anfo
Posted January 8, 2009

Here's a snippet of code that I just can't get to work, and still being a fledgling programmer, can't figure out why not. I am using PHP version 5.2.6, MySQL version is 5.0.51b, on a Win XP Pro platform. If anyone can help I'd be extremely grateful. Thanks, Anfo.

    <form action="title_search.php" method="get">
      <fieldset>
        <p><strong>Title: </strong><input type="text" name="title" maxlength="60"/></p>
        <input type="button" name="submit" value="Search" />
        <input type="hidden" name="submitted" value="TRUE" />
      </fieldset>
    </form>

    <?php
    // Connect to the db.
    require_once ('./includes/dbconn.php');

    // Make the query.
    $query = "SELECT title FROM `books` WHERE `title` LIKE $_GET['title']";

    // Run the query.
    $result = @mysql_query ($query);

    // If query runs alright, display the records.
    if ($result) {
        // Table header.
        echo '<table align="center" cellspacing="0" cellpadding="5">
        <tr><td align="left"><b>Title</b></td></tr>';

        // Fetch and print all the records.
        while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
            echo '<tr><td align="left">' . $row['title'] . '</td></tr>';
        }
        echo '</table>';
    ?>

(edited to add tags)

Maq
Posted January 8, 2009

Cause the method is supposed to use POST not GET.

kenrbnsn
Posted January 8, 2009

No, the method can be "get" in the form, although using "post" makes it slightly more secure.

OP -- you don't say whether you're getting any errors. Try changing:

    <?php
    $query = "SELECT title FROM `books` WHERE `title` LIKE $_GET['title']";
    ?>

to

    <?php
    $query = "SELECT title FROM `books` WHERE `title` LIKE '%" . mysql_real_escape_string(stripslashes($_GET['title'])) . "%'";
    ?>

Strings in MySQL need to be quoted and you should always use mysql_real_escape_string on strings that come from the user.

Ken

anfo (Author)
Posted January 8, 2009

Thank you for the help, very much appreciated.

Maq
Posted January 9, 2009

> Thank you for the help, very much appreciated.

Does this mean that you have solved the issue?

.josh
Posted January 9, 2009

> No, the method can be "get" in the form, although using "post" makes it slightly more secure.

[OT]

...with heavy emphasis on the "slightly." With GET, all you have to do is change the value in the URL. With POST, all you have to do is view source, copy and paste the form into a new file, and alter the elements to your heart's desire. Load it up in your browser and hit the submit button. There are even browser addons/mods that let you alter that stuff on-the-fly, so you can skip the view source and making your own file steps.

In other words, you should validate the data just the same, regardless of whether you use GET or POST. Ken suggested using mysql_real_escape_string and stripslashes. This is to make sure someone isn't trying to do a SQL injection attack. But SQL injection is possible, even when you escape quotes. You should really be validating the data, not pacifying it. How you validate it depends on what format you expect your data to be.

[/OT]

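An added example, not part of any post in this thread, that combines the validation .josh describes with the title search from Ken's reply. It uses PDO bound parameters rather than mysql_real_escape_string (the mysql_* functions were removed in PHP 7); the helper names, the character allowlist and the in-memory SQLite table standing in for `books` are assumptions.

```php
<?php
// Added example. Helper names are hypothetical; in-memory SQLite stands in
// for the thread's MySQL `books` table so the script runs offline.

// Validate first: bounded length and an allowlist of expected characters.
function validate_title($raw)
{
    $title = trim((string) $raw);
    if ($title === '' || strlen($title) > 60) {   // 60 = the form's maxlength
        return null;
    }
    // Allowlist is an assumption about what a book title may contain.
    return preg_match('/^[\p{L}\p{N} .,:;\'!?&()%_-]+$/u', $title) ? $title : null;
}

// Escape LIKE metacharacters so a typed % or _ matches literally.
// '!' is the escape character, which avoids backslash-quoting differences.
function like_escape($s)
{
    return preg_replace('/[!%_]/', '!$0', $s);
}

function search_titles(PDO $db, $raw)
{
    $title = validate_title($raw);
    if ($title === null) {
        return array();   // reject rather than try to clean up bad input
    }
    // Bound parameter: the value never becomes part of the SQL text.
    $stmt = $db->prepare("SELECT title FROM books WHERE title LIKE :pat ESCAPE '!'");
    $stmt->execute(array(':pat' => '%' . like_escape($title) . '%'));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE books (title TEXT)");
$db->exec("INSERT INTO books VALUES ('PHP and MySQL'), ('100% Pure PHP'), ('Learning SQL')");

foreach (array('php', '100%', '%', "x' OR '1'='1") as $input) {
    $hits = search_titles($db, $input);
    // Encode on output as well: stored titles are untrusted once echoed as HTML.
    echo htmlspecialchars($input, ENT_QUOTES, 'UTF-8'), ' => ',
         htmlspecialchars(implode(' | ', $hits), ENT_QUOTES, 'UTF-8'), "\n";
}
```

The last input fails validation and returns no rows, and the bare `%` input matches only the title that contains a literal percent sign instead of every row.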