Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

PHP query from newbie

  • 05-01-2010 2:50pm
    #1
    Registered Users, Registered Users 2 Posts: 101 ✭✭


    Hi,

    i am putting together a basic website but am having trouble getting my form to search the database i have. As far as i can tell the code <?=$PHP_SELF?> does not seem to be looking at the search php script further down as when i carry out the search i get the screen in the attached doc1. As i am a newby to this i may be completely wrong but would much appreciate some help.

    Cheers:o


Comments

  • Registered Users, Registered Users 2 Posts: 8,584 ✭✭✭TouchingVirus


    Basicilly wrote: »
    Hi,

    i am putting together a basic website but am having trouble getting my form to search the database i have. As far as i can tell the code <?=$PHP_SELF?> does not seem to be looking at the search php script further down as when i carry out the search i get the screen in the attached doc1. As i am a newby to this i may be completely wrong but would much appreciate some help.

    Cheers:o

    Most people don't trust word documents, they are easy to spread internet worms and stuff. Instead I suggest you paste your code to this site using [code] tags.

    Code Tags [code] ....code here [/code]. If you've got PHP code you can use [PHP] tags, just like the [code] ones.

    [php]<?php echo "Hello World"; ?>[/php]


    PHP_SELF is not a valid PHP variable. It is an element of the $_SERVER global variable. So instead of $PHP_SELF, use $_SERVER


  • Registered Users, Registered Users 2 Posts: 101 ✭✭Basicilly


    Cheers for the info. Here is the code


    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    HTML Code


    <title>Untitled Document</title>
    </head>
    <body>
    <h2>Search</h2>
    <table width 250 height 50;>
    <form name="search" method="post" action="<?=$PHP_SELF?>">
    Seach for: <input type="text" name="find" /> in
    <Select NAME="field">
    <Option VALUE="title">Title</option>
    <Option VALUE="author">Author</option>
    <Option VALUE="publisher">Publisher</option>
    </Select>
    <input type="hidden" name="searching" value="yes" />
    <input type="submit" name="search" value="Search" />
    </form>


    PHP code

    <?php
    //This is only displayed if they have submitted the form
    if ($searching =="yes")
    {
    echo "<h2>Results</h2><p>";
    //If they did not enter a search term we give them an error
    if ($find == "")
    {
    echo "<p>You forgot to enter a search term";
    exit;
    }
    // Otherwise we connect to our Database
    require ('connect.php');
    // We preform a bit of filtering
    $find = strtoupper($find);
    $find = strip_tags($find);
    $find = trim ($find);
    //Now we search for our search term, in the field the user specified
    $data = mysql_query("SELECT * FROM lib1 WHERE upper($field) LIKE'%$find%'");
    //And we display the results
    while($result = mysql_fetch_array( $data ))
    {
    echo $result;
    echo " ";
    echo $result;
    echo "<br>";
    echo $result;
    echo "<br>";
    echo "<br>";
    }
    //This counts the number or results - and if there wasn't any it gives them a little message explaining that
    $anymatches=mysql_num_rows($data);
    if ($anymatches == 0)
    {
    echo "Sorry, but we can not find an entry to match your query<br><br>";
    }
    //And we remind them what they searched for
    echo "<b>Searched For:</b> " .$find;
    }
    ?>


  • Registered Users, Registered Users 2 Posts: 8,584 ✭✭✭TouchingVirus


    Basicilly wrote: »
    Cheers for the info. Here is the code

    Heh, I love that you tried :D Next time put a [code] before the code, and a [/code] after the code to make it appear in a nice little window :D

    <? is shorthand for <?php ..some servers do not have this enabled so it's best to use <?php all the time if you ask me.

    Secondly, as I mentioned above post-edit, $PHP_SELF isn't a valid variable since it's undeclared. PHP_SELF is an element of the $_SERVER array, so $_SERVER will access it.

    If you know the name of your page already (e.g. search.php) then why bother to use PHP_SELF?


  • Registered Users, Registered Users 2 Posts: 101 ✭✭Basicilly


    Oops definately new to this.:)

    Cheers!! I seem to be getting a little further as i am not getting the error message when i search but now i am getting nothing (the search page stays open and anything i entered disappears). I have entered the php and the $_Server as below. Do you have any suggestions as to why the search is returning nothing
     
    <?php $_SERVER['PHP_SELF']?>
     
    


  • Registered Users, Registered Users 2 Posts: 8,584 ✭✭✭TouchingVirus


    Here is a simple search page that doesn't search, but does give back to the user whatever they entered into the search box. It should help judging by the code you have above.
    <body>
    <h2>Search</h2>
    <table style="width: 250px; height: 50px;">
    <form name="search" method="post" action="<?php echo $_SERVER['PHP_SELF'] ?>">
    Seach Term <input type="text" name="search_term" />
    <input type="hidden" name="searching" value="yes" />
    <input type="submit" name="search" value="Search" />
    </form>
    

    [php]
    <?php
    //This is only displayed if they have submitted the form
    if ($_POST =="yes")
    {
    echo "<h2>Results</h2>";

