Jiin

Solved it. Here is the relevant SQL code followed by the html/php: SELECT * FROM rental_properties WHERE Country = 'USA' AND Neighborhood = 'Madison at Soho' AND TYPE = 'condominium' AND City = 'NewYork' AND Bedrooms = '2' AND Bathrooms = '2' AND Rent BETWEEN 500 AND 1500 LIMIT 0 , 30 And the html/php <?php //White List method to sanitize user input function clean($input) { return preg_replace('/[^a-zA-Z0-9\s]_/', '', $input); //only allows letters, numbers spaces and underscores. } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <title>Safe Form</title> </head> <body> <form action="" method="POST"> <input name="Neighborhood" type="text" id="Neighborhood"> <input name="Type" type="text" id="Type"> <input name="City" type="text" id="City"> <input name="Bedrooms" type="text" id="Bedrooms"> <input name="Bathrooms" type="text" id="Bathrooms"> <input name="Min_Rent" type="text" id="Min_Rent"> <input name="Max_Rent" type="text" id="Max_Rent"> <input type="submit" name="Submit" value="Submit"> <input name="reset" type="reset" id="reset" value="Reset"> </form> <?php //Build base query, I automatically add "Country = USA" so I don't have to programaticaly determine to use mysql syntax "x = y" or "And x = y" $query = "SELECT * FROM rental_properties WHERE Country = 'USA'"; foreach($_POST as $key => $value) { $cleankey = clean($key); $cleanvalue = clean($value); if($cleankey == 'Neighborhood' && $cleanvalue != '') { $query .= " AND $cleankey = '$cleanvalue'"; } elseif($cleankey == 'Type' && $cleanvalue != '') { $query .= " AND $cleankey = '$cleanvalue'"; } elseif($cleankey == 'City' && $cleanvalue != '') { $query .= " AND $cleankey = '$cleanvalue'"; } elseif($cleankey == 'Bedrooms' && $cleanvalue != '') { $query .= " AND $cleankey = '$cleanvalue'"; } elseif($cleankey == 'Bathrooms' && $cleanvalue != '') { $query .= " AND $cleankey = '$cleanvalue'"; } elseif($cleankey == 'Min_Rent' && $cleanvalue != '') { $min_rent = $cleanvalue; } elseif($cleankey == 'Max_Rent' && $cleanvalue != '') { $max_rent = $cleanvalue; } } if($min_rent != '' && $max_rent != '') { $query .= " AND Rent BETWEEN $min_rent AND $max_rent"; } echo "The SQL is:<br /> $query"; ?> </body> </html>

I know.

Perhaps I can determine which $_POST variables are set and append each one to the end of the mysql WHERE statement. This will generate a query based only on valid $_POST['var']'s , in other words only append the values to the query that the user set via the form. I will post the code when I get it working.

Hey dude, this isn't the OpenBSD user group. I don't recall blaming mysql, I recall describing my issue and asking for help.

LAMP, php: 5, mysql: 5.1.47 I have an html form with multiple drop down boxes enabling customers to search for property. They can use all of the boxes or some of the boxes to perform the search. Ideally customers should be able to use the search criteria they want to use(The drop down boxes they choose) and they are returned appropriate results. The problem is the unused search boxes cause the mysql SELECT parameter variables to be empty. When I query my db with an empty variable it gives me the following message: MySQL returned an empty result set (i.e. zero rows). ( Query took 0.0005 sec ) When I query it using all the varibles(all the drop down boxes) then it works fine. My query is: SELECT * FROM rental_properties WHERE City = '$maybe_empty_postvar' AND TYPE = '$maybe_empty_postvar' AND Bedrooms = '$maybe_empty_postvar' AND Bathrooms = '$maybe_empty_postvar' AND Neighborhood = '$maybe_empty_postvar' AND Price = '$maybe_empty_postvar' LIMIT 0 , 30 I am stuck Does anyone have any suggestions how I can solve this issue?

