Old Feb 12th, 2006, 4:53 PM   #1
Intimidat0r
Search script

I'm trying to write a search script in PHP. The idea is if somebody searched 'dog' it would return '123dog', 'dog123' and even '12dog3'. Things like that. In the variable $code I try to build a table that will be printed out, with all of the results. I know it's never even getting past the if conditional, because I've tried putting a die("here I am") type thing there and it never dies. I'm thinking it's not a problem with my algorithm, but a problem such as a word getting added a null to the end of it when it gets read from the database or something along those lines. Does anybody have any idea what's wrong with it? Thanks very much.

$squery = $_GET['query'];
$query_result = mysql_query("SELECT id, money, username, power FROM users WHERE username!='".addslashes($_COOKIE['username'])."'", $conn);

$qr2 = mysql_query("SELECT power FROM users WHERE username='".addslashes($_COOKIE['username'])."'", $conn);
$r2 = mysql_fetch_assoc($qr2);
mysql_free_result($qr2);
$yourpow = $r2['power'];

while ($row = mysql_fetch_assoc($query_result))
{
  $current = $row['username'];
  for ($i = 0; $i <= strlen($squery); $i++)
    if (substr($squery, $i, strlen($squery)) == $current)
      $code = $code."<tr><td><a href=\"profile.php?id=".$row['id']."\">".$row['username']."</a></td><td>".$row['power']."</td><td>".$row['money']."</td><td>".$rel."</td></tr>";
}
__________________
Children in the dark cause accidents, and accidents in the dark cause children.

http://www.ronincoders.org
Old Feb 12th, 2006, 5:27 PM   #2
DaWei
Liberally sprinkle echo and print_r statements throughout your code to examine the important variables. Or use a debugger.
__________________
Abstraction doesn't make it impossible to write bad code; it makes it possible to write superior code.
Contributor's Corner: Grumpy on C++ Exceptions DaWei on Pointers
Old Feb 13th, 2006, 9:25 AM   #3
Pizentios
What does $squery contain?
__________________
Profanity is the one language that all programmers understand.

Check out my Blog <---updated Nov 30 2007!
Old Feb 19th, 2006, 1:11 PM   #4
Intimidat0r
DaWei: I'll try that.

Quote:
Originally Posted by Pizentios
what does $squery contain?
It's what they searched for.
Old Feb 19th, 2006, 2:56 PM   #5
DaWei
In particular, output your query string with an echo. Then, in addition, have a failure of the query issue a MySQL error message plus any additional error comment you'd like to make. When you're debugging, you need all the information you can get your hands on. When you're ready to release, then suppress it. Here's an example:
   $findQuery = "SELECT CustomerID, Extraction
	 	      FROM customers
		      WHERE Extraction='".$custExtraction."'";
   echo "Find query: ".$findQuery."<br/>";
   $status = mysql_query ($findQuery) or die (mysql_error()."order test 2");
Old Feb 21st, 2006, 8:56 PM   #6
Intimidat0r
Ok, I put all that in, the query looks good, and MySQL isn't returning any errors or anything. It's probably something in my little algorithm. I'd just hate for it to be like when it reads from the DB it adds a null at the end or something like that that's screwing up the if conditional.
Old Feb 22nd, 2006, 5:28 AM   #7
DaWei
If things are getting added, you've written code to add them. If there are things in the DB you don't expect, that could be improper field definitions. If you'll give a simple explanation of what your data looks like and a sample query that's failing, along with the code snippet you suspect, I'll whip up a small, similar DB and have a further look. It might help you if you print out the whole row you retrieve for a few rows, too. And print out $_GET['query'], as you can't control what your user puts in. Consider treating the incoming data with mysql_real_escape_string, or at least compare it to what addslashes does, for your own edification, and maximum protection from SQL injection attacks.
Old Feb 25th, 2006, 2:22 AM   #8
Intimidat0r
Here's a screenshot of my database:



A sample query that is outputted:

SELECT id, money, username, power FROM users WHERE username!='intimidat0r'

The username!='intimidat0r' part is because if your name is intimidat0r you shouldn't be able to find yourself in the search. It's generated by PHP, as in

... username!='".$_COOKIE['username']."'"

The code snippet I suspect is, well, what I posted in my first post.

Thanks for all your help.
Old Feb 25th, 2006, 7:33 AM   #9
DaWei
Instead of searching your result set for a substring of the username, like this,
$current = $row['username'];
  for ($i = 0; $i <= strlen($squery); $i++)
    if (substr($squery, $i, strlen($squery)) == $current)
why don't you reduce the returned set by constructing the query like this,
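// $squery comes straight from $_GET, so escape it before embedding it in the SQL string.
$query_result = mysql_query (
   "SELECT id, money, username, power 
    FROM users 
    WHERE username LIKE '%".mysql_real_escape_string($squery, $conn)."%' AND
              username!='".addslashes($_COOKIE['username'])."'", $conn);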
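The LIKE search suggested above, written with bound parameters, escaped LIKE wildcards and HTML-encoded output, as an added example that is not part of the original thread. It assumes PHP with the PDO SQLite driver; the in-memory table rows, the search terms and the helper names search_users() and render_rows() are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Column names follow the thread's
// users table; the rows, inputs and helper names are constructed here.

function search_users(PDO $db, string $term, string $self): array
{
    // Escape LIKE metacharacters so '%' and '_' in the term match literally.
    $literal = strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']);
    $stmt = $db->prepare(
        "SELECT id, money, username, power FROM users
         WHERE username LIKE :pattern ESCAPE '!' AND username != :self"
    );
    // Values are bound, never concatenated, so quotes in $term stay data.
    $stmt->execute([':pattern' => "%$literal%", ':self' => $self]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function render_rows(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        // Usernames are user-chosen, so encode them before they reach HTML.
        $html .= sprintf(
            "<tr><td><a href=\"profile.php?id=%d\">%s</a></td><td>%d</td><td>%d</td></tr>\n",
            $row['id'],
            htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8'),
            $row['power'],
            $row['money']
        );
    }
    return $html;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, power INT, money INT)');
$ins = $db->prepare('INSERT INTO users (username, power, money) VALUES (?, ?, ?)');
$sample = [['123dog', 5, 10], ['dog123', 7, 20], ['12dog3', 1, 0], ['cat', 2, 5],
           ['intimidat0r', 9, 99], ['<b>dog</b>', 3, 1]];
foreach ($sample as $u) {
    $ins->execute($u);
}

// Constructed search terms: a plain word, a bare wildcard, a quote-bearing string.
foreach (['dog', '%', "x' OR '1'='1"] as $term) {
    $rows = search_users($db, $term, 'intimidat0r');
    echo "term=[$term] rows=" . count($rows) . "\n" . render_rows($rows);
}
```

The '!' escape character is used instead of a backslash so the same ESCAPE clause behaves identically on MySQL and SQLite.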
Old Feb 26th, 2006, 6:54 PM   #10
Intimidat0r
Because I didn't know SQL could do that

It seems there's always a simpler answer.

Many thanks.