    //If they did not enter a search term we give them an error
    if(empty($_POST))
    {
    echo "<p>You forgot to enter a search term</p>";
    exit;
    }
    // Otherwise, just give them back the search term.
    else
    {
    echo "<p>Your search term is :" . $_POST . "</p>";
    exit;
    }
    }
    ?>[/php]


  • Advertisement
  • Closed Accounts Posts: 18,163 ✭✭✭✭Liam Byrne


    Basicilly wrote: »
    Oops definately new to this.:)

    Cheers!! I seem to be getting a little further as i am not getting the error message when i search but now i am getting nothing (the search page stays open and anything i entered disappears). I have entered the php and the $_Server as below. Do you have any suggestions as to why the search is returning nothing
     
    <?php [b]echo[/b] $_SERVER['PHP_SELF']?>
     
    

    $_SERVER["PHP_SELF"] is just a variable.

    Putting the echo before it will cause it to be output to the browser.

    e.g.

    if the value of $_SERVER["PHP_SELF"] happens to be "search.php", then
    action="<?php $_SERVER["PHP_SELF"]; ?>"
    
    will output
    action=""
    

    while
    action="<?php echo $_SERVER["PHP_SELF"]; ?>"
    

    will output
    action="search.php"
    


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    <? is shorthand for <?php ..some servers do not have this enabled so it's best to use <?php all the time if you ask me.
    I always find the short codes to be sloppy, not sure why.

    The XML DTD also starts with <? so it's always safest to us the long tags when coding. It also makes your tags eaiser to see in the editor.


  • Registered Users, Registered Users 2 Posts: 101 ✭✭Basicilly


    Thanks again. This is really great stuff. All seems to be working except the sql request. Not sure what to put in for upper($field) and if LIKE'%$find%' is correct
     
    ("SELECT * FROM lib1 WHERE upper($field) LIKE '%$find%'"); 
     
    


  • Registered Users, Registered Users 2 Posts: 21,263 ✭✭✭✭Eoin


    I'm not great with PHP, but shouldn't that be:

    [php]
    ("SELECT * FROM lib1 WHERE upper(" . $field. ") LIKE '%" . $find . "%'");
    [/php]

    Presuming that "field" and "find" are PHP variables?

    Edit - remember to sanitise the variables - otherwise it's ripe for SQL injection.


  • Registered Users, Registered Users 2 Posts: 8,584 ✭✭✭TouchingVirus


    seamus wrote: »
    I always find the short codes to be sloppy, not sure why.

    The XML DTD also starts with <? so it's always safest to us the long tags when coding. It also makes your tags eaiser to see in the editor.

    Absolutely agree with you. They annoy me so much and to me they appear sloppy and lazy on the part of the coder. Idiosyncrasies and code cleanliness aside, there's nothing as annoying as seeing some server has turned asp style short tags off in their php.ini and it breaks things :D

    OP, $field is the field you wish to search. So if you had a column in the database titled "user" and wanted to search usernames the SQL would be

    SELECT * FROM user_table WHERE username LIKE %<term>%.

    $_POST holds all data that your form sends to the webserver. It has various elements. Every <input name="myName" tag in your html code will result in a $_POST element being created. So remember to set $find equal to $_POST and $field equal to $_POST. If you don't then $find and $field will be empty, rendering your SQL useless ;)
    eoin wrote: »
    I'm not great with PHP, but shouldn't that be:

    [php]
    ("SELECT * FROM lib1 WHERE upper(" . $field. ") LIKE '%" . $find . "%'");
    [/php]

    Presuming that "field" and "find" are PHP variables?

    When using double quotes in PHP you can just pop in the $variable and the string parser will greedily grab everything it can to come up with a valid variable name, it'll then expand the variable itself.

    [php]
    $cake = 'Eclair';
    echo "He ate one $cake"; //Produces "He ate one Eclair"
    echo "He ate two $cakes"; // Invalid variable, produces "He ate two"
    echo "He ate two ${cake}s"; //Produces "He ate two Eclairs"
    [/php]

    For readability though, I do it your way :)


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 101 ✭✭Basicilly


    that's working now. Really appreciate the help.....

    Cheers

    ;););)


  • Registered Users, Registered Users 2 Posts: 8,584 ✭✭✭TouchingVirus


    Basicilly wrote: »
    that's working now. Really appreciate the help.....

    Cheers

    ;););)

    Please, Please, Please do make sure you are sanitising all your variables from $_POST.

    Make sure there are no foreign characters or misformed queries in there.

    For example, if you do no validation/sanitising of your data this can happen

    Search Term: search_term%'; DROP TABLE <table>; --

    Now your SQL will look like this

    SELECT * FROM <table> WHERE <field> LIKE '%search_term%'; DROP TABLE <table>; --%;

    This will select data from the table, discard it and will drop (delete) the table that you were searching. It's very bad to not check for SQL Injection (unescaped characters). Assume your user is bad and knows what they are doing, don't assume it won't happen to you ;)


  • Registered Users, Registered Users 2 Posts: 101 ✭✭Basicilly


    Cheers

    :D


Advertisement