#1
Programmer
Join Date: Feb 2006
Posts: 40
Rep Power: 0
A complicated php,form,mysql
In search.php, I have 5 fields and I am passing those variables by get method to search2.php. I want search2.php to perform a database search according to the information entered by the user and print the result to search2.php. Everything is ok: queries, tables. However, I need to be guided about how I am going to search the database with only one key. If I had known which fields are empty and which fields are not, I would write the query according to this. I tried to use the isset function for that; however, it is always returning true because I'm getting them by the post method just like this:

[code]
$ilk = @$_POST["ilktarih"];
[/code]

So I think it is always returning true because it is initialized at the beginning of search2.php although the user doesn't enter anything in the fields. One more thing: even if I could use the isset function efficiently, there are 5 fields and there are lots of combinations of filling those fields (ex: filling just one, filling the one at the top and the bottom, filling them all). It takes lots of time to write if checks and write the query again and again according to the if checks. I'm asking this because I don't know how these kinds of searches are coded. If anybody helps me how to run a query with only one button and make the database bring me the information, I would be grateful.

SEARCH.PHP

[code]
<body>
<form name="send" method="post" action="search2.php">
<a style="size:auto ">Baslangiç tarihi : </a>
<input type="text" name="ilktarih" size="30" ><br><br>
<a style="size:auto ">Bitis tarihi : </a>
<input type="text" name="sontarih" size="30" ><br><br>
<a style="size:auto ">From : </a>
<input type="text" name="from" size="30" ><br><br>
<a style="size:auto ">To : </a>
<input type="text" name="to" size="30" ><br><br>
<a style="size:auto ">From : </a>
<select name="spamlist">
<option value="UNSAFE">UNSAFE
<option value="SAFE">SAFE
<option value="BODY">BODY
<option value="ATTACH">ATTACH
<option value="VIRUS">VIRUS
<option value="EMPTY">EMPTY
<option value="ERROR">ERROR
</select><br><br>
<input type="submit" value="SEARCH">
</form>
[/code]

SEARCH2.PHP

[code]
<body>
<?
$ilk  = @$_POST["ilktarih"];
$son  = @$_POST["sontarih"];
$from = @$_POST["from"];
$to   = @$_POST["to"];
$spam = @$_POST["spamlist"];

/*$a=array($ilk,$son,$from,$to);
for($i=0;$i<5;$i++) {
    if(isset($a[$i])){
        $set[$i]=true;
        echo $set[$i];
    }
}*/

$dbhost = '127.0.0.1';
$dbuser = 'root';
$dbpass = '05364304334';
$conn = mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql');
$dbname = 'kutay';
mysql_select_db($dbname);

$query = "select * from t1";
if(empty($ilk) && empty($son) && empty($from) && empty($to)){
    // the stray space before $spam in the original ("' $spam'") made the
    // comparison fail for every status; removed here
    $query = $query . " where stats='$spam'";
}
$result = mysql_query($query,$conn) or die('Error: '.mysql_error().' -- Query: '.$query);

echo "<table border=1>\n";
echo "<tr><td>Rowcount</td><td>Date</td><td>Time</td><td>Status</td><td>Queue</td><td>Recvfrom</td><td>From</td><td>To</td><td>Subject</td><td>Spam</td><td>Rule</td></tr>\n";
$count=1;
while ($myrow = mysql_fetch_row($result)) {
    printf("<tr><td>%s</td><td>%s</td><td>%s</td><td>%s</td><td>%s</td><td>%s</td><td>%s</td><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>",
        $count, $myrow[1], $myrow[2], $myrow[3], $myrow[4], $myrow[5], $myrow[6], $myrow[7], $myrow[8], $myrow[9], $myrow[10]);
    $count++;
}
echo "</table>\n";
?>
[/code]
#2
Programming Guru
Join Date: Aug 2005
Location: England
Posts: 1,499
Rep Power: 5
1. Use code tags.
2. should not be used for page layout purposes.
3. Your code is vulnerable to SQL injection attacks.
4. I don't understand your problem. Perhaps if you explained exactly what you wish to do, in as much detail as possible?
#3
Programmer
Join Date: Feb 2006
Posts: 40
Rep Power: 0
What else can I do for layout? What do you mean saying vulnerable to SQL attacks and how can I come over them?
My problem is briefly to search a database according to the information given in the form. But the problem is I don't know which fields the user is going to enter...
#4
Resident Grouch
Join Date: Jun 2005
Posts: 6,453
Rep Power: 10
If SQL injection means nothing to you, you should Google and do some research immediately. Right after reading the forum's rules/FAQ and a "How to Post..." thread. Then some material on (X)HTML and CSS and the uses thereof for achieving reasonably decent layout that works (mainly, one hopes) cross-browser.
__________________
Abstraction doesn't make it impossible to write bad code; it makes it possible to write superior code. Contributor's Corner: Grumpy on C++ Exceptions, DaWei on Pointers
#5
Programming Guru
Join Date: Aug 2005
Location: England
Posts: 1,499
Rep Power: 5
Quote:
[code]
$name = $_POST['name'];
$age = $_POST['age'];
$address = $_POST['address'];
$searches = array();
if ($name != "") {
    $searches[] = sprintf("name = '%s'", mysql_real_escape_string($name));
}
if ($age != "") {
    $searches[] = sprintf("age = '%s'", mysql_real_escape_string($age));
}
if ($address != "") {
    $searches[] = sprintf("address = '%s'", mysql_real_escape_string($address));
}
// PHP concatenates strings with ".", not "+" (the original used "+", which
// yields a number, not a query). When no field is filled in, the WHERE
// clause has to be left out entirely or the SQL is a syntax error.
$query = "SELECT * FROM people";
if (count($searches) > 0) {
    $query .= " WHERE " . join(" AND ", $searches);
}
[/code]

Finally, the SQL query string is created, with the where clause made up of all the search restrictions joined together with "AND"s. So if the user was looking for a person named "Bob" who was 25 years old, the SQL query would look like: "SELECT * FROM people WHERE name = 'Bob' AND age = '25'". Note that I encase all my strings in the mysql_real_escape_string function before sending them to the database. If I do not do this, my SQL could potentially be subverted by malicious user input. That's what SQL injection attacks are. Google them for more info.
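The same "build the WHERE clause only from the fields the user actually filled in" idea, applied to the five fields of the form in post #1 and written with PDO prepared statements instead of mysql_real_escape_string, so that user input is bound as data and never spliced into the SQL text. This is an added example, not code from any post in the thread. The column names (msgdate, sender, rcpt, subject, stats), the date-range comparisons and the use of an in-memory SQLite database for the demo are assumptions made here; with MySQL only the DSN and credentials in the PDO constructor would change.

```php
<?php
// Added example, not from the thread. Column names and the SQLite demo
// database are assumptions; the form field names come from post #1.

// Form field => [column, comparison]. Columns are fixed in code and never
// taken from the request, so only the values are ever user-controlled.
const SEARCH_FIELDS = [
    'ilktarih' => ['msgdate', '>='],   // start date (Baslangiç tarihi)
    'sontarih' => ['msgdate', '<='],   // end date (Bitis tarihi)
    'from'     => ['sender',  '='],
    'to'       => ['rcpt',    '='],
    'spamlist' => ['stats',   '='],
];

// The values the spamlist <select> in search.php can legitimately submit.
const SPAM_VALUES = ['UNSAFE', 'SAFE', 'BODY', 'ATTACH', 'VIRUS', 'EMPTY', 'ERROR'];

/**
 * Build "SELECT ... FROM t1 [WHERE a >= ? AND b = ? ...]" from the non-empty
 * fields only. Returns [sql, params]; the params are bound by PDO at execute
 * time, so a quote or "OR 1=1" in a field is just a string being compared.
 * With no filled fields the WHERE clause is omitted (no syntax error).
 */
function buildSearchQuery(array $input): array
{
    $clauses = [];
    $params  = [];
    foreach (SEARCH_FIELDS as $field => [$column, $op]) {
        // isset() on $_POST itself tells us whether the field was sent at all;
        // trim() + '' tells us whether the user actually typed something.
        $value = isset($input[$field]) ? trim((string) $input[$field]) : '';
        if ($value === '') {
            continue;                       // empty: no restriction on this column
        }
        if ($field === 'spamlist' && !in_array($value, SPAM_VALUES, true)) {
            throw new InvalidArgumentException('unexpected spamlist value');
        }
        $clauses[] = "$column $op ?";       // placeholder, not the value
        $params[]  = $value;
    }
    $sql = 'SELECT msgdate, sender, rcpt, subject, stats FROM t1';
    if ($clauses) {
        $sql .= ' WHERE ' . implode(' AND ', $clauses);
    }
    return [$sql, $params];
}

function runSearch(PDO $db, array $input): array
{
    [$sql, $params] = buildSearchQuery($input);
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- demo on constructed data (in-memory SQLite so it runs offline) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE t1 (msgdate TEXT, sender TEXT, rcpt TEXT, subject TEXT, stats TEXT)');
$ins = $db->prepare('INSERT INTO t1 VALUES (?, ?, ?, ?, ?)');
foreach ([
    ['2006-02-01', 'a@example.com', 'b@example.com', 'hello',  'SAFE'],
    ['2006-02-10', 'c@example.com', 'b@example.com', 'offer',  'UNSAFE'],
    ['2006-03-05', 'a@example.com', 'd@example.com', 'report', 'VIRUS'],
] as $row) {
    $ins->execute($row);
}

// Only the start date filled in: the other four fields add no restriction.
print_r(runSearch($db, ['ilktarih' => '2006-02-05', 'sontarih' => '', 'from' => '', 'to' => '']));

// Start date and status: two clauses joined with AND.
print_r(runSearch($db, ['ilktarih' => '2006-02-05', 'spamlist' => 'VIRUS']));

// Input that would have altered a string-built query is compared as plain
// data here and matches nothing.
print_r(runSearch($db, ['from' => "x' OR '1'='1"]));
```

One detail of the original form matters for this approach: the spamlist select has no "any" entry, so the browser always submits one of the seven values and the status clause is always added. Adding an option with an empty value makes it optional in the same way as the text fields.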