[SOLVED] My form has errors - any suggestions??
Posted: Tue Aug 23, 2005 8:59 am
by sleazyfrank
Hi all - trial by php fire this - I'm trying to do a simple form that submits to a php page that then conducts a search on my db. For some reason the vars are not being passed across. Any suggestions would be great!
Code:
<FORM method="POST" action="searchCoursesResults.php">
<table width="100%" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="2">
<span class="storyBodyText">Course keyword search:</span> <input name="keywordsearch" type="text" id="keywordsearch" size="40">
</td>
</tr>
</table>
searchCourseResults.php =
Code:
//get keywordsearch
$keywordsearch = $_REQUEST['keywordsearch'];
echo 'keywordsearch = '.$keywordsearch . '<br />';
$keywordsearch = filterAlphanumeric($keywordsearch);
$keywordsearch = filterBadWords($keywordsearch);
keywordsearch keeps coming up blank. I've tried _GET and _POST without effect. The rest of the search code then fails because it has nothing to search on. Thoughts and ideas would be great thanks!
frank
Posted: Tue Aug 23, 2005 9:18 am
by neophyte
Stabbing in the dark:
Try var_dump($_POST); on the second page at the top to see what is coming through.
If you have an if(isset($_POST['submit'])) type statement, make sure the field is named submit.
These kinds of problems are almost always name/label problems, double check everything.
Good luck
Posted: Tue Aug 23, 2005 9:56 am
by sleazyfrank
Many thanks - my data is now passing through from my form; this function was removing my search term:
Code:
function filterBadWords($string){
return preg_replace("/drop|insert|delete|;/", "", $string);
}
$keywordsearch = filterBadWords($keywordsearch);
I've commented this out for now and things are working again.
Now I get an error with my returned dataset - I think there is something wrong with it.
This is the output:
keywordsearch = unix
unix query = SELECT * FROM coursesUnixLinux WHERE CourseTitle LIKE unix
result_unix =
Warning: mysql_numrows(): supplied argument is not a valid MySQL result resource in /files/home1/snt00/searchCoursesResults.php on line 350
and my code:
Code:
$query_unix = "SELECT * FROM coursesUnixLinux WHERE CourseTitle LIKE " . $keywordsearch;
$result_unix;
//connect to database
mysql_connect($host,$username,$password);
@mysql_select_db($database) or die("Unable to select database");
//get results
$result_unix = mysql_query($query_unix);
//debug
echo "result_unix = " . $result_unix;
//close the db
mysql_close();
$num_unix=mysql_numrows($result_unix); // errors on this line
...
Any thoughts or ideas would be great thanks!
frank
Posted: Tue Aug 23, 2005 9:58 am
by feyd
strings must be quoted for mysql to be able to understand them.
Posted: Tue Aug 23, 2005 11:15 am
by sleazyfrank
Hi - okay had a bit of a rewrite and came up with
Code:
$query_unix = 'SELECT * FROM coursesUnixLinux WHERE CourseTitle LIKE "%' . $keywordsearch . '%"';
Now when I do a search on 'unix' or 'Unix' or even 'UNIX' and I echo out the number of records returned that match - I get num_unix = null. Therefore obviously no matches are being made. Except there are records in the db which have Unix in the CourseTitle. So what gives?
cheers for help so far
frank
Posted: Tue Aug 23, 2005 2:46 pm
by feyd
are you still running mysql_close() before that mysql_num_rows() ?
Posted: Thu Aug 25, 2005 3:59 am
by sleazyfrank
Ummm....yes?
Posted: Thu Aug 25, 2005 4:03 am
by JayBird
sleazyfrank wrote: Ummm....yes?
Well, that's your problem...if you close the connection before you've finished using it, mysql_num_rows ain't gonna work...think about it

Posted: Thu Aug 25, 2005 4:24 am
by sleazyfrank
Hi - okay, I've moved
right to the end of the php code, therefore keeping the db open until the last minute. Perhaps not efficient, but for now it ensures my db is open until I have completely finished with it.
I am still getting:
Search Courses - Results
keywordsearch = unix
unix query = SELECT * FROM coursesUnixLinux WHERE CourseTitle LIKE "unix"
result_unix = Resource id #2
Matching courses: num_unix = null
I assume my query is correct. I can see my keyword is being passed from my form okay; I don't understand what Resource id #2 means though.
thanks
frank
Posted: Thu Aug 25, 2005 4:27 am
by JayBird
Resource id #2 is just the identifier for the query you have just run
Posted: Thu Aug 25, 2005 4:47 am
by sleazyfrank
Hi - hmmmm; okay in pseudo-code, this is what I am doing:
Setup DB vars
Create anti-sql injection functions
_REQUEST keywordsearch var
echo out keywordsearch
run keywordsearch through anti-sql injection function
build query_unix
echo out query_unix
create $result_unix var
connect to db using mysql_connect
get results using $result_unix = mysql_query($query_unix);
echo out result_unix
create $num_unix=mysql_numrows($result_unix);
echo out a table plus initial TR with TD containing headers
if statement - if($num_unix != null){
start a while loop getting fields out of the result and echoing them into the next table row
}
if statement - if($num_unix == null){
echo "num_unix = null";
}
so $num_unix is always coming out null for some reason. Previous experience in using these statements hasn't done this; this is the first time - the only difference between this and previous code is that I am supplying a search term for the query, ie the keywordsearch.
thanks
frank
Posted: Thu Aug 25, 2005 4:52 am
by JayBird
To get the result of the query you need the following
Code:
$result_unix = mysql_query($query_unix);
$result = mysql_fetch_array($result, MYSQL_ASSOC);
//debug
echo "result_unix = " . $result['the_db_field you want to return'];
also, FYI, it is
mysql_num_rows not mysql_numrows
Posted: Thu Aug 25, 2005 5:07 am
by sleazyfrank
Ok, thanks for your help on this btw. I inserted your debug echo and result_unix now = nothing. PHP errored on
$result = mysql_fetch_array($result, MYSQL_ASSOC);
so I changed it to
$result = mysql_fetch_array($result_unix, MYSQL_ASSOC);
The echo is echo "result_unix = " . $result[CourseTitle]. "<br />";
Thanks for the heads up on mysql_num_rows - DW now highlights it in blue - d'oh.
frank
SQL query...
Posted: Thu Aug 25, 2005 8:13 am
by sleazyfrank
Hi all - which of these two queries has the correct syntax?
$query_unix = "SELECT * FROM coursesUnixLinux WHERE CourseTitle LIKE '%" . $keywordsearch . "%'";
$query_unix = 'SELECT * FROM coursesUnixLinux WHERE CourseTitle LIKE "%' . $keywordsearch . '%"';
And why, when I echo out this query, does it keep coming out as
unix query = SELECT * FROM coursesUnixLinux WHERE CourseTitle LIKE '%unix%'
thanks
frank
Posted: Thu Aug 25, 2005 8:24 am
by Sander
The first one is the correct query.
It comes out like that because the variable $keywordsearch contains 'unix'.
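
Added example, not code from any poster in this thread: the same keyword search written with a bound parameter instead of string concatenation plus the `filterBadWords()` blacklist. It assumes PHP with the pdo_sqlite extension and an in-memory table filled with constructed rows; `searchCourses()` and the `!` escape character are choices made for this illustration.

```php
<?php
// Constructed sample data in an in-memory SQLite database (assumption: pdo_sqlite is enabled).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE coursesUnixLinux (CourseTitle TEXT)');
$insert = $db->prepare('INSERT INTO coursesUnixLinux (CourseTitle) VALUES (?)');
$titles = ['Unix Fundamentals', "Admin's Guide to Linux", '100% Shell Scripting', 'Dropbear SSH on unix'];
foreach ($titles as $title) {
    $insert->execute([$title]);
}

// The blacklist from the thread, unchanged. It rewrites legitimate search terms
// that happen to contain a listed word and leaves quote characters untouched.
function filterBadWords($string) {
    return preg_replace("/drop|insert|delete|;/", "", $string);
}

// Hypothetical helper: the keyword never becomes part of the SQL text.
// LIKE wildcards typed by the user are escaped so they match literally.
function searchCourses(PDO $db, string $keyword): array {
    $literal = strtr($keyword, ['!' => '!!', '%' => '!%', '_' => '!_']);
    $stmt = $db->prepare(
        "SELECT CourseTitle FROM coursesUnixLinux WHERE CourseTitle LIKE ? ESCAPE '!'"
    );
    $stmt->execute(['%' . $literal . '%']);   // the driver handles quoting of the bound value
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// A legitimate keyword damaged by the blacklist before it reaches the query.
var_dump(filterBadWords('dropbear'));

// Ordinary keyword, a keyword containing an apostrophe, and one containing a wildcard.
foreach (['unix', "Admin's", '100%'] as $keyword) {
    echo "keywordsearch = $keyword\n";
    print_r(searchCourses($db, $keyword));
}
```

With a bound parameter there are no quotes to get wrong when building the query, and an apostrophe in the search term is treated as data rather than SQL syntax.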