if ($Author == "")   { $Author = '%'; }
if ($Title == "")    { $Title = '%'; }
if ($Language == "") { $Language = '%'; }
if ($KeyWord == "")  { $KeyWord = '%'; }
if ($CatNum == "")   { $CatNum = '%'; }

$result = mysql_query("SELECT * FROM catalogue
    WHERE Title LIKE '%$Title%'
    AND Author LIKE '%$Author%'
    ORDER BY Title ASC, Author", $conn);
$totalrows = mysql_num_rows($result);
if ($row = mysql_fetch_array($result)) {
    do {
        echo "<table bgcolor=#35669A border=0 cellpadding=2 cellspacing=0 style=border-collapse: collapse bordercolor=#111111 width=100%>
            <tr><td align=left width=88% valign=top><b><font face=Verdana size=2 color=#0000FF></font></b></td>
            <td bgcolor=#FFFFFF align=right width=12% valign=top><b>
            <font face=Verdana size=1 color=#008000>code:</font></b>
            <font face=Verdana size=1 color=#111111>{$row['CatNum']}</font>
            </td></tr></table>";
        echo "<table bgcolor=#FFFEEF border=0 cellpadding=2 cellspacing=0 style=border-collapse: collapse bordercolor=#111111 width=674>";
        echo "<tr><td bgcolor=#E1FFFF align=left valign=top width=571>
            <font face=Verdana size=2 color=#800000><b>{$row['Title']},</b></font></td></tr>";
        echo "<tr><td align=left width=410 valign=top>
            <font face=Verdana size=1 color=#0000FF><b>Author</b></font>
            <font face=Verdana size=2 color=#000000>{$row['Author']}</font></td></tr></table>";
    } while ($row = mysql_fetch_array($result));
} else {
    print "Sorry, no records were found!";
}
?>
</td>
</tr>
</table>
</td>
</tr>
</table>
<?php
echo "<table bgcolor=#FFFEEF border=0 cellpadding=1 cellspacing=0 style=border-collapse: collapse bordercolor=#111111 width=100%>
    <tr><td align=left width=70% valign=top><font face=Verdana size=2 color=#FF0000><b>$totalrows</b></font><font face=Verdana size=2 color=#800000> record(s) found!</font></td></tr></table>";
?>
But when I do a word search using the input button of the form, the result prints all the data in the database, not only the one I searched for. Any help please.
Last edited by sirTemplar on Tue Sep 09, 2008 2:19 pm, edited 1 time in total.
Think register_globals. Now think that yours are off. And for good cause too.
Access form post data in the $_POST array. Validate the data to make sure no one is passing bad data to your app. Escape data that is going to hit your database. Always.
Thanks for the replies. Adding $_POST worked. Thanks for the tip Everah, but can you elaborate more on the best way to validate? For example, now when I hit the search button without entering something, I still get all the data from the database printed. How do I avoid this?
What do you mean by "Escape data that is going to hit your database"? Thanks.
In short, never take input passed by the user as clean data. Always check it, make sure it is of the appropriate type of data for the task at hand, then escape it before it hits your database.
$result = mysql_query("SELECT * FROM catalogue
    WHERE Author LIKE mysql_real_escape_string(strip_tags(trim($Author)))
    ORDER BY Title ASC, Author", $conn);
$totalrows = mysql_num_rows($result);
if ($row = mysql_fetch_array($result)) {
The last 2 lines are lines 73 and 75, but I get this now:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in
$strAuthor = mysql_real_escape_string(strip_tags(trim($Author)));
$result = mysql_query("SELECT * FROM catalogue
    WHERE Author LIKE '%$strAuthor%'
    ORDER BY Title ASC, Author", $conn);
$result = mysql_query("SELECT * FROM catalogue
    WHERE Author LIKE '%" . mysql_real_escape_string(strip_tags(trim($Author))) . "%'
    ORDER BY Title ASC, Author", $conn);
You just forgot to use the . operator before using the PHP functions.
Last edited by kryles on Wed Apr 30, 2008 8:00 am, edited 1 time in total.
It seems the search script is "safer" than the original, but my main problem remains: when I click the search button without putting anything in AUTHOR or TITLE on the search form, it still prints (outputs) all the data in the database! What I really want is for the user to type something into the search form, or else they get a message "no search phrase entered". I am still lost on validation. Thanks.
Did you just copy what I wrote or actually change it to fit your needs? I just noticed you spelled it Author and I used author. Same for title, you used Title and I used title.
if ($_POST['Author'] == "" || $_POST['Title'] == "") {
    print "An error has occurred. Author and Title require input";
} else {
    // query and everything else here
}

/* Leave these out until you figure out the first part
if ($Language == "") { $Language = '%'; }
if ($KeyWord == "")  { $KeyWord = '%'; }
if ($CatNum == "")   { $CatNum = '%'; }
*/
Write your code to match this logic:
IF the form is posted
    IF the author field or the title field is NOT EMPTY
        QUERY the database
    ELSE
        PRINT an error message
    END IF
END IF
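The validate-then-escape advice and the logic above, as an added example that is not code from the thread: it uses mysqli prepared statements in place of the thread's mysql_* functions (which were removed in PHP 7), and assumes a catalogue table with CatNum, Title and Author columns and an open mysqli connection in $conn.

```php
<?php
// Added example (not from the thread): "if posted, if author or title not
// empty, query, else error", using mysqli prepared statements as a swap for the
// thread's mysql_* calls. Assumes table `catalogue` (CatNum, Title, Author)
// and an open mysqli connection in $conn.

// Build a LIKE pattern from a user term. Escaping/binding protects the SQL
// string, but not the LIKE wildcards % and _ (a bare "%" would still match
// every row), so those are escaped here; MySQL's default LIKE escape is "\".
function likeTerm(string $term): string
{
    $term = addcslashes(strip_tags(trim($term)), '%_\\');
    return '%' . $term . '%';
}

// Returns null when no search phrase was given, otherwise the matching rows.
function searchCatalogue(mysqli $conn, string $author, string $title): ?array
{
    $author = trim($author);
    $title  = trim($title);
    if ($author === '' && $title === '') {
        return null;
    }
    // Only fields the user filled in become conditions, so an empty field no
    // longer degenerates into LIKE '%%' and matches the whole table.
    $where  = [];
    $params = [];
    if ($author !== '') { $where[] = 'Author LIKE ?'; $params[] = likeTerm($author); }
    if ($title !== '')  { $where[] = 'Title LIKE ?';  $params[] = likeTerm($title); }
    $sql = 'SELECT CatNum, Title, Author FROM catalogue WHERE '
         . implode(' AND ', $where) . ' ORDER BY Title ASC, Author';
    $stmt = $conn->prepare($sql);
    $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $rows = searchCatalogue($conn, $_POST['Author'] ?? '', $_POST['Title'] ?? '');
    if ($rows === null) {
        echo 'No search phrase entered.';
    } elseif ($rows === []) {
        echo 'Sorry, no records were found!';
    } else {
        foreach ($rows as $row) {   // escape on output too, so stored HTML is not rendered
            echo htmlspecialchars($row['CatNum']), ': ', htmlspecialchars($row['Title']),
                 ' by ', htmlspecialchars($row['Author']), "<br>\n";
        }
        echo count($rows), ' record(s) found';
    }
}
```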
$Author = $_POST['Author'];
$strAuthor = mysql_real_escape_string(strip_tags(trim($Author)));
$Title = $_POST['Title'];
$strTitle = mysql_real_escape_string(strip_tags(trim($Title)));
if ($_POST['$strAuthor'] == "" || $_POST['$strTitle'] == "") {
    print "An error has occurred. Author and Title require input";
}
$result = mysql_query("SELECT * FROM catalogue
    WHERE Author LIKE '%$strAuthor%'
    AND Title LIKE '%$strTitle%'
    ORDER BY Title ASC, Author", $conn);
$totalrows = mysql_num_rows($result);
if ($row = mysql_fetch_array($result)) {
    do {
        echo "<table border=0 cellspacing=0 cellpadding=1 width=100% bgcolor=#C0C0C0>
            <tr>
                <td width=100% bgcolor=#cdd8e0>
                    <font face=Verdana size=2 color=#000000>NUMBER:</font>
                    <b><font face=Verdana size=2 color=#800000>{$row['CatNum']}</font></b>
                </td>
            </tr>
            <tr>
                <td><b><font face=Verdana size=2 color=#800000>BOOK TITLE: {$row['Title']}</font></b></td>
            </tr></table>";
        if (isset($row["Author"]) && strcasecmp($row["Author"], "") != 0) {
            echo "<table border=0 cellspacing=0 cellpadding=1 width=100% bgcolor=#C0C0C0>
                <tr>
                    <td><b><font face=Verdana size=2 color=#800000>AUTHOR: {$row['Author']}</font></b></td>
                </tr>
                </table>";
        }
        echo "<p>";
        echo "<p>";
    } while ($row = mysql_fetch_array($result));
} else {
    print "Sorry, no records were found!";
}
?>
It now searches and gives results, but it also prints "An error has occurred. Author and Title require input", and if the search is blank it still prints everything. This is just recycled code; I need more to understand it all.