Most excellent advice gentlemen. I will implement and re-post code. FREAK OUT

Who was that masked man? That worked. Thank you so much! My white list holy grail of form input validation accomplished! Code adopted from: http://php.net/manual/en/control-structures.foreach.php The working code: --------------------------------------------- <?php //Designed to clean HTML form $_POST, note $_POST is normally a associative array //but could be manipulated to become a multi-dimensional array so why not clean both? //Also protects against $_POST key and value poisoning //clean() function allow recursing; arrays passed by reference to clean function and foreach loop function clean(&$array) { foreach ($array as &$data) { // If it's not an array, clean it if (!is_array($data)) { $data = preg_replace('/[^a-zA-Z0-9\s]/', '', $data); //Allow only letters, numbers and spaces but could addslashes(), mysql_real_escape_string() or whatever echo "$data<br />"; } else { // array not broken down yet so keep calling the function on it until it is broken down clean($data); } } } // Output clean($_POST); ?>

Bueller.....

Nothing much comes to mind but you could strace it, or have cron strace it. strace -f to follow branches/forking HTH

So it occurred to me to loop through the $_POST associative array and then I thought maybe h@xors could force extra arrays into the $_POST making it a multi-dimensional array. If I understand correctly preg_replace doesn't operate on multi-dimensional arrays so then maybe this code will work. Gurus please confirm. //Designed to clean HTML form $_POST, note $_POST is normally a associative array //but could be manipulated to become a multi-dimensional array so why not clean both? //clean() function allow recursing; arrays passed by reference function clean(&$_POST) { foreach ($_POST as &$data) { if (!is_array($data)) { // If it's not an array, clean it //Allow only letters, numbers and spaces $data = preg_replace('/[^a-zA-Z0-9\s]/', '', $data); // addslashes(), mysql_real_escape_string() or whatever } else { // If it IS an array, keep calling the function on it until it is broken down clean($data); } } }

Perhaps an escape html characters regex? Ensure the html characters are escaped appropriately for your database.

Hello All, env: php5 Linux I am concerned about XSS and co related vulnerabilites. I am using a alphanumberic "white list" technique. Is the form sufficient and are there any additional concerns/gotchas? The Code: ----------------------------- <?php function clean($input) { return preg_replace('/[^a-zA-Z0-9\s]/', '', $input); //only allows letters, numbers and spaces } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" > <head> <title>Safe Form</title> </head> <body> <form action="" method="POST"> <input name="username" type="text" id="username"> <input name="password" type="password" id="password"> <input type="submit" name="Submit" value="Submit"> <input name="reset" type="reset" id="reset" value="Reset"> </form> <?php echobr(clean($_POST['username'])); echobr(clean($_POST['password'])); ?> </body> </html>

Thank you jdavidbakr! I really like your ideas and will be using some of them in other parts of my code but I don't fully understand how to apply them to this situation. Let me explain again and maybe we can meet in the middle. Imagine a person wanting to buy a new home comes to our website and fills out a HTML form to help them with their search. The form has 30 different fields they can use to tailor their home search. I don't know which ones they are going to use until my script accesses $_POST['whatever'] vars. So they won't always use the mls_id to search. The script then takes the multiple search criteria and only shows xml nodes(i.e. properties) that match ALL the search criteria. The XML I posted above is an example of ONE xml node in a much larger XML file. As it now, I am using multiple IF (price <= x) && (bedrooms => 3) && (exp) && (exp) && (exp).... this is very ugly. Looking for better way && XML solution Thanks again for the reply.

Here is an example XML node I am matching against: <property> <mls_id>007</mls_id> <other_id>4321</other_id> <country>USA</country> <state>Florida</state> <city>Tampa</city> <zip>33624</zip> <address>310 Big Blvd</address> <type>Single Family Home</type> <for_sale>yes</for_sale> <price>200000</price> <for_rent>yes</for_rent> <rent>800</rent> <deposit>800</deposit> <year_built>1990</year_built> <square_feet>1500</square_feet> <gatecode>1212</gatecode> <lockbox>yes</lockbox> <lockbox_number>1221</lockbox_number> <date_available>10/10/2010</date_available> <listing_agent>Jiin</listing_agent> <listing_agent_phone>555-555.1212</listing_agent_phone> <listing_agent_email>listingagent@email.com</listing_agent_email> <property_manager>Tampa Home Locators</property_manager> <owner_name>Bob Dobalina</owner_name> <owner_phone>555-555.1010</owner_phone> <owner_email>owner@email.com</owner_email> <tenant>Joe Blow</tenant> <description>Beautiful Single Family Home</description> <bedrooms>3</bedrooms> <bathrooms>3</bathrooms> <listing_date>10/10/2010</listing_date> <listing_expdate>10/10/2011</listing_expdate> <listing_last_modified>10/10/2010</listing_last_modified> <feature>na</feature> <image1>/images/mypic.jpg</image1> <image2>na</image2> <image3>na</image3> <image4>na</image4> <general_comments>Beautifly ensconced in the mountains</general_comments> <showing_comments>This one is going to sell quickly!</showing_comments> <submit>submit</submit> <Update>submit</Update> </property>

