Jump to content

[SOLVED] getting mysql to accept a value from a text field in a form


Recommended Posts

here's a snippet of code, that I just can't get to work and still being a fledgling programmer can't figure out why not.....

 

I am using PHP version 5.2.6, mysql version is 5.0.51b, on a win xp pro platform. If antone can help I'd be extremely grateful. Thanks Anfo.

 

<form action="title_search.php" method="get">
<fieldset>
<p><strong>Title: </strong><input type="text" name="title" maxlength="60"/></p>
<input type="button" name="submit" value="Search" />
<input type="hidden" name="submitted" value="TRUE" />
</fieldset>
</form>

<?php
// Connect to the db.
require_once ('./includes/dbconn.php');

// Make the query.
$query = "SELECT title FROM `books` WHERE `title` LIKE $_GET['title']";

// Run the query.		
$result = @mysql_query ($query); 

// If query runs alright, display the records.
if ($result) 
{ 

// Table header.
echo '<table align="center" cellspacing="0" cellpadding="5">
<tr><td align="left"><b>Title</b></td></tr>';

// Fetch and print all the records.
while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) 
	{
	echo '<tr><td align="left">' . $row['title'] . '</td></tr>';
	}

echo '</table>';
?>

 

(edited to add


tags)

No, the method can be "get" in the form, although using "post" makes it slightly more secure.

 

OP -- you don't say whether you're getting any errors..

 

Try changing:

<?php
query = "SELECT title FROM `books` WHERE `title` LIKE $_GET['title']";
?>

to

<?php
query = "SELECT title FROM `books` WHERE `title` LIKE '%" . mysql_real_escape_string(stripslashes($_GET['title'])) . "%'";
?>

 

Strings in MySQL need to be quoted and you should always use mysql_real_escape_string on strings that come from the user.

 

Ken

No, the method can be "get" in the form, although using "post" makes it slightly more secure.

 

[OT]

 

...with heavy emphasis on the "slightly."  With GET, all you have to do is change the value in the url.  With POST, all you have to do is view source, copy and paste the form into a new file, and alter the elements to your heart's desire. Load it up in your browser and hit the submit button.  There's even browser addons/mods that let you alter that stuff on-the-fly, so you can skip the view source and making your own file steps.

 

In other words, you should validate the data just the same, regardless of whether you use GET or POST.  Ken suggested using mysql_real_escape_string and stripslashes.  This is to make sure someone isn't trying to do a sql injection attack. But sql injection is possible, even when you escape quotes.  You should really be validating the data, not pacifying it.  How you validate it depends on what format you expect your data to be.

 

[/OT]

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.