[RESOLVED] Search not working, can anyone help?

TrielD

Hi,

I am hoping you can point out what I am doing wrong. I have been looking at this thing all day long and I am drawing a blank! 😕

I will attach my php files, I made them txt files and took out my login and password but they are exactly the same otherwise.

The search works just great, it loads all the authors from the database only once like it is suppose to. Then once I select which author I want it only brings up a blank page with the headings. It seems like I must be passing the parm wrong or something???? It is suppose to take the author you picked from the drop down list and get all the quotes by that author to display.

Any pointers?? I would sure appreciate it! Thanks!

bradgrafelman

Arrays, more specifically items in arrays referenced by indeces, should not simply appear inside a double-quoted string. If they do, they should be wrapped in braces ( {} ). Instead, I usually escape out of the string and concatenate the array in the middle, like so:
```
echo 'Your name is: ' . $row['name'] . '! Hello there.';
```
In the 'srch' script, you never define $search. It looks like you were relying on register_globals being enabled. If it is enabled, you should disable it. Either way, use the appropriate superglobal array (e.g. $GET or $POST) to access the variable you're after. For more information about these arrays, see this manual page: [man]variables.prefined[/man]
Since $search is populated with user-supplied data, you should NEVER use it directly in a query. All user-supplied data should be sanitized by a function such as [man]mysql_real_escape_string/man before it is used in a SQL query. Otherwise, you're leaving yourself vulnerable to a SQL injection attack.
For optimization sake, you should never do a "SELECT *" query - this usually wastes resources. Instead, only select the columns that you're actually going to be using.
In refereince to the 'srch' script on line 8: Instead of code such as
```
if (!$variable) {
```
, you should be using something like:
```
if (!isset($variable)) {
```

TrielD

bradgrafelman wrote:
1. Arrays, more specifically items in arrays referenced by indeces, should not simply appear inside a double-quoted string. If they do, they should be wrapped in braces ( {} ). Instead, I usually escape out of the string and concatenate the array in the middle, like so:
echo 'Your name is: ' . $row['name'] . '! Hello there.';
In the 'srch' script, you never define $search. It looks like you were relying on register_globals being enabled. If it is enabled, you should disable it. Either way, use the appropriate superglobal array (e.g. $GET or $POST) to access the variable you're after. For more information about these arrays, see this manual page: [man]variables.prefined[/man]

Since $search is populated with user-supplied data, you should NEVER use it directly in a query. All user-supplied data should be sanitized by a function such as [man]mysql_real_escape_string/man before it is used in a SQL query. Otherwise, you're leaving yourself vulnerable to a SQL injection attack.

For optimization sake, you should never do a "SELECT *" query - this usually wastes resources. Instead, only select the columns that you're actually going to be using.
In refereince to the 'srch' script on line 8: Instead of code such as
if (!$variable) {
, you should be using something like:
if (!isset($variable)) {

ummm I am confused I guess. I am calling search.php first which "posts" and calls srch.php. Does it not pass the $search???

as for your #3 it is being populated by the mySQL database with the authors in the table and not by user-supplied data.

I understand where you are coming from on #5 but this is just to help me with php and is a small table, it only has ID#, quote and author in it and I want both quote and author.

Can you maybe explain a little better on the parameter? By my code? The action calls my srch script and the method is post.

bradgrafelman

TrieID wrote:
I am calling search.php first which "posts" and calls srch.php. Does it not pass the $search???

No, it doesn't. At least, it shouldn't, because register_globals should be disabled.

What you need to do is reference this variable using the $_POST array (since you're POSTing data). Again, information on this array (and its friends) can be found on this manual page: [man]variables.predefined[/man].

TrieID wrote:
as for your #3 it is being populated by the mySQL database with the authors in the table and not by user-supplied data.

While this is technically true, you need to think of "user-supplied data" as "data that the user or the user's browser has had the opportunity of seeing before reaching the script." If someone wanted, they could easily POST whatever information they wanted to your script. Sure, you think that the POST'ed variable contains information from your DB, but a malicious user still has the opportunity of altering this field and sending any sort of data he/she wishes. That's why sanitizing all data provided by outside sources - no matter what - is important.

TrielD

Thanks for your quick help. I got it all working and understand much better! 🙂