snip]
> <td><a href='edit.php?Record={$row['Record']}'>Edit</a></td> is the
> ONLY reference to edit.php in the entire code of that page.
[/snip]

No it isn't. edit.php shows up a couple of times, not the least of which is row 218;

echo "<form method='GET' action='edit.php'>";

Do you know where the closing form tag is for this? Line 288. If you look at your source with the search form in place you will see that it calls edit.php as your action. You left out a closing form tag somewhere.
#19
On Sep 11, 2007, at 3:59 PM, Jay Blanchard wrote:

> [snip]
>> <td><a href='edit.php?Record={$row['Record']}'>Edit</a></td> is the
>> ONLY reference to edit.php in the entire code of that page.
> [/snip]
>
> No it isn't. edit.php shows up a couple of times, not the least of which
> is row 218;
>
> echo "<form method='GET' action='edit.php'>";
>
> Do you know where the closing form tag is for this? Line 288. If you
> look at your source with the search form in place you will see that it
> calls edit.php as your action. You left out a closing form tag
> somewhere.

Son of a Bitch... Soon as I closed that down at line 265 the search now isn't redirecting to edit.php.... Do you debug by hand? Or do you have something that s you to do that? I've been tearing my hair out for hours trying to find that and I couldn't see it...

--
Jason Pruim
#20
[snip]
Son of a Bitch... Soon as I closed that down at line 265 the search now isn't redirecting to edit.php.... Do you debug by hand? Or do you have something that s you to do that? I've been tearing my hair out for hours trying to find that and I couldn't see it...
[/snip]

Debugged by hand. And I never tried to load it in a browser.

1. Searched for edit.php in the file to make sure it appeared nowhere else.
2. When I found the form call I looked for the closing form tag. None found till after your search query. BINGO! Knew that if you viewed the source your opening form tag (subsequent ones get ignored, you must close each form tag first) would have an action of edit.php, not PHP_SELF.

Now, I am old school and your code had reasonable whitespace and indentations...BUT NO COMMENTS! Well some, but not enough...you never explain the logic, just things like // Show your login form here. YOU MUST EXPLAIN THE LOGIC OR YOU WILL HAVE PROBLEMS MAINTAINING THE CODE 2 WEEKS FROM NOW MUCH LESS 2 MONTHS FROM NOW.

So Jason you learned three valuable lessons today.

a. plan your code (use paper and pencil or something like it)
b. always account for security
c. comment properly

Now, here is something you can do for a project; create a file parser that will look for all opening/closing tag pairs. I did not need one in this short code, but had it been longer I might have thrown something like this at it.
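An added example (not code from the thread) of the kind of checker Jay suggests, narrowed to the tag pair that bit Jason: it scans rendered HTML (the view-source output, not the PHP file) for <form> and </form> and reports a form opened while another is still open, plus any form never closed. The sample markup is constructed to reproduce the thread's layout.

```php
<?php
// Added example, not code from the thread: report nested or unclosed
// <form> elements in rendered HTML. Browsers drop a nested <form> start
// tag, so the inner form's fields submit to the OUTER form's action,
// which is exactly why the search went to edit.php instead of PHP_SELF.
function checkForms(string $html): array
{
    $problems = [];
    $open = [];   // stack of [action, line] for forms not yet closed

    // Capture every opening <form ...> and closing </form> tag together
    // with its byte offset, so the line number can be reported.
    preg_match_all('/<(form\b[^>]*|\/form\s*)>/i', $html, $m, PREG_OFFSET_CAPTURE);

    foreach ($m[1] as [$tag, $offset]) {
        $line = substr_count(substr($html, 0, $offset), "\n") + 1;

        if ($tag[0] === '/') {
            if ($open === []) {
                $problems[] = "line $line: </form> with no open form";
            } else {
                array_pop($open);
            }
            continue;
        }

        // Pull the action attribute out of the opening tag (quotes optional).
        $action = preg_match('/\baction\s*=\s*["\']?([^"\'\s>]*)/i', $tag, $a)
            ? $a[1] : '(none)';
        if ($open !== []) {
            [$outerAction, $outerLine] = end($open);
            $problems[] = "line $line: <form action=$action> opened inside the form "
                . "from line $outerLine (action=$outerAction); a browser will submit "
                . "its fields to $outerAction";
        }
        $open[] = [$action, $line];
    }

    foreach ($open as [$action, $line]) {
        $problems[] = "line $line: <form action=$action> never closed";
    }
    return $problems;
}

// Constructed sample mirroring the thread: the record-edit form from
// line 218 is still open when the search form is printed, and the
// stray </form> from line 288 comes after it.
$sample = <<<'HTML'
<form method='GET' action='edit.php'>
<table><tr><td><input type='hidden' name='Record' value='1' /></td></tr></table>
<form action="index.php" method="get">
<label>Search: <input type="text" name="search" id="search" /></label>
<input type="submit" value="Go!" />
</form>
</form>
HTML;

foreach (checkForms($sample) as $problem) {
    echo $problem, "\n";
}
```

Run it against the saved page source (curl or the browser's view-source) rather than index.php itself, since the bug only exists in the markup the script emits.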
#21
Jay Blanchard wrote:
>
> So Jason you learned three valuable lessons today.
>
> a. plan your code (use paper and pencil or something like it)
> b. always account for security
> c. comment properly
>

I'll add two more:

d: Check the source that your script outputs. Send it to the W3C validator (WebDeveloper Firefox extension is one of your bestest ever friends).

e: (my personal opinion) Using echo() to spit out HTML will lead to *much* heartache and gnashing of teeth. Put a closing PHP tag ("?>") in there and let the parser spit out the markup without echo().

either:

-- snip --
while($row = mysql_fetch_assoc($result))
{
?>
<tr>
	<td><?= $row['FName'] ?></td>
	<td><?= $row['LName'] ?></td>
	<td><?= $row['Add1'] ?></td>
	....
<?php
}
-- snip --

or:

-- snip --
while($row = mysql_fetch_assoc($result))
{
?>
<tr>
	<td><?php echo $row['FName'] ?></td>
	<td><?php echo $row['LName'] ?></td>
	<td><?php echo $row['Add1'] ?></td>
	....
<?php
}
-- snip --

or, as I said, use a template system.

brian
#22
On 9/11/07, brian <phplist@subtropolix.org> wrote:
> e: (my personal opinion) Using echo() to spit out HTML will lead to
> *much* heartache and gnashing of teeth. Put a closing PHP tag ("?>") in
> there and let the parser spit out the markup without echo().

I think this is quite the opposite. I prefer echo'ing everything. It allows me to indent the code perfectly in the right nested places. I hate inline php/html mixes.

> or, as i said, use a template system.

A good presentation layer is always a good idea