[Resolved] Perform Search, Display results...

Garry2004

Hello,

Newbie question again. I have been looking through the forums, my reference books and online for about a week and still can't seem to get my answer on my own.

I have some simple form code.

I have a text field and a submit button as a means of entering a part number.

This is the "submitsearch.php" code. What I am trying to accomplish is have the number submitted be used for a search in the parts table and return a profile for the matching part.

<?php echo $_POST["partnum"]; ?> is the part number you are looking for.
<?php
$conn=pg_pconnect("dbname=blah user=blahblah password=blahblah1");
$lookup=pg_exec($conn, "SELECT * FROM parts WHERE part_number='$partnum'");

if(isset($_POST['partnum'])) {
echo "Great! You clicked the button!\n";
} else {
echo "Hmm...you must have come to this script without clicking the button.\n";
}
{

echo '<table BORDER="1" ALIGN="LEFT">
<tr><th>Part Number</th><th>Description</th></tr>';
while($row = pg_fetch_array($lookup))
echo '<tr><td>'.$row['part_number'].'</td><td>'.$row['part_desc'].'</td></tr>';

echo '</table>';
}
?>

Any help would be greatly appreciated.

Pig

FFS man, don't post up your user name and passwords! Edit those out.

In your query, you use $partnum, but everywhere else you use $POST[partnum]. Do you have globals on? You should stick with one format for your vars ($POST format is better).

Also, specify what your problem is. Where is it failing.

Garry2004

Pig, thanks again.

I don't know WTF happened there. I had typed what is there now, but it somehow reverted back to the original. No biggy though. It's running on one machine for experimental, no outside connectivity and no one has even physical access to it.

The problem is that I type in a part number (i.e. 35-24000) which is an actual part in the parts table and when I submit all I get are the table column titles without any data being returned.

I'll mess with the variable as you suggest.

Garry2004

Here is my code again, with the minor change to $partnum in the $_POST being declared as just "partnum".

<?php echo $_POST["partnum"]; ?> is the part number you are looking for.
<?php
$conn=pg_pconnect("dbname= user= password=");
$lookup=pg_exec($conn, "SELECT * FROM parts WHERE part_number='partnum'");

if(isset($_POST['partnum'])) {
echo "Great! You clicked the button!\n";
} else {
echo "Hmm...you must have come to this script without clicking the button.\n";
}
{

This next portion is where I think I am having the problem, not sure though. I am passing the variable 'partnum' to 'submitsearch.php', then calling that variable in the WHERE part of the query and assigning the result to the $lookup variable.

One other quick question, when you said I should use the same type of variable naming, did you mean to choose to either use the "$" for all or none?

{

echo '<table BORDER="1" ALIGN="LEFT">
<tr><th>Part Number</th><th>Description</th></tr>';
while($row = pg_fetch_array($lookup))
echo '<tr><td>'.$row['part_number'].'</td><td>'.$row['part_desc'].'</td></tr>';

echo '</table>';
}
?>

This is the output:
35-24000 is the part number you are looking for. Great! You clicked the button!
Part Number Description

Asking help again, thanks.
G

Garry2004

Hello,

I still have not resolved the issue as outlined in my last post. Can I get some more help please.

I was contemplating the issue over the weekend and I am now wondering if I have an SQL issue. Here is why I say that.

In most of the examples I see in my PostgreSQL and PHP books when dealing with queries, I have not seen even one example of passing a variable obtained from a user being fed back directly into the SELECT query. So, this is making me question whether I am just going about this all the wrong way.

It looks like I have to get a result set from the "parts" table as something like "SELECT * FROM parts" and then extract the actual part number from the result set that has been submitted by the user? I thought I could just pass the variable from the user directly to the SQL query, but I think I am mistaken? Can anyone confirm this for me and possibly give me an example of what the right way looks like?

Thanks a heap.
G

Pig

Well, 2 pieces to your question. You should be fine passing form data into a query as far the data is concerned. HOWEVER!!! you should always have a defense measure against sql injection. For instance, if someone entered this as a part number:
1';DROP TABLE parts

Then the database would read:
SELECT * FROM parts WHERE part_number='1';DROP TABLE parts

As you know, a ; is the end of command character, and the database would execute both lines of code. Make sure you have magic_quotes on, and it shouldn't be a problem.

Anyway, your query is also messed up still. That is where I was referring to the variable scope. YOu have:
SELECT FROM parts WHERE part_number='partnum'
You see the issue? Unless you have defined partnum as a constant, you are asking the database to literally match 'partnum', not a variable. It should be:
SELECT FROM parts WHERE part_number=' . $_POST['partnum'] . '

I don't know PostgreSQL, but I do know SQL and your SQL is still a bit messed up. Try that and see.

Garry2004

Hi Pig,

Thanks man, much appreciated. I had to take this

SELECT * FROM parts WHERE part_number=' . $_POST['partnum'] . '

and change it to

SELECT * FROM parts WHERE part_number=' $_POST[partnum] '

and it worked great. Note: no single quote inside square brackets and no period after or before the $_POST[partnum]

Finally can move on.🆒