
PHP query from newbie

Options
  • 05-01-2010 3:50pm
    #1
    Registered Users Posts: 101 ✭✭


    Hi,

    I am putting together a basic website but am having trouble getting my form to search the database I have. As far as I can tell the code <?=$PHP_SELF?> does not seem to be looking at the search php script further down, as when I carry out the search I get the screen in the attached doc1. As I am a newbie to this I may be completely wrong but would much appreciate some help.

    Cheers:o


Comments

  • Registered Users Posts: 8,584 ✭✭✭TouchingVirus


    Basicilly wrote: »
    Hi,

    I am putting together a basic website but am having trouble getting my form to search the database I have. As far as I can tell the code <?=$PHP_SELF?> does not seem to be looking at the search php script further down, as when I carry out the search I get the screen in the attached doc1. As I am a newbie to this I may be completely wrong but would much appreciate some help.

    Cheers:o

    Most people don't trust word documents; they are an easy way to spread internet worms and stuff. Instead I suggest you paste your code to this site using [code] tags.

    Code Tags [code] ....code here [/code]. If you've got PHP code you can use [PHP] tags, just like the [code] ones.

    [php]<?php echo "Hello World"; ?>[/php]


    PHP_SELF is not a valid PHP variable. It is an element of the $_SERVER global variable. So instead of $PHP_SELF, use $_SERVER['PHP_SELF']


  • Registered Users Posts: 101 ✭✭Basicilly


    Cheers for the info. Here is the code

    HTML Code

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Untitled Document</title>
    </head>
    <body>
    <h2>Search</h2>
    <table width="250" height="50">
    <form name="search" method="post" action="<?=$PHP_SELF?>">
    Search for: <input type="text" name="find" /> in
    <select name="field">
    <option value="title">Title</option>
    <option value="author">Author</option>
    <option value="publisher">Publisher</option>
    </select>
    <input type="hidden" name="searching" value="yes" />
    <input type="submit" name="search" value="Search" />
    </form>
    </table>

    PHP code

    <?php
    //This is only displayed if they have submitted the form
    if ($searching == "yes")
    {
    echo "<h2>Results</h2><p>";
    //If they did not enter a search term we give them an error
    if ($find == "")
    {
    echo "<p>You forgot to enter a search term";
    exit;
    }
    // Otherwise we connect to our Database
    require ('connect.php');
    // We perform a bit of filtering
    $find = strtoupper($find);
    $find = strip_tags($find);
    $find = trim ($find);
    //Now we search for our search term, in the field the user specified
    $data = mysql_query("SELECT * FROM lib1 WHERE upper($field) LIKE'%$find%'");
    //And we display the results (column names assumed to match the form's search fields)
    while($result = mysql_fetch_array( $data ))
    {
    echo $result['title'];
    echo " ";
    echo $result['author'];
    echo "<br>";
    echo $result['publisher'];
    echo "<br>";
    echo "<br>";
    }
    //This counts the number of results - and if there wasn't any it gives them a little message explaining that
    $anymatches=mysql_num_rows($data);
    if ($anymatches == 0)
    {
    echo "Sorry, but we can not find an entry to match your query<br><br>";
    }
    //And we remind them what they searched for
    echo "<b>Searched For:</b> " .$find;
    }
    ?>


  • Registered Users Posts: 8,584 ✭✭✭TouchingVirus


    Basicilly wrote: »
    Cheers for the info. Here is the code

    Heh, I love that you tried :D Next time put a [code] before the code, and a [/code] after the code to make it appear in a nice little window :D

    <? is shorthand for <?php. Some servers do not have this enabled, so it's best to use <?php all the time if you ask me.

    Secondly, as I mentioned above post-edit, $PHP_SELF isn't a valid variable since it's undeclared. PHP_SELF is an element of the $_SERVER array, so $_SERVER['PHP_SELF'] will access it.

    If you know the name of your page already (e.g. search.php) then why bother to use PHP_SELF?


  • Registered Users Posts: 101 ✭✭Basicilly


    Oops, definitely new to this.:)

    Cheers!! I seem to be getting a little further as I am not getting the error message when I search, but now I am getting nothing (the search page stays open and anything I entered disappears). I have entered the php and the $_SERVER as below. Do you have any suggestions as to why the search is returning nothing?
     
    <?php $_SERVER['PHP_SELF']?>
     
    


  • Registered Users Posts: 8,584 ✭✭✭TouchingVirus


    Here is a simple search page that doesn't search, but does give back to the user whatever they entered into the search box. It should help judging by the code you have above.
    <body>
    <h2>Search</h2>
    <table style="width: 250px; height: 50px;">
    <form name="search" method="post" action="<?php echo $_SERVER['PHP_SELF'] ?>">
    Search Term <input type="text" name="search_term" />
    <input type="hidden" name="searching" value="yes" />
    <input type="submit" name="search" value="Search" />
    </form>
    </table>

    [php]
    <?php
    //This is only displayed if they have submitted the form
    if (isset($_POST['searching']) && $_POST['searching'] == "yes")
    {
    echo "<h2>Results</h2>";

    //If they did not enter a search term we give them an error
    if(empty($_POST['search_term']))
    {
    echo "<p>You forgot to enter a search term</p>";
    exit;
    }
    // Otherwise, just give them back the search term.
    else
    {
    echo "<p>Your search term is :" . $_POST['search_term'] . "</p>";
    exit;
    }
    }
    ?>[/php]


  • Closed Accounts Posts: 18,163 ✭✭✭✭Liam Byrne


    Basicilly wrote: »
    Oops, definitely new to this.:)

    Cheers!! I seem to be getting a little further as I am not getting the error message when I search, but now I am getting nothing (the search page stays open and anything I entered disappears). I have entered the php and the $_SERVER as below. Do you have any suggestions as to why the search is returning nothing?
     
    <?php [b]echo[/b] $_SERVER['PHP_SELF']?>
     
    

    $_SERVER["PHP_SELF"] is just a variable.

    Putting the echo before it will cause it to be output to the browser.

    e.g.

    if the value of $_SERVER["PHP_SELF"] happens to be "search.php", then
    action="<?php $_SERVER["PHP_SELF"]; ?>"
    
    will output
    action=""
    

    while
    action="<?php echo $_SERVER["PHP_SELF"]; ?>"
    

    will output
    action="search.php"
    


  • Registered Users Posts: 68,317 ✭✭✭✭seamus


    <? is shorthand for <?php. Some servers do not have this enabled, so it's best to use <?php all the time if you ask me.
    I always find the short codes to be sloppy, not sure why.

    The XML DTD also starts with <? so it's always safest to use the long tags when coding. It also makes your tags easier to see in the editor.


  • Registered Users Posts: 101 ✭✭Basicilly


    Thanks again. This is really great stuff. All seems to be working except the sql request. Not sure what to put in for upper($field) and if LIKE'%$find%' is correct
     
    ("SELECT * FROM lib1 WHERE upper($field) LIKE '%$find%'"); 
     
    


  • Moderators, Category Moderators, Motoring & Transport Moderators Posts: 21,238 CMod ✭✭✭✭Eoin


    I'm not great with PHP, but shouldn't that be:

    [php]
    ("SELECT * FROM lib1 WHERE upper(" . $field. ") LIKE '%" . $find . "%'");
    [/php]

    Presuming that "field" and "find" are PHP variables?

    Edit - remember to sanitise the variables - otherwise it's ripe for SQL injection.


  • Registered Users Posts: 8,584 ✭✭✭TouchingVirus


    seamus wrote: »
    I always find the short codes to be sloppy, not sure why.

    The XML DTD also starts with <? so it's always safest to use the long tags when coding. It also makes your tags easier to see in the editor.

    Absolutely agree with you. They annoy me so much and to me they appear sloppy and lazy on the part of the coder. Idiosyncrasies and code cleanliness aside, there's nothing as annoying as seeing some server has turned asp style short tags off in their php.ini and it breaks things :D

    OP, $field is the field you wish to search. So if you had a column in the database titled "user" and wanted to search usernames the SQL would be

    SELECT * FROM user_table WHERE username LIKE '%<term>%';

    $_POST holds all data that your form sends to the webserver. It has various elements. Every <input name="myName"> tag in your html code will result in a $_POST['myName'] element being created. So remember to set $find equal to $_POST['find'] and $field equal to $_POST['field']. If you don't then $find and $field will be empty, rendering your SQL useless ;)
    eoin wrote: »
    I'm not great with PHP, but shouldn't that be:

    [php]
    ("SELECT * FROM lib1 WHERE upper(" . $field. ") LIKE '%" . $find . "%'");
    [/php]

    Presuming that "field" and "find" are PHP variables?

    When using double quotes in PHP you can just pop in the $variable and the string parser will greedily grab everything it can to come up with a valid variable name, it'll then expand the variable itself.

    [php]
    $cake = 'Eclair';
    echo "He ate one $cake"; //Produces "He ate one Eclair"
    echo "He ate two $cakes"; // Invalid variable, produces "He ate two"
    echo "He ate two ${cake}s"; //Produces "He ate two Eclairs"
    [/php]

    For readability though, I do it your way :)


  • Registered Users Posts: 101 ✭✭Basicilly


    that's working now. Really appreciate the help.....

    Cheers

    ;););)


  • Registered Users Posts: 8,584 ✭✭✭TouchingVirus


    Basicilly wrote: »
    that's working now. Really appreciate the help.....

    Cheers

    ;););)

    Please, Please, Please do make sure you are sanitising all your variables from $_POST.

    Make sure there are no foreign characters or malformed queries in there.

    For example, if you do no validation/sanitising of your data this can happen

    Search Term: search_term%'; DROP TABLE <table>; --

    Now your SQL will look like this

    SELECT * FROM <table> WHERE <field> LIKE '%search_term%'; DROP TABLE <table>; --%;

    This will select data from the table, discard it and will drop (delete) the table that you were searching. It's very bad to not check for SQL Injection (unescaped characters). Assume your user is bad and knows what they are doing, don't assume it won't happen to you ;)
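    One way to follow this advice and Eoin's earlier note about sanitising, as an added example that is not code from the thread: the OP's search handler rewritten with PDO prepared statements, so the search term above arrives at MySQL as a bound value rather than as SQL text. The whitelist of column names exists because the field name, unlike the term, cannot be bound as a parameter. The table lib1 and the columns title/author/publisher come from the OP's form; the DSN and credentials are placeholders.

```php
<?php
// Added example (not the thread's code): the OP's search handler rewritten with
// PDO prepared statements, so the "%'; DROP TABLE" input above stays a literal.
// lib1 and title/author/publisher come from the OP's form; DSN/credentials are placeholders.
declare(strict_types=1);

// Column names cannot be bound as parameters, so $field is checked against
// the options the form actually offers before it is placed in the SQL text.
const SEARCHABLE_FIELDS = ['title', 'author', 'publisher'];

// Builds the query text and its bound values from the posted form fields.
function buildSearch(array $post): array
{
    $field = (string) ($post['field'] ?? '');
    $find  = trim(strip_tags((string) ($post['find'] ?? '')));
    if ($find === '') {
        throw new InvalidArgumentException('You forgot to enter a search term');
    }
    if (!in_array($field, SEARCHABLE_FIELDS, true)) {
        throw new InvalidArgumentException('Unknown search field');
    }
    // Escape LIKE wildcards so a user-typed "%" or "_" matches literally (MySQL's default escape is "\").
    $pattern = '%' . addcslashes($find, '%_\\') . '%';
    $sql = "SELECT title, author, publisher FROM lib1 WHERE UPPER($field) LIKE UPPER(?)";
    return [$sql, [$pattern]];
}

function runSearch(PDO $db, array $post): array
{
    [$sql, $params] = buildSearch($post);
    $stmt = $db->prepare($sql);   // the term travels as a parameter, never as SQL text
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Page handler: same "searching" flag as the OP's form; every value is HTML-escaped on output.
if (($_POST['searching'] ?? '') === 'yes') {
    try {
        $db = new PDO('mysql:host=localhost;dbname=DB_PLACEHOLDER', 'USER_PLACEHOLDER', 'PASS_PLACEHOLDER',
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
        echo "<h2>Results</h2>";
        foreach (runSearch($db, $_POST) as $row) {
            $cells = array_map(fn ($v) => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8'), $row);
            echo "{$cells['title']} {$cells['author']}<br>{$cells['publisher']}<br><br>";
        }
    } catch (InvalidArgumentException $e) {
        echo '<p>', htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'), '</p>';
    }
}
```

    With the DROP TABLE input above, buildSearch() returns the same SQL text it returns for any other term; only the bound pattern changes, so nothing after the LIKE is ever parsed as a statement.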


  • Registered Users Posts: 101 ✭✭Basicilly


    Cheers

    :D

