Passing data from HTML form to PHP

ChrisRChamberlain

Hi all

Following thread434-1351433, I decided to create a site search engine in a mix of VFP and PHP.

The following barebones PHP script correctly queries the database and retrieves the page links etc.

What I am uncertain of is how to 'send' the data from the HTML form to assign to the variable $searchstring, currently hard coded in the example.
Code:
<html>
<head>
<title>Search results</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body bgcolor="#FFFFFF">

<?php

    //  connect to the database
    $connectionstring = odbc_connect("vfptable", "", "");

    //  searchstring passed from form
    $searchstring = "[Display]";

    //  Get number of records
    $countQuery = "SELECT COUNT(*) FROM pagedata ".
        "where $searchstring $ innertext";
    $result = odbc_exec($connectionstring, $countQuery);

    odbc_fetch_row($result,0);
    $numRecords = odbc_result($result, 1);

    //  Execute search query
    $Query = "SELECT * FROM pagedata ".
        "where $searchstring $ innertext";
    $queryexe = odbc_do($connectionstring, $Query);

    //  Query database
    print ("Total instances found is ".$numRecords);
    print ("<br>");
    print ("<br>");

    $instances=0;
    while(odbc_fetch_row($queryexe))
    {
        $filename = odbc_result($queryexe, 1);
        $title = odbc_result($queryexe, 2);
        $dispstring = odbc_result($queryexe, 4);

        print ("$instances"+1);
        print (".");
        print ("&nbsp;");
        print ("<a href='$filename'>$title</a>");
        print ("<br>");
        print ("$dispstring");
        print ("<br>");
        print ("<br>");
        $instances=$instances+1;
    }

    //  disconnect from database
    odbc_close($connectionstring);

?>

</body>
</html>
Any guidance would be appreciated.

TIA

FAQ184-2483 - answering getting answered.​
Chris [pc2]
PDFcommander.com
motrac.co.uk
 
I may be misunderstanding you Chris, but would the variable not be available as normal in the $_POST/$_GET superglobals?
 
jpadie

Thanks for your reply

This is the code in the HTML form
Code:
    <form action="sitesearch.php" method="post">
      <input name="searchstring" type="text" style='font-size: 8pt' size="11">
      <input name="goButton" type="submit" style='font-size: 7pt' value="Go">
    </form>
This is the amended code in the PHP script and where it fails
Code:
	$searchstring = $_POST['searchstring'];
	$searchstring = "[" + $searchstring + "]";
The '[]' are required for the SQL string.



Chris [pc2]
 
Code:
$searchstring = "[" . $searchstring . "]";
$searchstring = "[$searchstring]";

Warning, I'm not even halfway into my first cup of coffee, but both of those should work.

However, I think before plugging that value into the string you should probably do some tests or replaces on the string to make sure there aren't any bad characters in it. Not knowing VFP very well (almost not at all) I couldn't guess what those may be, but at a minimum you should replace any square brackets in the string before you put your brackets around it.

-T

 
I agree with Tarwn.

Chris - the concatenate operator in PHP is a dot (.) and not + (JavaScript). That was the source of the problem.

But ... basic rule here: never trust user input. Always check that the input is of the type and in the range that you expect, cleanse it of spurious whitespace and then escape it before using it in a db query.
 
Tarwn, jpadie

You're right - the use of either or both square brackets within the search string may cause a PHP error and therefore requires a new thread.

Thanks for both your inputs in resolving the concatenation issue.

Chris [pc2]
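
Added example (not part of the thread, and not any poster's code): one way to apply the advice from Tarwn and jpadie above in sitesearch.php, checking the posted value against an allowlist before it is wrapped in square brackets. The helper name clean_search_term, the 64-character limit and the permitted character set are assumptions.

```php
<?php
// Hypothetical helper (added example): returns a validated search term,
// or null when the input must be rejected.
function clean_search_term($raw, int $maxLen = 64): ?string
{
    // A POST field can arrive as an array (searchstring[]=x); accept strings only.
    if (!is_string($raw)) {
        return null;
    }
    $term = trim($raw);                       // drop spurious whitespace
    if ($term === '' || strlen($term) > $maxLen) {
        return null;
    }
    // Assumed allowlist: letters, digits, space, dot, underscore, hyphen.
    // It excludes [ ] ' " ; ( ) so the term cannot close the [..] literal.
    if (!preg_match('/\A[A-Za-z0-9 ._-]+\z/', $term)) {
        return null;
    }
    return $term;
}

// Constructed sample inputs: the first two pass, the rest return NULL.
foreach (['Display', '  page layout ', 'a] OR [a', ['x'], ''] as $sample) {
    var_dump(clean_search_term($sample));
}

// Use in sitesearch.php; this part runs only for a POST from the form.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $term = clean_search_term($_POST['searchstring'] ?? null);
    if ($term === null) {
        print("Search terms may contain letters, digits, spaces, dots and hyphens only.");
    } else {
        $searchstring = "[" . $term . "]";    // dot, not +, concatenates in PHP
        $connectionstring = odbc_connect("vfptable", "", "");
        $countQuery = "SELECT COUNT(*) FROM pagedata " .
            "where $searchstring $ innertext";
        $result = odbc_exec($connectionstring, $countQuery);
        odbc_fetch_row($result);
        // Escape anything echoed back into the HTML page.
        print("Instances of '" . htmlspecialchars($term, ENT_QUOTES) .
            "' found: " . (int) odbc_result($result, 1));
        odbc_close($connectionstring);
    }
}
```

Rejecting input that fails the allowlist, rather than silently stripping characters, keeps the executed query identical to what the visitor sees reported back.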
 