
simply search script

Posted: Mon Feb 07, 2005 10:51 am
by mhouldridge
Hi,

I have a search form on my main page in which the user can insert some text and then select a table to search in. The problem is that the search brings up every record in the database. It worked before I inserted the list menu to choose a table to search in.

Here is the code for the form:


<form action="search.php" method="post" name="search" id="search" style="display:inline">
    <img src="search.gif" width="11" height="21" alt="Search">
    <input type="text" name="search" size="25" maxlength="25">
    <select name="selection" id="selection">
        <option>asset</option>
        <option>customer</option>
    </select>
    <input type="submit" name="Submit" value="Search">
</form>


and here is the search.php code:

<?php
mysql_connect("localhost","giacom-admin","snooker");

mysql_select_db("audit");

$search=$_POST["search"];
$selection=$_POST["search"];

$result = mysql_query("SELECT * FROM dedicated WHERE '%$selection%' LIKE '%$search%'");

while($r=mysql_fetch_array($result))
{
   $asset=$r["asset"];
   $title=$r["title"];
   $customer=$r["customer"];
   $type=$r["type"];
   $IP=$r["IP"];
   $os=$r["os"];

   echo "$asset <br> $title <br> $customer <br> $type <br> $IP <br> $os <br>";
}
?>


Please help


feyd | please use the formatting we provide

Posted: Mon Feb 07, 2005 10:54 am
by feyd
your code was written with register_globals assumed on, when they likely aren't, and shouldn't be.

please choose topics to threads wisely. The dashes and "please help" stuff is not how to get us to help faster. We help everyone at the same general speed, if we can. Personally, there is almost nothing that a topic can say that'd make me read it earlier than any other thread.

Posted: Mon Feb 07, 2005 11:16 am
by mhouldridge
Sorry about that!

Any ideas about my question?

thanks,
Mark

Posted: Mon Feb 07, 2005 11:18 am
by feyd
re-read my post.

Posted: Mon Feb 07, 2005 11:20 am
by mhouldridge
Sorry, I don't understand your first reply. I am an absolute noob.

Posted: Mon Feb 07, 2005 11:35 am
by feyd
$search and $selection are both empty because they do not exist. $_POST['search'] and $_POST['selection'] do, however.

it's very important to sanitize the information coming in from the user, as SQL injection is very possible here.

by the way, your where clause checks a string if it's like another string, not a column reference. You may need to translate the information about $selection when it comes in so that it has the proper name, as I think your code will give the index in most browsers. At any rate, you need to verify that $selection is one of the marks you expect.

Posted: Mon Feb 07, 2005 11:36 am
by mhouldridge
Hi,

Ok, I kinda get that. The $search worked before I inserted an extra $selection option.

...

Posted: Mon Feb 07, 2005 4:34 pm
by s.dot
First off

Change this:


$search=$_POST["search"];
$selection=$_POST["search"];
To:


$search=$_POST["search"];
$selection = $_POST["selection"];
Then your SQL query doesn't include the selection properly. Do this:


$result = mysql_query("SELECT * FROM dedicated WHERE selection LIKE '%$selection%' AND search LIKE '%$search%'");
I think this should work now. Providing you have the column 'selection' set up in your database.

But, I would do some checks and as feyd said sanitize your information before passing it along to an SQL query.

Do this:


if(!$_POST['selection']){ echo "You did not select your selection"; } // Only use this line if you want to ensure they make a selection
if(!$_POST['search']){ echo "You did not submit any search criteria"; } // Only use this line if you want to ensure that they entered search criteria.

// clean up information for safe passing to database

$search = mysql_real_escape_string(strip_tags($_POST['search']));
$selection = mysql_real_escape_string(strip_tags($_POST['selection']));

/* Note, sanitizing the selection field may not be mandatory because it's coming from a select box, but is always encouraged because someone could submit information via the URL. And only use mysql_real_escape_string if you're using a MySQL database. */

Posted: Tue Feb 08, 2005 4:00 am
by mhouldridge
Hi,

I do not have a column selection within my table. I have had this working with the following:

$result = mysql_query("SELECT * FROM dedicated WHERE customer LIKE '%$search%'");

I just can't get it going with an added selection.

Posted: Tue Feb 08, 2005 10:30 am
by s.dot


$result = mysql_query("SELECT * FROM dedicated WHERE customer LIKE '%$search%'");
would be


$result = mysql_query("SELECT * FROM dedicated WHERE ".$_POST['selection']." LIKE '%$search%'");

Posted: Tue Feb 08, 2005 10:32 am
by feyd
be very careful about using user supplied data in a database query without modification or filtering (sanitizing it)

Posted: Tue Feb 08, 2005 4:08 pm
by John Cartwright
for example, have an array of acceptable results.


$accepted = array('selection1','selection2');

if (!in_array($_POST['selection'],$accepted))
    exit('hacking attempt!');
That is a start; you can also look at preg_match to detect any evil characters like /, (, ), -, \, , , .

Point being, never trust user input.
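The following is an added example, not code posted in this thread. It pulls together the two fixes feyd, s.dot and John Cartwright describe above: the column name is taken from a fixed whitelist keyed on what the `<select>` submits (so `$_POST['selection']` is never used as an identifier in SQL), and the search term is bound as a prepared-statement parameter with its `%` and `_` wildcards escaped, rather than being pasted into the query string. The table `dedicated` and its columns come from the thread; the database user and password, the `mysqli` (mysqlnd) driver, and PHP 7.4 or later are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. A rewrite of search.php that
// applies the advice above: the column name comes from a fixed whitelist
// (never from the request), and the search term is a bound parameter.
// Table `dedicated` and its columns are from the thread; the database
// user, password and PHP 7.4+/mysqli (mysqlnd) setup are assumptions.

// Map of what the <select> may submit => the real column to search.
// Anything not in this map is rejected, so user input never becomes an
// identifier in the query.
const ALLOWED_COLUMNS = [
    'asset'    => 'asset',
    'customer' => 'customer',
];

// Return the whitelisted column name, or null if the selection is unknown.
function columnForSelection(string $selection): ?string
{
    return ALLOWED_COLUMNS[$selection] ?? null;
}

// Build a LIKE pattern in which '%' and '_' typed by the user match
// literally. '!' is the ESCAPE character used in the query below, so a
// literal '!' in the input is doubled first.
function likePattern(string $term, string $esc = '!'): string
{
    $escaped = str_replace(
        [$esc, '%', '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $term
    );
    return '%' . $escaped . '%';
}

$selection = $_POST['selection'] ?? '';
$search    = $_POST['search'] ?? '';

$column = columnForSelection($selection);
if ($column === null) {
    http_response_code(400);
    exit('Invalid selection.');
}
if ($search === '') {
    http_response_code(400);
    exit('You did not submit any search criteria.');
}

// For contrast, the shape from the thread that must NOT be used:
//   "SELECT * FROM dedicated WHERE " . $_POST['selection'] . " LIKE '%$search%'"
// There a search value of   %' OR '1'='1   returns every row, and the
// unquoted column name lets the client rewrite the rest of the statement.

$db = new mysqli('localhost', 'search_user', 'change-me', 'audit'); // assumed credentials
$db->set_charset('utf8mb4');

// $column can only be a value from ALLOWED_COLUMNS, so quoting it with
// backticks is safe; the LIKE pattern is the single bound parameter.
$sql  = "SELECT asset, title, customer, type, IP, os FROM dedicated "
      . "WHERE `$column` LIKE ? ESCAPE '!'";
$stmt = $db->prepare($sql);
$pattern = likePattern($search);
$stmt->bind_param('s', $pattern);
$stmt->execute();
$result = $stmt->get_result();

// Escape on output too: these values are rendered into HTML.
while ($r = $result->fetch_assoc()) {
    $cells = [$r['asset'], $r['title'], $r['customer'], $r['type'], $r['IP'], $r['os']];
    echo implode(' <br> ', array_map(
        fn($v) => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8'),
        $cells
    )), " <br>\n";
}

$stmt->close();
$db->close();
```

Two points are worth noting. First, escaping with `mysql_real_escape_string` (or binding a parameter) protects the quoting of the string, but it does not neutralise `%` and `_`, which are LIKE wildcards; a user who types `%` alone still matches every row unless the pattern is escaped as `likePattern` does. Second, no escaping function can make a column name safe, because identifiers are not string literals; the only sound fix for `$selection` is the whitelist lookup, exactly as John Cartwright's `in_array` check suggests.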