anfo Posted January 8, 2009 Share Posted January 8, 2009 here's a snippet of code, that I just can't get to work and still being a fledgling programmer can't figure out why not..... I am using PHP version 5.2.6, mysql version is 5.0.51b, on a win xp pro platform. If antone can help I'd be extremely grateful. Thanks Anfo. <form action="title_search.php" method="get"> <fieldset> <p><strong>Title: </strong><input type="text" name="title" maxlength="60"/></p> <input type="button" name="submit" value="Search" /> <input type="hidden" name="submitted" value="TRUE" /> </fieldset> </form> <?php // Connect to the db. require_once ('./includes/dbconn.php'); // Make the query. $query = "SELECT title FROM `books` WHERE `title` LIKE $_GET['title']"; // Run the query. $result = @mysql_query ($query); // If query runs alright, display the records. if ($result) { // Table header. echo '<table align="center" cellspacing="0" cellpadding="5"> <tr><td align="left"><b>Title</b></td></tr>'; // Fetch and print all the records. while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) { echo '<tr><td align="left">' . $row['title'] . '</td></tr>'; } echo '</table>'; ?> (edited to add tags) Quote Link to comment Share on other sites More sharing options...
Maq Posted January 8, 2009 Share Posted January 8, 2009 Cause the method is supposed to use POST not GET. Quote Link to comment Share on other sites More sharing options...
kenrbnsn Posted January 8, 2009 Share Posted January 8, 2009 No, the method can be "get" in the form, although using "post" makes it slightly more secure. OP -- you don't say whether you're getting any errors.. Try changing: <?php query = "SELECT title FROM `books` WHERE `title` LIKE $_GET['title']"; ?> to <?php query = "SELECT title FROM `books` WHERE `title` LIKE '%" . mysql_real_escape_string(stripslashes($_GET['title'])) . "%'"; ?> Strings in MySQL need to be quoted and you should always use mysql_real_escape_string on strings that come from the user. Ken Quote Link to comment Share on other sites More sharing options...
anfo Posted January 8, 2009 Author Share Posted January 8, 2009 Thankyou for the help very much appreciated. Quote Link to comment Share on other sites More sharing options...
Maq Posted January 9, 2009 Share Posted January 9, 2009 Thankyou for the help very much appreciated. Does this mean that you have solved the issue? Quote Link to comment Share on other sites More sharing options...
.josh Posted January 9, 2009 Share Posted January 9, 2009 No, the method can be "get" in the form, although using "post" makes it slightly more secure. [OT] ...with heavy emphasis on the "slightly." With GET, all you have to do is change the value in the url. With POST, all you have to do is view source, copy and paste the form into a new file, and alter the elements to your heart's desire. Load it up in your browser and hit the submit button. There's even browser addons/mods that let you alter that stuff on-the-fly, so you can skip the view source and making your own file steps. In other words, you should validate the data just the same, regardless of whether you use GET or POST. Ken suggested using mysql_real_escape_string and stripslashes. This is to make sure someone isn't trying to do a sql injection attack. But sql injection is possible, even when you escape quotes. You should really be validating the data, not pacifying it. How you validate it depends on what format you expect your data to be. [/OT] Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.