Thank Ya, Thank Ya very much! Env: php5 server side Linux My code is supposed to: 1) Accept multiple search parameters from an HTML form 2) Search through xml file looking for nodes that match all search parameters 3) Display matched xml nodes The code works, it just seems REALLY INEFFICIENT. Does anybody have any suggestions? <?php $xmlfile = simplexml_load_file('master.xml'); //print_r($xmlfile); // foreach($xmlfile->property as $item) { if ( ("$item->address" == "2012 Cosmic Highway") && ("$item->state" == "Florida") && ("$item->city" == "Tampa") //**I actuall have 30+ search parameters to match, so my IF statement becomes very LONG ) { echo "FOUND MATCH FOR:<br /> $item->state <br /> $item->city <br /> $item->address"; } } ?>

You will have to put it in a foreach loop but here is a good start: <?php $xmlfile = simplexml_load_file('t.xml'); $colname = $xmlfile->xpath('/result/rows/row/column/@name'); echo $colname[0]; ?>

It seems like you are trying to parse xml attributes: <column [b]name="osis number"[/b]>209959568</column> I googled "parsing xml attributes with php" and hit these links: http://paulstamatiou.com/how-to-parse-xml-with-php5 http://www.webmasterworld.com/forum26/326.htm I hope one of those will get you started in the right direction Keep us posted.

Well, I sort of rewrote the entire thing but it works. So now the code does the following: 1) Retrieves $_POST variables to determine if we are going to [upate] or [remove] a file 2) If [update] then allow open xml file into html form and allow user to edit, then re-submit 3) If [remove] then unlink file Thank you for the tips. I employed a couple and am open to more. Please set your phasers to stun not RED <?php session_start(); if ($_SESSION["login"] != "true"){ header("Location:login.php"); $_SESSION["error"] = "<font color=red>You don't have privileges to see the admin page.</font>"; exit; } //Including functions include '../php_functions.php'; //Set file name we will be working with $file2update = $_POST["file"]; if($_POST["choice"] == "Remove") { unlink($file2update); exit("Removed $file2update"); } elseif($_POST["choice"] == "Update") { //Ensure file exists if (!is_file("$file2update")) { die("Error, $file2update does not exist."); } //Open xml file we are updating and load into HTML form $xml = simplexml_load_file("$file2update"); echo "Edit the information and click \"submit\" <br /><br />"; ?> <form action="<?php echo htmlentities($_SERVER['PHP_SELF']);?>" method="POST"> <?php foreach($xml->children() as $child) { $xmltagname = $child->getName(); echo $xmltagname . ": " . $child . "<br />"; echo "<input type=\"text\" size=\"60\" name=\"$xmltagname\" value=\"$child\" />"; echo "<br /><br /><br />"; } echo "<input type=\"submit\" name=\"Update\" value=\"submit\" />"; echo "</form>"; } ?> <?php //If the form has already been submitted then send data to XML file if(isset($_POST['Update'])) { //HTML form data will be saved as XML file //XML file will be named after HTML address field //Convert spaces to underscores so we have no space in our file name $newname = spaces2Underscore($_POST["address"]); //Write new file $newxmlfile = "$newname.xml"; //Open file for writing $fp = fopen($newxmlfile, "w") or die("Unable to create: $newxmlfile"); //Write date from HTML form to XML file fputs ($fp, "<property>\n"); foreach ($_POST as $key => $value) { $line ="<".$key.">".$value."</".$key.">\n"; //echo $line; fputs($fp, "$line"); } fputs ($fp, "</property>"); //Close file fclose($fp); echo "<h1>You have successfully updated $newxmlfile</h1>"; echo "<a href=\"index.php\">Return to Admin Panel</a>"; } ?>

Wow man, the RED is really bright! Thanks for the warning and the $_POST stash. I will upload working code.

