
Do not execute query upon load of page

Posted: Thu Aug 12, 2010 9:52 am
by emilcarlo
Good evening,

I am currently doing a web application which requires pulling data from the database. I am still a novice in the programming industry, and am still seeking help from my colleagues and of course forum sites like phpdn. I have existing code which my friend provided me. I have already made some modifications to the code. I have a problem with the code, though: it executes the database query upon loading of the page. I do understand how the code works; however, I am not able to modify the code to disallow the execution of the query upon loading of the page. Here is the code:

Code:

<?PHP
include("dbconnection.php");

$query = "SELECT * FROM records";

if(isset($_POST["btnSearch"]))

{
		$query .= " WHERE last_name LIKE '%".$_POST["search"]."%' OR first_name LIKE '%".$_POST["search"]."%'OR territory LIKE '%".$_POST["search"]."%'OR job_title LIKE '%".$_POST["search"]."%'OR title LIKE '%".$_POST["search"]."%'OR employer LIKE '%".$_POST["search"]."%' " ;
}

$result = mysql_query($query, $connection) or die(mysql_error());
?>
I do know that this PHP code, the way it is written, is supposed to do that - to select data from my database (this code was provided by a friend). But my requirement for the project is actually to give it a search engine and display the information based on the search query. I already have a search engine together with the code, and it works pretty well. What I must do is to disallow the pulling of data on the first load, and just pull data if the search engine is used.

Here's the whole code:

Code:

<link href="add_client.css" rel="stylesheet" type="text/css">

<?PHP
include("dbconnection.php");

$query = "SELECT * FROM records";

if(isset($_POST["btnSearch"]))

{
		$query .= " WHERE last_name LIKE '%".$_POST["search"]."%' OR first_name LIKE '%".$_POST["search"]."%'OR territory LIKE '%".$_POST["search"]."%'OR job_title LIKE '%".$_POST["search"]."%'OR title LIKE '%".$_POST["search"]."%'OR employer LIKE '%".$_POST["search"]."%' " ;
}

$result = mysql_query($query, $connection) or die(mysql_error());
?>

<table width="760" border="0" align="center" cellpadding="0" cellspacing="0">
  <tr>
    <td><table width="760" border="0" cellpadding="0" cellspacing="0">
      <tr>
        <td width="199" align="center" valign="top"><a href="login.html"><img src="asia.gif" alt="" width="152" height="58" border="0" /></a>        <script type="text/javascript" src="menu.js"></script></td>
        <td width="176" align="right" valign="bottom"><a href="main.php"><img src="Home.jpg" width="104" height="20" border="0"/></a></td>
        <td width="130" align="right" valign="bottom"><img src="View.jpg" width="104" height="20" border="0"/></td>
        <td width="146" align="right" valign="bottom"><a href="add_client.php"><img src="Add.jpg" width="104" height="20" border="0"/></a></td>
        <td width="109" align="right" valign="bottom">&nbsp;</td>
        </tr>

    </table></td>
  </tr>
  <tr>
    <td><table width="760" border="0" cellpadding="0" cellspacing="0">
      <tr>
        <td width="200" height="3"  bgcolor="#1B1C78"><img src="images/topspacerblue.gif" alt="" width="1" height="3" /></td>
        <td width="560"  bgcolor="#0076CC"><img src="images/topspacerlblue.gif" alt="" width="1" height="3" /></td>

      </tr>
    </table></td>

  </tr>
  <tr>
    <td height="553" align="center" valign="top" bgcolor="#F3FAFE"><br />

      <form name="form" action="view_client.php" method="post">
      <table width="351" border="0">
          <tr>
            <td width="137" align="left" valign="middle">SEARCH RECORD:</td>
            <td width="144" align="center" valign="middle"><input type="text" name="search" /></td>
            <td width="56" align="left" valign="middle"><input type="submit" name="btnSearch" value="Search" /></td>
          </tr>
        </table>
        <br />
        <table width="680" border="0" cellpadding="3" cellspacing="1" bordercolor="38619E" >
          <tr>
            <th width="100" align="center" bgcolor="#E0E8F3">Territory</th>
            <th width="110" align="center" bgcolor="#E0E8F3">Employer</th>
            <th width="110" align="center" bgcolor="#E0E8F3">Job Title</th>
            <th width="50" align="center" bgcolor="#E0E8F3">Title</th>
            <th width="110" align="center" bgcolor="#E0E8F3">First Name</th>
            <th width="110" align="center" bgcolor="#E0E8F3">Last Name</th>
            <th width="70" align="center" valign="middle" bgcolor="#E0E8F3">&nbsp;</th>
          </tr>
          <?php
  if($result)
  {
	  for($i=0; $i<mysql_num_rows($result); $i++)
	  {
		  $id = trim(mysql_result($result, $i, "id"));
		  $territory = trim(mysql_result($result, $i, "territory"));
		  $employer = trim(mysql_result($result, $i, "employer"));
		  $job_title = trim(mysql_result($result, $i, "job_title"));
		  $title = trim(mysql_result($result, $i, "title"));
		  $first_name = trim(mysql_result($result, $i, "first_name"));
		  $last_name = trim(mysql_result($result, $i, "last_name"));
				  
		  echo "<tr>";
  		  echo "<td>".$territory."</td>";
		  echo "<td>".$employer."</td>";
		  echo "<td>".$job_title."</td>";
		  echo "<td>".$title."</td>";
		  echo "<td>".$first_name."</td>";
		  echo "<td>".$last_name."</td>";
		  echo "<td><a href='admin_edit.php?id=".$id."'>edit</a> | <a href='admin_delete.php?id=".$id."'>del</a> </td>";
		  echo "</tr>";
	  }
  }
  ?>
        </table>
<br />
   </form>
    <p>&nbsp;</p></td>

  </tr>
  <tr>
    <td height="38"><table width="760" border="0" cellpadding="0" cellspacing="0">
      <tr>
        <td width="200" height="35" align="center"  bgcolor="#1B1C78" class=white><img src="images/topspacerblue.gif" alt="" width="1" height="3" />&nbsp;<a href="disclaimer.html"><font color="#FFFFFF">Legal Disclaimer</font></a> </td>

        <td width="560" align="center"  bgcolor="#0076CC"  class=white><img src="images/topspacerlblue.gif" alt="" width="1" height="3" />&nbsp;Copyright &copy; 2006 - 2010 Limited. All rights reserved.
</td>
      </tr>

    </table></td>
  </tr>
</table>


Immediate response is well appreciated. Thank you very much!

Re: Do not execute query upon load of page

Posted: Thu Aug 12, 2010 10:18 am
by Gargoyle

Code:

$result = false;
if(isset($_POST["btnSearch"]))
{
$query .= " WHERE last_name LIKE '%".$_POST["search"]."%' OR first_name LIKE '%".$_POST["search"]."%'OR territory LIKE '%".$_POST["search"]."%'OR job_title LIKE '%".$_POST["search"]."%'OR title LIKE '%".$_POST["search"]."%'OR employer LIKE '%".$_POST["search"]."%' " ;
$result = mysql_query($query, $connection) or die(mysql_error());
}
Note that you have MySQL injection vulnerabilities all over the place.

Re: Do not execute query upon load of page

Posted: Thu Aug 12, 2010 10:26 am
by yacahuma
But you are running it.

Code:

$query = "SELECT * FROM records";
$result = mysql_query($query, $connection) or die(mysql_error());
If you want to run it only after a click on the button, you have to move your query inside the if. Right now it is outside, so it is always executed.

Re: Do not execute query upon load of page

Posted: Thu Aug 12, 2010 10:27 am
by emilcarlo
Hi Gargoyle,

Thank you for your feedback. I am quite new with programming, ahmm can you kindly explain what you said?
Gargoyle wrote:

Code:

$result = false;
if(isset($_POST["btnSearch"]))
{
$query .= " WHERE last_name LIKE '%".$_POST["search"]."%' OR first_name LIKE '%".$_POST["search"]."%'OR territory LIKE '%".$_POST["search"]."%'OR job_title LIKE '%".$_POST["search"]."%'OR title LIKE '%".$_POST["search"]."%'OR employer LIKE '%".$_POST["search"]."%' " ;
$result = mysql_query($query, $connection) or die(mysql_error());
}
Note that you have MySQL injection vulnerabilities all over the place.

Hi yacahuma,

I tried to put it inside, but it gave me this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE last_name LIKE '%%' OR first_name LIKE '%%'OR territory LIKE '%%'OR job_ti' at line 1

Re: Do not execute query upon load of page

Posted: Thu Aug 12, 2010 11:34 am
by yacahuma
It is because you divided your query.

The query should be:

Code:

$query .= "SELECT * FROM records WHERE last_name LIKE '%".$_POST["search"]."%' OR first_name LIKE '%".$_POST["search"]."%'OR territory LIKE '%".$_POST["search"]."%'OR job_title LIKE '%".$_POST["search"]."%'OR title LIKE '%".$_POST["search"]."%'OR employer LIKE '%".$_POST["search"]."%' " ;

Re: Do not execute query upon load of page

Posted: Thu Aug 12, 2010 11:39 am
by emilcarlo
Hello again xD

I tried what you suggested yacahuma, now I get "Query is empty" message.

Re: Do not execute query upon load of page

Posted: Thu Aug 12, 2010 1:46 pm
by yacahuma
do

Code:

$query = '...'

not
$query .= '...'


Re: Do not execute query upon load of page

Posted: Thu Aug 12, 2010 2:46 pm
by emilcarlo
Yup, I did that. The problem has already been solved, but still, thank you for all the help ^^

Here's the solution :)

Code:

include("dbconnection.php");

$query = "SELECT * FROM records";
$result = array();

if(isset($_POST["btnSearch"]))

{
                $query .= " WHERE last_name LIKE '%".$_POST["search"]."%' OR first_name LIKE '%".$_POST["search"]."%'OR territory LIKE '%".$_POST["search"]."%'OR job_title LIKE '%".$_POST["search"]."%'OR title LIKE '%".$_POST["search"]."%'OR employer LIKE '%".$_POST["search"]."%' " ;

$result = mysql_query($query, $connection) or die(mysql_error());

}
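
Added example (not part of the thread, and not any poster's code): the solution above still concatenates $_POST["search"] into the SQL string, which is the injection problem Gargoyle pointed out. One way to keep the run-only-on-submit behaviour while binding the search term as a parameter, shown with PDO because the mysql_* functions used in the thread were removed in PHP 7. The function name search_records(), the in-memory SQLite database and the sample rows are assumptions made so the example runs stand-alone; the column names are the ones in the thread.

```php
<?php
// Added example, not code from the thread; search_records() and the demo rows are constructed.

function search_records(PDO $db, array $post): array
{
    // Plain page load (form not submitted): no query is run at all.
    if (!isset($post['btnSearch'])) {
        return [];
    }
    // Reject non-string input such as search[]=x.
    $term = $post['search'] ?? '';
    if (!is_string($term)) { return []; }

    // Make "%" and "_" typed by the user match literally; "!" is the
    // escape character named in the ESCAPE clause below.
    $pattern = '%' . preg_replace('/[!%_]/', '!$0', trim($term)) . '%';

    $columns = ['last_name', 'first_name', 'territory',
                'job_title', 'title', 'employer'];
    $where = [];
    foreach ($columns as $col) {            // fixed list, never user input
        $where[] = "$col LIKE ? ESCAPE '!'";
    }
    $sql = 'SELECT id, territory, employer, job_title, title, first_name, last_name'
         . ' FROM records WHERE ' . implode(' OR ', $where);
    // The term travels as a bound parameter, so quotes in it stay data.
    $stmt = $db->prepare($sql);
    $stmt->execute(array_fill(0, count($columns), $pattern));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo: in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, territory TEXT, employer TEXT,'
        . ' job_title TEXT, title TEXT, first_name TEXT, last_name TEXT)');
$db->exec("INSERT INTO records (territory, employer, job_title, title, first_name, last_name)"
        . " VALUES ('North', 'Acme', 'Analyst', 'Ms', 'Ana', 'Cruz'),"
        . " ('South', 'Globex', 'Engineer', 'Mr', 'Ben', 'O''Neil')");

$inputs = [
    [],                                                      // page load
    ['btnSearch' => 'Search', 'search' => "O'Neil"],         // legitimate quote
    ['btnSearch' => 'Search', 'search' => "x' OR '1'='1"],   // injection-shaped text
    ['btnSearch' => 'Search', 'search' => '%'],              // literal wildcard
];
foreach ($inputs as $post) {
    printf("%-15s -> %d row(s)\n", $post['search'] ?? '(page load)', count(search_records($db, $post)));
}
```

On the real page, pass a PDO connection to the MySQL database and $_POST to search_records(). The "!" escape character is used instead of a backslash so the same LIKE clause is valid on both MySQL and SQLite.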