simply search script

mhouldridge
Forum Contributor
Posts: 267
Joined: Wed Jan 26, 2005 5:13 am

Post by mhouldridge »

Hi,

I have a search form on my main page where the user can insert some text and then select a table to search in. The problem is that the search brings up every record in the database. It worked before I inserted the list menu to choose a table to search in.

Here is the code for the form:


<form action="search.php" method="post" name="search" id="search" style="display:inline">
            <img src="search.gif" width="11" height="21">
            <input type="text" name="search" size=25 maxlength=25>
            <select name="selection" id="selection">
            <option>asset</option>
            <option>customer</option>
            </select>
<input type="Submit" name="Submit" value="Search">
</form>


and here is the search.php code....

<?
mysql_connect("localhost","giacom-admin","snooker"); 
	
mysql_select_db("audit"); 

$search=$_POST["search"];
$selection=$_POST["search"];

$result = mysql_query("SELECT * FROM dedicated WHERE '%$selection%' LIKE '%$search%'");

while($r=mysql_fetch_array($result))
{	
  
   $asset=$r["asset"];
   $title=$r["title"];
   $customer=$r["customer"];
   $type=$r["type"];
   $IP=$r["IP"];
   $os=$r["os"];
   
   echo "$asset <br> $title <br> $customer <br> $type <br> $IP <br> $os <br>";
}
?>


Please help


feyd | please use the formatting we provide
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Your code was written with register_globals assumed on, when they likely aren't, and shouldn't be.

Please choose topics to threads wisely. The dashes and "please help" stuff is not how to get us to help faster. We help everyone at the same general speed, if we can. Personally, there is almost nothing that a topic can say that'd make me read it earlier than any other thread.
mhouldridge
Forum Contributor
Posts: 267
Joined: Wed Jan 26, 2005 5:13 am

Post by mhouldridge »

Sorry about that!

Any ideas about my question?

thanks,
Mark
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Re-read my post.
mhouldridge
Forum Contributor
Posts: 267
Joined: Wed Jan 26, 2005 5:13 am

Post by mhouldridge »

Sorry, I don't understand your first reply. I am an absolute noob.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

$search and $selection are both empty because they do not exist. $_POST['search'] and $_POST['selection'] do, however.

It's very important to sanitize the information coming in from the user, as SQL injection is very possible here.

By the way, your where clause checks a string if it's like another string, not a column reference. You may need to translate the information about $selection when it comes in so that it has the proper name, as I think your code will give the index in most browsers. At any rate, you need to verify that $selection is one of the marks you expect.
mhouldridge
Forum Contributor
Posts: 267
Joined: Wed Jan 26, 2005 5:13 am

Post by mhouldridge »

Hi,

Ok, I kinda get that. The $search worked before I inserted an extra $selection option.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana


Post by s.dot »

First off

Change this:

$search=$_POST["search"]; 
$selection=$_POST["search"];

To:

$search=$_POST["search"];
$selection = $_POST["selection"];
Then your SQL query doesn't include the selection properly. Do this:


$result = mysql_query("SELECT * FROM dedicated WHERE selection LIKE '%$selection%' AND search LIKE '%$search%'");
I think this should work now. Providing you have the column 'selection' set up in your database.

But, I would do some checks and as feyd said sanitize your information before passing it along to an SQL query.

Do this:


if(!$_POST['selection']){ echo "You did not select your selection"; } // Only use this line if you want to ensure they make a selection
if(!$_POST['search']){ echo "You did not submit any search criteria"; } // Only use this line if you want to ensure that they entered search criteria.

// clean up information for safe passing to database

$search = mysql_real_escape_string(strip_tags($_POST['search']));
$selection = mysql_real_escape_string(strip_tags($_POST['selection']));

/* Note, sanitizing the selection field may not be mandatory because it's coming from a select box, but is always encouraged because someone could submit information via the URL.  And only use mysql_real_escape_string if you're using a MySQL database. */
mhouldridge
Forum Contributor
Posts: 267
Joined: Wed Jan 26, 2005 5:13 am

Post by mhouldridge »

Hi,

I do not have a column selection within my table. I have had this working with the following:

$result = mysql_query("SELECT * FROM dedicated WHERE customer LIKE '%$search%'");

I just can't get it going with an added selection
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

$result = mysql_query("SELECT * FROM dedicated WHERE customer LIKE '%$search%'");

would be

$result = mysql_query("SELECT * FROM dedicated WHERE ".$_POST['selection']." LIKE '%$search%'");
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Be very careful about using user supplied data in a database query without modification or filtering (sanitizing it).
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

For example, have an array of acceptable results.

$accepted = array('selection1','selection2');

if (!in_array($_POST['selection'],$accepted))
    exit('hacking attempt!');
Is a start, you can also look at preg_match to detect any Evil Characters like /, (, ), -, \, , , .

Point being, never trust user input.
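The two points the replies above converge on, a fixed list of acceptable column names and no user text inside the SQL string, carried through into a complete search.php. This is an added example, not code from the thread or from any poster; it assumes PDO with the MySQL driver (the DSN, user and password are placeholders), the table and column names the original poster mentions (dedicated; asset, title, customer, type, IP, os), and that the form's <select> submits the option text ("asset" or "customer").

```php
<?php
// Added example (not from the thread): a hardened search.php.
// Assumes PDO with the MySQL driver; DSN and credentials are placeholders.
declare(strict_types=1);

// Map what the <select> submits to a real column name. Anything not in this
// map is rejected, so the client can never choose an arbitrary column.
const SEARCHABLE_COLUMNS = [
    'asset'    => 'asset',
    'customer' => 'customer',
];

// Columns echoed back to the user (from the original poster's script).
const OUTPUT_COLUMNS = ['asset', 'title', 'customer', 'type', 'IP', 'os'];

/**
 * Validate the form input. Returns [column, term] or throws on bad input.
 */
function validateSearchInput(array $post): array
{
    $selection = (string) ($post['selection'] ?? '');
    $search    = trim((string) ($post['search'] ?? ''));

    if (!isset(SEARCHABLE_COLUMNS[$selection])) {
        throw new InvalidArgumentException('Unknown search field');
    }
    // Mirrors maxlength=25 on the form; the server must enforce it too.
    if ($search === '' || strlen($search) > 25) {
        throw new InvalidArgumentException('Search text missing or too long');
    }
    return [SEARCHABLE_COLUMNS[$selection], $search];
}

/**
 * Escape LIKE metacharacters so a user typing "%" or "_" matches those
 * characters literally instead of turning them into wildcards.
 * MySQL's default LIKE escape character is the backslash.
 */
function escapeLikePattern(string $term): string
{
    return strtr($term, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
}

/**
 * Run the search. $column may only come from SEARCHABLE_COLUMNS, so placing
 * it in the SQL text is safe; the search term is bound as a parameter and
 * never becomes part of the SQL string.
 */
function runSearch(PDO $pdo, string $column, string $term): array
{
    $sql  = sprintf(
        'SELECT %s FROM dedicated WHERE `%s` LIKE :pattern',
        implode(', ', OUTPUT_COLUMNS),
        $column
    );
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':pattern' => '%' . escapeLikePattern($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- request handling ---
$pdo = new PDO(
    'mysql:host=localhost;dbname=audit;charset=utf8mb4', // placeholder DSN
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

try {
    [$column, $term] = validateSearchInput($_POST);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit(htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'));
}

foreach (runSearch($pdo, $column, $term) as $row) {
    // Escape on output as well, so stored data cannot inject HTML into the page.
    foreach (OUTPUT_COLUMNS as $field) {
        echo htmlspecialchars((string) $row[$field], ENT_QUOTES, 'UTF-8'), '<br>';
    }
}
```

Because the search term is bound rather than interpolated, the quoting problem that mysql_real_escape_string addresses does not arise for it at all; the only piece that still lands in the SQL text is the column name, and that is taken from the whitelist, never from the request. The in_array check in the post above does the same job; here the whitelist doubles as the translation from form value to column name that feyd mentioned.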