Maybe you could echo the $html to a file and then: $fh = fopen("myfile.txt", "r"); while(i=0,i<2,i++) { $line = fgets($fh); array=('1stpart of line one' => 'second part of line one', '1stpart of line two' => 'second part of line two'); echo $array[0]; echo $array[1]; }

Hello All, Thanks in advance! Running php5 on Linux, server side. My code is supposed to: 1) Accept a variable from a previous clicked page via the RemoveProperty.php?propertyremove=thisfile.xml 2) Open and display the file to user, ensuring they REALLY want to delete the file 3) Delete the file Steps 1 & 2 are working, as soon as I hit step 3 I loose the contents of the variable($_GET['propertyremove']) i.e. the file I want to remove and therefore cannot delete the file. Step 3 is activated, it just doesn't work. I think it has something to do with $_SERVER['PHP_SELF'] reloading the page loosing the variable or my placement of <?php ?> tags. I am not sure, ANY help is greatly appreciated! Problem Script: -------------------------------------- <?php //Including functions include '../php_functions.php'; //file to remove is located in $_GET['propertyremove'] $file2remove = $_GET['propertyremove']; if(isset($_GET['propertyremove']) && !isset($_POST['submit'])) { //Ensure file exists if (!is_file("$file2remove")) { die("Error, $file2remove does not exist."); } //Open xml file we are removing and load into HTML form $xml = simplexml_load_file("$file2remove"); echo "If YOU ARE YOU SURE you want to remove $file2remove then click \"remove\" <br /><br />"; ?> <form action="<?php echo $_SERVER['PHP_SELF'];?>" method="POST"> <?php foreach($xml->children() as $child) { $xmltagname = $child->getName(); echo $xmltagname . ": " . $child . "<br />"; echo "<input type=\"text\" size=\"60\" name=\"$xmltagname\" value=\"$child\" />"; echo "<br /><br /><br />"; } echo "<input type=\"submit\" name=\"submit\" value=\"submit\" />"; echo "</form>"; } //If the form has already been submitted then remove XML file elseif(isset($_POST['submit'])) { //Rename file unlink($file2remove, $file2remove.back); echo "<h1>You have removed $file2remove</h1>"; } ?>

Hi Ateu, It seems like these are the relevant parts of your question?: "the e-mail that the guest gets has 'server@townandcountryhotels.net' in the from field when it should have 'Town and Country Hotels'. In other words, it's displaying an e-mail address when I want it to display a name." $OUREMAIL = 'Town and Country Hotels <server@townandcountryhotels.net>'; $success = mail($EmailTo2, $Subject2, $Body2, "From: <$OUREMAIL>"); What happens if you change your OUREMAIL variable like this: $OUREMAIL = 'Town and Country Hotels';

Whaaaaaaaaaaahoooooooo!!! You nailed it. My code was generating an empty HTML input name="()": mls_id: <br /><input type="text" size="60" name="()" value="" />. Here is the suspect peice of code: foreach($xml->children() as $child) { echo $child->getName() . ": " . $child . "<br />"; echo "<input type=\"text\" size=\"60\" name=\"$child->getName()\" value=\"$child\" /><br />"; echo "<br /><br />"; } Notice the first call to $child->getName() works but my second call doesn't. To fix it, the first time I call $child->getName I then store it in the $xmltagname variable and then echo that variable. Here is the working version: foreach($xml->children() as $child) { $xmltagname = $child->getName(); echo $xmltagname . ": " . $child . "<br />"; echo "<input type=\"text\" size=\"60\" name=\"$xmltagname\" value=\"$child\" />"; echo "<br /><br /><br />"; } Thanks a lot Pikachu2000, you made my day!

As far as I can tell they are all named correctly. I am just using tags from xml file to name the input elements of the HTML form. Then I fill out the HTML form, click submit and populate the XML file with data. At least that is the way it is supposed to work. Here is the php form: http://realestatetechnologiesinternational.com/xml/AddNewProperty.php Here is my XML template: http://realestatetechnologiesinternational.com/properties/propertytemplate.xml

Thank you Pikachu2000, This is the result of print_r($_POST): Array ( [()] => [submit] => submit ) **It looks like $_POST is empty. And on the submit ... my bad, I DO have the name="submit" in there, I just screwed up pasting into the forum. <input type="submit" name="submit" value="Submit" /> I am still not sure whats up :-\