problem with user input search... I dont think its the sql

[reno73]

Hi all

i have been trying to get a query to display data based on a user's input from a form on the same page but i get nothing but internal error. I know the connection section is ok and the query statement is ok because if i change the where clause to... $query = "SELECT pm_name, recreation FROM pm_recreation where pm_name like 'm%' LIMIT 0, 30 ";
and run it separately with nothing else on the page it runs fine but if i have the where clause ... $query = "SELECT pm_name, recreation FROM pm_recreation where pm_name like '%$search' LIMIT 0, 30 "; then i get nothing but a blank page.. i have included my whole code

<html>
<head>
<title>Untitled Document</title>
</head>

<body>


<?php

if (isset($_POST['submitted'])) {
$search = $_POST['name'];
$errors = array(); // Initialize error array.


if (empty($_POST['name'])) {
$errors[] = "You forgot to enter Prime Minister's name.";
}

if (empty($errors)) {
/*connect to mysql */
require ('./includes/dbconfig.php');
$conn = mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql');



mysql_select_db($dbname);
$query = "SELECT pm_name, recreation FROM pm_recreation where pm_name like '%$search' LIMIT 0, 30 ";
$result = mysql_query($query);

while($row = mysql_fetch_array($result, MYSQL_ASSOC))
{

echo "Name :{$row['pm_name']} <br>" .
"Recreation : {$row['recreation']} <br><br>" ;


} else {

echo '<h1>Error!</h1>
<p class="error">The following error(s) occurred:<br />';
foreach ($errors as $msg) { // Print each error.
echo " - $msg<br />\n";
}
echo '</p><p>Please <a href ="contact.php"> go back and try again.</a></p><p><br /></p>';

} /

} else { ?>
<h2>Search Prime Minister's Recreations</h2>
<form action="mysearch.php" method="POST">
<p>Prime Minister's Name: <input type="text" name="name" size="20" maxlength="40" /></p>
<p><input type="submit" name="submit" value="Find" /></p>
<input type="hidden" name="submitted" value="TRUE" />
</form>
<?php
}
?>



</body>
</html>

thank you

 

[DonQuichote]

Well, $search is not defined if you do not post to the page. Is that it?

Furthermore, never use user-supplied input without escaping it properly first.

+++ Despite being wrong in every important aspect, that is a very good analogy +++
Hex (in Darwin's Watch)

 

[reno73]

Hi
can you explain a bit more, as i'm just learning and i thought i had posted it eg in my form code <input type="text" name="name" size="20" maxlength="40" /></p>

then in following section of the php i defined $search=$_POST['name]


if (isset($_POST['submitted'])) {
$search = $_POST['name'];
$errors = array(); // Initialize error array.


if (empty($_POST['name'])) {
$errors[] = "You forgot to enter Prime Minister's name.";
}
sorry to bother you

 

[jpadie]

your sql query requires the name to end in the search string. this is quite odd for users, who typically search on the start of a name.

you might try either adding a % at the end of the search parameter.

and remember, as you have been told, to escape and cleanse your user input.

$query = "SELECT pm_name, recreation FROM pm_recreation where pm_name like '%'".trim(mysql_real_escape_string($search)) . "%' LIMIT 30 OFFSET 0";

 

[southbeach]

I normally use the syntax shown by jpadie (except that I just learned about using mysql_real_escape_string() in the past 24 hours) - but I mean is I do not use GLOBALS as it appears that reno73 is. Otherwise, the variable $search is added to $query as a literal not by reference.

$query = "SELECT pm_name, recreation FROM pm_recreation where pm_name like '%$search' LIMIT 0, 30 ";

The way I see it, if you echo $query you will see exactly that and $search was not replaced by its content as reno73 expects.

If you notice, jpadie syntax the variable $query is broken-up and he uses . to concatenate the strings.

Am I mistaken or making any sense at all?