LaserLight, again, sorry

dcjones

Hi LaserLight,

Sorry to come back again but I had this working but now it is not and I can not see what I have done. This is the script

if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    

    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}

$currentPage = $_SERVER["PHP_SELF"];


$colname_search = "-1";
if (isset($_POST['search'])) {
  $colname_search = (get_magic_quotes_gpc()) ? $_POST['search'] : addslashes($_POST['search']);
}
$colname1_search = "-1";
if (isset($_POST['search'])) {
  $colname1_search = (get_magic_quotes_gpc()) ? $_POST['search'] : addslashes($_POST['search']);
}
$colname2_search = "-1";
if (isset($_POST['search'])) {
  $colname2_search = (get_magic_quotes_gpc()) ? $_POST['search'] : addslashes($_POST['search']);
}
$colname3_search = "-1";
if (isset($_POST['search'])) {
  $colname3_search = (get_magic_quotes_gpc()) ? $_POST['search'] : addslashes($_POST['search']);
}
mysql_select_db($database_Chandos, $Chandos);
$query_search = sprintf("SELECT * FROM chandos_books WHERE author_name LIKE '%%%s%%' OR book_title LIKE '%%%s%%' OR isbn_hardback = '%s'  OR isbn_paperback = '%s'" , GetSQLValueString($colname_search, "text"),GetSQLValueString($colname1_search, "text"),GetSQLValueString($colname2_search, "int"),GetSQLValueString($colname3_search, "int"));
$search = mysql_query($query_search, $Chandos) or die(mysql_error());
$row_search = mysql_fetch_assoc($search);
$totalRows_search = mysql_num_rows($search);

can you spot what is wrong, sorry to be a pain.

laserlight

Keep it simple when testing. The obvious problem in your code is that $_POST['search'] is being used time and time again for both text and numeric fields. Frankly, I think that GetSQLValueString() is more trouble than it is worth.

Just use mysql_real_escape_string (or a wrapper that checks for magic_quotes_gpc() and stripslashes() appropriately) with sprintf(). The sprintf() format flags can handle the numeric types for you:

$currentPage = $_SERVER["PHP_SELF"];

$author = isset($_POST['author']) ? $_POST['author'] : '';
$isbn_hardback = isset($_POST['isbn_hardback']) ? $_POST['isbn_hardback'] : 0;

mysql_select_db($database_Chandos, $Chandos);
$query_search = sprintf("SELECT * FROM chandos_books
                             WHERE author_name LIKE '%%%s%%'
                                OR isbn_hardback=%d",
                        mysql_real_escape_string($author),
                        $isbn_hardback);
$search = mysql_query($query_search, $Chandos) or die(mysql_error());
$row_search = mysql_fetch_assoc($search);
$totalRows_search = mysql_num_rows($search);

dcjones

Hi Laserlight.

I now have the following

$currentPage = $_SERVER["PHP_SELF"];

$author = isset($_POST['author']) ? $_POST['author'] : '';
$isbn_hardback = isset($_POST['isbn_hardback']) ? $_POST['isbn_hardback'] : 0;

mysql_select_db($database_Chandos, $Chandos);
$query_search = sprintf("SELECT * FROM chandos_books
                             WHERE author_name LIKE '%%%s%%'
                                OR isbn_hardback=%d",
                        mysql_real_escape_string($author),
                        $isbn_hardback);
$search = mysql_query($query_search, $Chandos) or die(mysql_error());
$row_search = mysql_fetch_assoc($search);
$totalRows_search = mysql_num_rows($search);

when I run the script using "wood" as the search the script return all the records in that database.

Can you advise please.

laserlight

Notice that you have to modify your test form to use the fields author and isbn_hardback. Ignore the other possible columns for now.