[SOLVED] search form shows all records


sirTemplar
Forum Commoner
Posts: 65
Joined: Wed Dec 18, 2002 1:57 am

[SOLVED] search form shows all records

Post by sirTemplar »

i would like to have a search form for my books catalogue. i have this on my form

Code:

 
<form method="post" action="search.php">
<font size="2" color="#FFFFFF">Book Title:</font></b><font color="#FFFFFF"><b>&nbsp;&nbsp;&nbsp;&nbsp;
    </b>
  <input name="Title" size="50" maxlength="50" style="font-weight: 700"></font></font></p>
    <p style="margin-top: 5; margin-bottom: 0">&nbsp;</p>
    <p style="margin-top: 5; margin-bottom: 0"><font face="Verdana">
    <b>
  <font size="2" color="#FFFFFF">Book Author:</font></b><font color="#FFFFFF">
  <input type="text" name="Author" size="50" maxlength="50"></font></font></p>
    <p><input type="submit" value="Submit" name="B1"><input type="reset" value="Reset" name="B2"></p>
</form>
 
the action, search.php contains:

Code:

 
if ($Author == "")  
{$Author = '%';}  
 
if ($Title == "")  
{$Title = '%';} 
 
if ($Language == "")  
{$Language = '%';}  
 
if ($KeyWord == "")  
{$KeyWord = '%';} 
 
if ($CatNum == "")  
{$CatNum = '%';}  
 
 
$result = mysql_query ("SELECT * FROM catalogue  
                                  WHERE Title LIKE '%$Title%'
                                  WHERE Author LIKE '%$Author%'
                                  ORDER BY Title ASC, Author
                       ",$conn);  
 
$totalrows = mysql_num_rows($result);
 
if ($row = mysql_fetch_array($result)) {  
 
do {  
    echo "<table bgcolor=#35669A border=0 cellpadding=2 cellspacing=0 style=border-collapse: collapse bordercolor=#111111 width=100%> 
    <tr><td align=left width=88% valign=top><b><font face=Verdana size=2 color=#0000FF></font></b></td> 
    <td bgcolor=#FFFFFF align=right width=12% valign=top><b>
    <font face=Verdana size=1 color=#008000>code:</font></b> 
    <font face=Verdana size=1 color=#111111>{$row['CatNum']}
    </td></font></table>";
 
 
    echo "<table bgcolor=#FFFEEF border=0 cellpadding=2 cellspacing=0 style=border-collapse: collapse bordercolor=#111111 width=674>";
    echo "<tr><td bgcolor=#E1FFFF align=left valign=top width=571><b>
    <font face=Verdana size=2 color=#800000><b>{$row['Title']},</b></font></td>";
     echo "<tr><td align=left width=410 valign=top>
     <font face=Verdana size=1 color=#0000FF><b>Author</b>
     <font face=Verdana size=2 color=#000000>{$row['Author']} <b></font></td></tr></table>";
 
 
} while($row = mysql_fetch_array($result)); 
} else {print "Sorry, no records were found!";}   
?>
 
</td>
      </tr>
    </table>
    </td>
 
  </tr>
 
</table>
<?
echo "<table bgcolor=#FFFEEF border=0 cellpadding=1 cellspacing=0 style=border-collapse: collapse bordercolor=#111111 width=100%> 
<td align=left width=70% valign=top><font face=Verdana size=2 color=#FF0000><b>$totalrows</b></font><font face=Verdana size=2 color=#800000> record(s) found !</font></b></td></table>"; 
?>
 
but when i do a word search on the input button of the form, the result prints all the data on the database not only the one i searched. any help please.
Last edited by sirTemplar on Tue Sep 09, 2008 2:19 pm, edited 1 time in total.
aceconcepts
DevNet Resident
Posts: 1424
Joined: Mon Feb 06, 2006 11:26 am
Location: London

Re: search form shows all records

Post by aceconcepts »

You're not retrieving the $_POST variables.

i.e.

You should be setting your variables like this:

Code:

 
$Author=$_POST['Author'];
 
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Re: search form shows all records

Post by RobertGonzalez »

Think register_globals. Now think that yours are off. And for good cause too.

Access form post data in the $_POST array. Validate the data to make sure no one is passing bad data to your app. Escape data that is going to hit your database. Always.
sirTemplar
Forum Commoner
Posts: 65
Joined: Wed Dec 18, 2002 1:57 am

Re: search form shows all records

Post by sirTemplar »

thanks for the replies. adding $_POST worked. Thanks for the tip Everah, but can you elaborate more the best way to validate? for example now when i hit the search button without putting something, i still get printed all data from the database. how do i avoid this?
What do you mean "Escape data that is going to hit your database"? thanks.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Re: search form shows all records

Post by RobertGonzalez »

I'd suggest doing some research on XSS, CSRF, etc.

Also, grab a copy of Davey Shafik's Filtering and Escaping cheat sheet and read the article associated with it.

In short, never take input passed by the user as clean data. Always check it, make sure it is of the appropriate type of data for the task at hand then escape it before it hits your database.
kryles
Forum Contributor
Posts: 114
Joined: Fri Feb 01, 2008 7:52 am

Re: search form shows all records

Post by kryles »

http://ca.php.net/mysql_real_escape_string

Code:

 
 
$author = $_POST['author'];
 
if(trim($author) != '')
{
$query = "SELECT books FROM booktbl WHERE author = '".mysql_real_escape_string(strip_tags(trim($author)))."'";
}
 
 
this is a simplified way I do it usually.
sirTemplar
Forum Commoner
Posts: 65
Joined: Wed Dec 18, 2002 1:57 am

Re: search form shows all records

Post by sirTemplar »

i did this

Code:

 
$result = mysql_query ("SELECT * FROM catalogue 
                        WHERE Author LIKE mysql_real_escape_string(strip_tags(trim($Author)))
                        ORDER BY Title ASC, Author
                       ",$conn);  
 
$totalrows = mysql_num_rows($result);
 
if ($row = mysql_fetch_array($result)) {  
 
the last 2 lines are lines 73 and 75. but i get this now.
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in

lines 73 & 75
aceconcepts
DevNet Resident
Posts: 1424
Joined: Mon Feb 06, 2006 11:26 am
Location: London

Re: search form shows all records

Post by aceconcepts »

It's probably more straightforward for you to deal with the variable if you escape it prior to the query.

e.g.

Code:

 
$strAuthor=mysql_real_escape_string(strip_tags(trim($Author)));
 
$result = mysql_query ("SELECT * FROM catalogue
                        WHERE Author LIKE '%$strAuthor%'
                        ORDER BY Title ASC, Author
                       ",$conn);  
 
kryles
Forum Contributor
Posts: 114
Joined: Fri Feb 01, 2008 7:52 am

Re: search form shows all records

Post by kryles »

Code:

 
$result = mysql_query ("SELECT * FROM catalogue 
                        WHERE Author LIKE '".mysql_real_escape_string(strip_tags(trim($Author)))."'
                        ORDER BY Title ASC, Author
                       ",$conn);  
 
you just forgot to use the . operator before using the PHP functions
Last edited by kryles on Wed Apr 30, 2008 8:00 am, edited 1 time in total.
sirTemplar
Forum Commoner
Posts: 65
Joined: Wed Dec 18, 2002 1:57 am

Re: search form shows all records

Post by sirTemplar »

it seems the search script is "safer" than the original but then my main problem remains... that is.... when i click the search button without putting anything on AUTHOR or TITLE on the search form, it still prints (output) all the data on the database! what i really want is for the user to type something on the search form or else they get a message "no search phrase entered". i still am lost in validation. thanks
kryles
Forum Contributor
Posts: 114
Joined: Fri Feb 01, 2008 7:52 am

Re: search form shows all records

Post by kryles »

Code:

 
 
if($_POST['author'] == "" || $_POST['title'] == "")
{
print "An error has occured. Author and Title require input";
 
}
else
{
//query and everything else here
}
 
sirTemplar
Forum Commoner
Posts: 65
Joined: Wed Dec 18, 2002 1:57 am

Re: search form shows all records

Post by sirTemplar »

still prints all :(
kryles
Forum Contributor
Posts: 114
Joined: Fri Feb 01, 2008 7:52 am

Re: search form shows all records

Post by kryles »

did you just copy what I wrote or actually change it to fit your needs? I just noticed you spelled it Author and I used author. Same for title, you used Title and I used title.

so it should have been

Code:

 
if($_POST['Author'] == "" || $_POST['Title'] == "")
{
print "An error has occured. Author and Title require input";
 
}
else
{
//query and everything else here
}
 
/* Leave these out until you figure the first part 
 if ($Language == "")  
 {$Language = '%';}  
  
 if ($KeyWord == "")  
 {$KeyWord = '%';}
 
if ($CatNum == "")  
 {$CatNum = '%';}  
*/
 
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Re: search form shows all records

Post by RobertGonzalez »

Write your code to match this logic:

IF the form is posted
    IF the author field or the title field is NOT EMPTY
        QUERY the database
    ELSE
        PRINT an error message
    END IF
END IF

PRINT the form
sirTemplar
Forum Commoner
Posts: 65
Joined: Wed Dec 18, 2002 1:57 am

Re: search form shows all records

Post by sirTemplar »

this is how my code looks:

Code:

 
{$Author = $_POST['Author'];}  
$strAuthor=mysql_real_escape_string(strip_tags(trim($Author)));
 
{$Title = $_POST['Title'];}  
$strTitle=mysql_real_escape_string(strip_tags(trim($Title))); 
 
if($_POST['$strAuthor'] == "" || $_POST['$strTitle'] == "")
{
print "An error has occured. Author and Title require input";
  
} 
 
$result = mysql_query ("SELECT * FROM catalogue
                       WHERE Author LIKE '%$strAuthor%'
                       AND Title LIKE '%$strTitle%'
                       ORDER BY Title ASC, Author
                      ",$conn);  
 
$totalrows = mysql_num_rows($result);
 
if ($row = mysql_fetch_array($result)) {  
 
do {  
    echo "<table border=0 cellspacing=0 cellpadding=1 width=100% bgcolor=#C0C0C0>
            <tr>
                <td width=100% bgcolor=#cdd8e0>
                <font face=Verdana size=2  color=#000000>NUMBER:</font>
                <b><font face=Verdana size=2  color=#800000>{$row['CatNum']}</font></b>
                </td>
            </tr>
    
    
 
                <td><b><font face=Verdana size=2 color=#800000>BOOK TITLE: {$row['Title']}
                </font></b></td>
            </tr></table>";
 
                     if (isset($row["Author"]) && strcasecmp($row["Author"],"")) 
    echo "<table border=0 cellspacing=0 cellpadding=1 width=100% bgcolor=#C0C0C0>
 
                     <tr>
                <td><b><font face=Verdana size=2 color=#800000>AUTHOR: {$row['Author']}
                </font></b></td>
            </tr>
        </table>";
 
 
  echo ("<p>");  
  echo ("<p>");
 
} while($row = mysql_fetch_array($result)); 
} else {print "Sorry, no records were found!";}   
?>
 
 
it now searches and give results but printing also "An error has occured. Author and Title require input" and if the search is blank still prints all. this is just a code recycles. i need more to understand all.
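
The flow RobertGonzalez outlines above (check that a search phrase was entered, then query with escaped input), as an added example that is not part of the original thread. It uses PDO prepared statements in place of the thread's mysql_* calls, which were removed in PHP 7; the in-memory SQLite database, its rows, and the helper names likeLiteral and searchCatalogue are assumptions for illustration.

```php
<?php
// Added example (not code from the thread). Table and column names follow the
// thread; the in-memory SQLite database and its rows are constructed samples.

// Make user text literal inside a LIKE pattern, so a typed "%" cannot match everything.
function likeLiteral(string $s): string {
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $s);
}

// Returns ['error' => string|null, 'rows' => array].
function searchCatalogue(PDO $db, array $post): array {
    $author = trim((string)($post['Author'] ?? ''));
    $title  = trim((string)($post['Title'] ?? ''));
    if ($author === '' && $title === '') {
        return ['error' => 'No search phrase entered', 'rows' => []];
    }
    // Build the WHERE clause only from the fields the user filled in.
    $where = [];
    $args  = [];
    foreach (['Author' => $author, 'Title' => $title] as $col => $val) {
        if ($val !== '') {
            $where[] = "$col LIKE ? ESCAPE '!'";
            $args[]  = '%' . likeLiteral($val) . '%';
        }
    }
    $sql = 'SELECT CatNum, Title, Author FROM catalogue WHERE '
         . implode(' AND ', $where) . ' ORDER BY Title ASC, Author';
    $stmt = $db->prepare($sql);   // values are bound, never concatenated
    $stmt->execute($args);
    return ['error' => null, 'rows' => $stmt->fetchAll(PDO::FETCH_ASSOC)];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE catalogue (CatNum TEXT, Title TEXT, Author TEXT)');
$db->exec("INSERT INTO catalogue VALUES ('A1','Dune','Frank Herbert'), ('B2','Emma','Jane Austen')");

// Constructed submissions: blank form, wildcard only, a name with a quote, a normal search.
foreach ([[], ['Author' => '%'], ['Author' => "O'Brien"], ['Author' => 'austen']] as $post) {
    $r = searchCatalogue($db, $post);
    if ($r['error'] !== null) { echo $r['error'], "\n"; continue; }
    if (!$r['rows']) { echo "Sorry, no records were found!\n"; continue; }
    foreach ($r['rows'] as $row) {   // escape on output as well as on input
        echo htmlspecialchars("{$row['CatNum']}: {$row['Title']}, {$row['Author']}", ENT_QUOTES), "\n";
    }
}
```

Only the last submission returns a row; the blank form gets the error message, and the wildcard-only and quoted inputs are matched as literal text.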