search help

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
perfect123
Forum Newbie
Posts: 6
Joined: Wed Jul 15, 2009 12:11 pm

search help

Post by perfect123 »

II'm trying to crack this search box but it doesnt seem to work. When I click search, I just seem to get an empty screen,. It should basically display the results from the search to a text box. Below is my code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
<style type="text/css">
<!--
body,td,th {
font-size: 10px;
}
-->
</style>

<?
$myServer = '**';
$myUser = '****';
$myPass = '****';
$myDB = '****';
$SpecRef = $_POST['query'];
print ("$SpecRef");



//connection to the database
$dbhandle = mssql_connect($myServer, $myUser, $myPass)
or die("Couldn't connect to SQL Server on $myServer");



//select a database to work with
$selected = mssql_select_db($myDB, $dbhandle)
or die("Couldn't open database $myDB");
//error message (not found message)begins
$XX = "No Matches Found";
//query details table begins
$query = ("SELECT * FROM dbo.DesignControl WHERE Spec_Ref LIKE'$SpecRef%' ");
// $query = ("SELECT * FROM dbo.DesignProcess");

print(' is what you searched for:');


//execute the SQL query and return records
$result = mssql_query($query);

$numRows = mssql_num_rows($result);
echo "<h1>" . $numRows . " Record" . ($numRows == 1 ? "" : "s") . " Found </h1>";

//display the results
while($row = mssql_fetch_array($result)){

$SpecRef = $row["Spec_Ref"] . "\n";
$PrePressDate = $row["Pre_Press_Date"] . "\n";
$JobDescription = $row["Job_Description"] . "\n";
$ReproHouseDesignAgency = $row["Repro_House_Design_Agency"] . "\n";
$EndUserFamily = $row["End_User_Family"] . "\n";
$XRef = $row["X_Ref"] . "\n";
$CustRef= $row["Cust_Ref"] . "\n";
}
echo "<form>";
echo "<input type='text' value = '$SpecRef'>" ;
echo "</form>";
echo "<textarea>$PrePressDate</textarea>";
echo "<textarea>$JobDescription</textarea>";
echo "<textarea>$ReproHouseDesignAgency</textarea>";
echo "<textarea>$EndUserFamily</textarea>";
echo "<textarea>$XRef</textarea>";
echo "<textarea>$CustRef</textarea>";
//close the connection
mssql_close($dbhandle);
//display the results
while($row = mssql_fetch_array($result))
{
echo "<li>" . $row["Spec_Ref"] . "</li>";
}
//close the connection
mssql_close($dbhandle);

//textareaContent = "";

//while ($row = @mysql_fetch_array($query))
//{
//$var1=$row["Player"];
//$var2=$row["Avg"];
//$var3=$row["HR"];
//$var4=$row["RBI"];

$textareaContent .= "Spec Ref: $var1 Avg: $var2 HR: $var3 RBI $var4 <br/>";
//}

//if (!isset($var1) || $var1=="") {
//echo $XX;
//}

// begin to show results set
//echo "Results";
$count = 1 + $s ;




$count++ ;




?>
<body>
<form id="form1" name="form1" method="post" action="search.php">
<p>

<label> </label>
Pre Press Date 1 2 3
<span class="searchform">
<td bgcolor="#FFFFCC"><? echo $row['Spec_Ref']; // Show record's ID ?> </td>
<input name="name_<? echo $row['Pre_Press_Date']; ?>" type="text" id="name_<? echo $row['Pre_Press_Date']; ?>" value="<? echo $row['Pre_Press_Date']; ?>" />
</span> Job Description
<label for="textfield2"></label>
<span class="searchform">
<input name="name_<? echo $row['Spec_Ref']; ?>" type="text" id="name_<? echo $row['Job_Description']; ?>" value="<? echo $row['Job_Description']; ?>" />
</span> Spec Ref
<label for="textfield3"></label>
<span class="searchform">
<form action="Pre-press_test.php" method="get">
<input type="text" name="SpecRef" id="SpecRef" size="40" value="" action="Pre-press_test.php" columns="2" autocomplete="off" delay="1500" />
<input type="submit" value="Search">
<input type="hidden" name="search" value="1">
</form>
Repro House/design agency<span class="searchform">
<input name="name_<? echo $row['Spec_Ref']; ?>" type="text" id="name_<? echo $row['Repro_House_Design_Agency']; ?>" value="<? echo $row['Repro_House_Design_Agency']; ?>" />
</span>End User Family
<span class="searchform">
<input name="name_<? echo $row['Spec_Ref']; ?>" type="text" id="name_<? echo $row['End_User_Family']; ?>" value="<? echo $row['End_User_Family']; ?>" />
</span>
<label for="textfield5"></label>

X Ref
<label for="textfield6"></label>
<span class="searchform">
<input name="name_<? echo $row['Spec_Ref']; ?>" type="text" id="name_<? echo $row['X_Ref']; ?>" value="<? echo $row['X_Ref']; ?>" />
</span> Cust Ref:
<label for="textfield7"></label>
<span class="searchform">
<input name="name_<? echo $row['Spec_Ref']; ?> type="text" id="name_<? echo $row['Cust_Ref']; ?>" value="<? echo $row['Cust_Ref']; ?>" />
<input type="submit" name="Submit" value="Update" />
</form>

</p>
<p>New Flash
<input type="checkbox" name="checkbox5" id="checkbox5" />
Promotion
<input type="checkbox" name="checkbox6" id="checkbox6" />
Price Flash
<input type="checkbox" name="checkbox7" id="checkbox7" />
<input name="textfield7" type="text" id="textfield7" size="10" />
</p>
<p>New
<input type="checkbox" name="checkbox" id="checkbox" />
NBOS
<input type="checkbox" name="checkbox2" id="checkbox2" />
NBOR Supercession
<input type="checkbox" name="checkbox3" id="checkbox3" />
QA
<input type="checkbox" name="checkbox4" id="checkbox4" />

<div>
<form action="search.php" method="get">
<input type="text" name="query" id="query" size="40" value="" action="search.php" columns="2" autocomplete="off" delay="1500" />
<input type="submit" value="Search">
<input type="hidden" name="search" value="1">
</form>


</p>

</body>
</html>
User avatar
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: search help

Post by jackpf »

Please use

Code: Select all

tags when posting...code.

Anyway, have you got errors turned on?
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: search help

Post by Mordred »

Go read about SQL injection.
User avatar
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: search help

Post by jackpf »

Could have magic quotes turned on........

But yeah.
Post Reply