Page 1 of 2

[SOLVED] search form shows all records

Posted: Sat Apr 26, 2008 5:31 am
by sirTemplar
i would like to have a search form for my books catalogue. i have this on my form

Code:

<form method="post" action="search.php">
  <p style="margin-top: 5; margin-bottom: 0">
    <font face="Verdana" size="2" color="#FFFFFF"><b>Book Title:</b></font>
    <input type="text" name="Title" size="50" maxlength="50" style="font-weight: 700">
  </p>
  <p style="margin-top: 5; margin-bottom: 0">
    <font face="Verdana" size="2" color="#FFFFFF"><b>Book Author:</b></font>
    <input type="text" name="Author" size="50" maxlength="50">
  </p>
  <p><input type="submit" value="Submit" name="B1"> <input type="reset" value="Reset" name="B2"></p>
</form>
 
the action, search.php contains:

Code:

<?php
// search.php as posted. It reads $Author, $Title, ... as plain variables, which
// only works with register_globals on; the replies below deal with that.
if ($Author == "") {
    $Author = '%';
}
if ($Title == "") {
    $Title = '%';
}
if ($Language == "") {
    $Language = '%';
}
if ($KeyWord == "") {
    $KeyWord = '%';
}
if ($CatNum == "") {
    $CatNum = '%';
}

// A second WHERE is a syntax error; the two conditions are joined with AND.
$result = mysql_query("SELECT * FROM catalogue
                       WHERE Title LIKE '%$Title%'
                       AND Author LIKE '%$Author%'
                       ORDER BY Title ASC, Author", $conn);

$totalrows = mysql_num_rows($result);

if ($row = mysql_fetch_array($result)) {
    do {
        echo "<table bgcolor=#35669A border=0 cellpadding=2 cellspacing=0 style='border-collapse: collapse' bordercolor=#111111 width=100%>
        <tr><td align=left width=88% valign=top><b><font face=Verdana size=2 color=#0000FF></font></b></td>
        <td bgcolor=#FFFFFF align=right width=12% valign=top><b>
        <font face=Verdana size=1 color=#008000>code:</font></b>
        <font face=Verdana size=1 color=#111111>{$row['CatNum']}</font>
        </td></tr></table>";

        echo "<table bgcolor=#FFFEEF border=0 cellpadding=2 cellspacing=0 style='border-collapse: collapse' bordercolor=#111111 width=674>";
        echo "<tr><td bgcolor=#E1FFFF align=left valign=top width=571>
        <b><font face=Verdana size=2 color=#800000>{$row['Title']},</font></b></td></tr>";
        echo "<tr><td align=left width=410 valign=top>
        <font face=Verdana size=1 color=#0000FF><b>Author</b></font>
        <font face=Verdana size=2 color=#000000>{$row['Author']}</font></td></tr></table>";
    } while ($row = mysql_fetch_array($result));
} else {
    print "Sorry, no records were found!";
}
?>

</td>
      </tr>
    </table>
    </td>
  </tr>
</table>
<?php
echo "<table bgcolor=#FFFEEF border=0 cellpadding=1 cellspacing=0 style='border-collapse: collapse' bordercolor=#111111 width=100%>
<tr><td align=left width=70% valign=top><font face=Verdana size=2 color=#FF0000><b>$totalrows</b></font><font face=Verdana size=2 color=#800000> record(s) found!</font></td></tr></table>";
?>
 
But when I do a word search using the form's submit button, the result prints all the data in the database, not only the one I searched for. Any help please.

Re: search form shows all records

Posted: Sat Apr 26, 2008 7:18 am
by aceconcepts
You're not retrieving the $_POST variables.

i.e.

You should be setting your variables like this:

Code:

$Author = $_POST['Author'];
 

Re: search form shows all records

Posted: Sat Apr 26, 2008 11:45 am
by RobertGonzalez
Think register_globals. Now think that yours are off. And for good cause too.

Access form post data in the $_POST array. Validate the data to make sure no one is passing bad data to your app. Escape data that is going to hit your database. Always.

Re: search form shows all records

Posted: Mon Apr 28, 2008 7:41 am
by sirTemplar
Thanks for the replies. Adding $_POST worked. Thanks for the tip Everah, but can you elaborate more on the best way to validate? For example, now when I hit the search button without entering anything, I still get all the data from the database printed. How do I avoid this?
What do you mean by "Escape data that is going to hit your database"? Thanks.

Re: search form shows all records

Posted: Mon Apr 28, 2008 11:00 am
by RobertGonzalez
I'd suggest doing some research on XSS, CSRF, etc.

Also, grab a copy of Davey Shafik's Filtering and Escaping cheat sheet and read the article associated with it.

In short, never take input passed by the user as clean data. Always check it, make sure it is of the appropriate type of data for the task at hand then escape it before it hits your database.

Re: search form shows all records

Posted: Mon Apr 28, 2008 11:10 am
by kryles
http://ca.php.net/mysql_real_escape_string

Code:

$author = $_POST['author'];

if (trim($author) != '') {
    $query = "SELECT books FROM booktbl WHERE author = '" . mysql_real_escape_string(strip_tags(trim($author))) . "'";
}
 
 
This is a simplified version of what I usually do.

Re: search form shows all records

Posted: Wed Apr 30, 2008 2:10 am
by sirTemplar
i did this

Code:

 
$result = mysql_query ("SELECT * FROM catalogue 
                        WHERE Author LIKE mysql_real_escape_string(strip_tags(trim($Author)))
                        ORDER BY Title ASC, Author
                       ",$conn);  
 
$totalrows = mysql_num_rows($result);
 
if ($row = mysql_fetch_array($result)) {  
 
The last two lines are lines 73 and 75, but now I get this:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in

lines 73 & 75

Re: search form shows all records

Posted: Wed Apr 30, 2008 3:25 am
by aceconcepts
It's probably more straightforward for you to deal with the variable if you escape it prior to the query.

e.g.

Code:

$strAuthor = mysql_real_escape_string(strip_tags(trim($Author)));

$result = mysql_query("SELECT * FROM catalogue
                       WHERE Author LIKE '%$strAuthor%'
                       ORDER BY Title ASC, Author", $conn);
 

Re: search form shows all records

Posted: Wed Apr 30, 2008 6:01 am
by kryles

Code:

$result = mysql_query("SELECT * FROM catalogue
                       WHERE Author LIKE '%" . mysql_real_escape_string(strip_tags(trim($Author))) . "%'
                       ORDER BY Title ASC, Author", $conn);

You just forgot to use the . operator before using the PHP functions.

Re: search form shows all records

Posted: Wed Apr 30, 2008 7:37 am
by sirTemplar
It seems the search script is "safer" than the original, but my main problem remains: when I click the search button without putting anything in AUTHOR or TITLE on the search form, it still prints (outputs) all the data in the database! What I really want is for the user to type something in the search form, or else they get a message "no search phrase entered". I am still lost on validation. Thanks.

Re: search form shows all records

Posted: Wed Apr 30, 2008 8:02 am
by kryles

Code:

if ($_POST['author'] == "" || $_POST['title'] == "") {
    print "An error has occurred. Author and Title require input";
} else {
    // query and everything else here
}
 

Re: search form shows all records

Posted: Wed Apr 30, 2008 9:05 am
by sirTemplar
still prints all :(

Re: search form shows all records

Posted: Wed Apr 30, 2008 9:27 am
by kryles
Did you just copy what I wrote, or actually change it to fit your needs? I just noticed you spelled it Author and I used author. Same for title: you used Title and I used title.

so it should have been

Code:

if ($_POST['Author'] == "" || $_POST['Title'] == "") {
    print "An error has occurred. Author and Title require input";
} else {
    // query and everything else here
}

/* Leave these out until you figure out the first part
if ($Language == "") {
    $Language = '%';
}

if ($KeyWord == "") {
    $KeyWord = '%';
}

if ($CatNum == "") {
    $CatNum = '%';
}
*/
 

Re: search form shows all records

Posted: Wed Apr 30, 2008 11:20 am
by RobertGonzalez
Write your code to match this logic:

IF the form is posted
    IF the author field or the title field is NOT EMPTY
        QUERY the database
    ELSE
        PRINT an error message
    END IF
END IF

PRINT the form

Re: search form shows all records

Posted: Sat May 03, 2008 2:45 am
by sirTemplar
this is how my code looks:

Code:

<?php
$Author    = $_POST['Author'];
$strAuthor = mysql_real_escape_string(strip_tags(trim($Author)));

$Title    = $_POST['Title'];
$strTitle = mysql_real_escape_string(strip_tags(trim($Title)));

// Note: in single quotes these are the literal keys '$strAuthor' and '$strTitle',
// which never exist in $_POST, so this condition is always true.
if ($_POST['$strAuthor'] == "" || $_POST['$strTitle'] == "") {
    print "An error has occurred. Author and Title require input";
}

// The query runs whether or not the check above printed the error.
$result = mysql_query("SELECT * FROM catalogue
                       WHERE Author LIKE '%$strAuthor%'
                       AND Title LIKE '%$strTitle%'
                       ORDER BY Title ASC, Author", $conn);

$totalrows = mysql_num_rows($result);

if ($row = mysql_fetch_array($result)) {
    do {
        echo "<table border=0 cellspacing=0 cellpadding=1 width=100% bgcolor=#C0C0C0>
            <tr>
                <td width=100% bgcolor=#cdd8e0>
                <font face=Verdana size=2 color=#000000>NUMBER:</font>
                <b><font face=Verdana size=2 color=#800000>{$row['CatNum']}</font></b>
                </td>
            </tr>
            <tr>
                <td><b><font face=Verdana size=2 color=#800000>BOOK TITLE: {$row['Title']}</font></b></td>
            </tr></table>";

        if (isset($row["Author"]) && strcasecmp($row["Author"], "")) {
            echo "<table border=0 cellspacing=0 cellpadding=1 width=100% bgcolor=#C0C0C0>
            <tr>
                <td><b><font face=Verdana size=2 color=#800000>AUTHOR: {$row['Author']}</font></b></td>
            </tr>
        </table>";
        }

        echo "<p>";
        echo "<p>";
    } while ($row = mysql_fetch_array($result));
} else {
    print "Sorry, no records were found!";
}
?>
 
 
It now searches and gives results, but it also prints "An error has occurred. Author and Title require input", and if the search is blank it still prints all. This is just recycled code; I need more to understand it all.
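Editor's note, with an added example that is not code from anyone in this thread. Three things go wrong in the last post: `$_POST['$strAuthor']` in single quotes looks up a key literally named `$strAuthor`, which never exists, so the error message always prints; the query still runs after the error because nothing stops it; and an empty field becomes `LIKE '%%'`, which matches every row, so blank searches print the whole catalogue. Interpolating the values also leaves the query open to SQL injection whenever the escaping is forgotten, and the `mysql_*` functions were removed in PHP 7. The search.php below follows RobertGonzalez's outline (validate, then query, then print) using PDO prepared statements, so the user's text is sent as bound parameters rather than as SQL; it also escapes `%` and `_`, which are wildcards inside LIKE even when the value is bound, and escapes output with htmlspecialchars so a stored title cannot inject script into the result page (the XSS he mentioned). Assumed, and not from the page: the DSN, the database account, the `CATALOGUE_DB_PASS` environment variable, and `!` as the LIKE escape character; the table `catalogue` and its columns CatNum, Title and Author are from the thread.

```php
<?php
// search.php, rewritten as an added example; this is not code from the thread.
// Assumed: PHP 7.1+ with PDO and pdo_mysql, a table `catalogue` with columns
// CatNum, Title and Author (as in the thread), and the connection settings below.
declare(strict_types=1);

$dsn    = 'mysql:host=localhost;dbname=books;charset=utf8mb4'; // assumed values
$dbUser = 'catalogue_ro';                 // a read-only account is enough for a search page
$dbPass = getenv('CATALOGUE_DB_PASS') ?: '';

const MAX_LEN = 50; // same limit as the form's maxlength; the server re-checks it

/** Read one posted text field; anything that is not a plain string counts as empty. */
function field(array $post, string $name): string
{
    $v = $post[$name] ?? null;
    return is_string($v) ? trim($v) : '';
}

/** Validation rule from the thread: at least one of Title/Author must be given. */
function validate_search(array $post): ?string
{
    $title  = field($post, 'Title');
    $author = field($post, 'Author');
    if ($title === '' && $author === '') {
        return 'No search phrase entered.';
    }
    if (strlen($title) > MAX_LEN || strlen($author) > MAX_LEN) {
        return 'Search terms must be ' . MAX_LEN . ' characters or fewer.';
    }
    return null;
}

/**
 * A bound parameter stops quote injection, but % and _ are still LIKE wildcards:
 * a user who types "%" would otherwise match every row. '!' is the escape character
 * declared in the query below (chosen so MySQL's backslash handling never matters).
 */
function escape_like(string $s): string
{
    return strtr($s, ['!' => '!!', '%' => '!%', '_' => '!_']);
}

/** Build the WHERE clause only from the fields that were filled in; values are bound, never interpolated. */
function search_catalogue(PDO $db, string $title, string $author): array
{
    $where  = [];
    $params = [];
    if ($title !== '') {
        $where[]          = "Title LIKE :title ESCAPE '!'";
        $params[':title'] = '%' . escape_like($title) . '%';
    }
    if ($author !== '') {
        $where[]           = "Author LIKE :author ESCAPE '!'";
        $params[':author'] = '%' . escape_like($author) . '%';
    }
    $sql = 'SELECT CatNum, Title, Author FROM catalogue WHERE ' . implode(' AND ', $where)
         . ' ORDER BY Title ASC, Author ASC';
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Escape on the way out as well, so a stored title such as <script>... renders as text. */
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Request handling in the order RobertGonzalez gave: if posted, validate; then query or print the error.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $error = validate_search($_POST);
    if ($error !== null) {
        echo '<p>', h($error), '</p>';
    } else {
        $db = new PDO($dsn, $dbUser, $dbPass, [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
        ]);
        $rows = search_catalogue($db, field($_POST, 'Title'), field($_POST, 'Author'));
        foreach ($rows as $row) {
            echo '<p>NUMBER: ', h($row['CatNum']), ' BOOK TITLE: ', h($row['Title']),
                 ' AUTHOR: ', h($row['Author']), '</p>';
        }
        echo '<p>', count($rows), ' record(s) found.</p>';
    }
}
// The HTML form from the first post would be printed here.
```

Two design points worth noting. The WHERE clause is assembled only from the fields the user actually filled in, so there is never a `LIKE '%%'` condition and a blank form is rejected before any query is built. And `strip_tags()` is deliberately absent: it is not an SQL escaping function, and removing characters from a search term silently changes what the user asked for; the database gets the term as typed, as a parameter, and the browser gets it through htmlspecialchars.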