[SOLVED] [RESOLVED]--Variable can be echoed onto screen, SQL query in IE won't recanize

[ridiculous]

Has anyone experienced a situation where their MySQL query returned the desired results in Mozilla but not in IE? Check this out:

My query:




[code]
<?php
$conn = db_connect();

$result = mysql_query("
SELECT
postid,
date,
title,
city,
state
FROM
jobs
WHERE
state='$state'
")
or die (mysql_error());

$numofrows = mysql_num_rows($result);

echo $state;
echo $numofrows;
?>
[/code]


Now, this returns the result just fine in Mozilla. However, it gives my nothing in IE. Apparently, my variable "$state" isn't being picked up, because both test echos return nothing.


Any suggestions?

[ridiculous]

I can get the variable $state to echo in IE, but I can't get the MySQL query to pick it up. What gives?

[alpine]

PHP (and mysql queries) is all server side and is in no way treated differently due to different browsers.
You have a html issue somewhere causing your problem, and it's not showing here.

[ridiculous]

From what I can tell, the variable isn't set for purposes of the MySQL query...but will echo within the same function. Any thoughts on this?

[ridiculous]

I have a form, from which I get the variable $state. It looks like this (pretty simple)...


[code]

<span class="full_size_window">
<form method=post action="course_search_results_index.php" enctype="multipart/form-data">
<table cellpadding="0" cellspacing="1">

<tr>
    <td id="state.td" class="row_style_white">
State:
</td>
<td><select name="state" 
onfocus="MM_changeProp('state.td','','style.backgroundColor','316AC5','td');
MM_changeProp('state.td','','style.color','ffffff','td')"
onblur="MM_changeProp('state.td','','style.backgroundColor','ffffff','td');
MM_changeProp('state.td','','style.color','003399','td')" >
         
<option value=" AL "> Alabama
<option value=" AK "> Alaska
<option value=" AZ "> Arizona
<option value=" AR "> Arkansas
<option value=" CA "> California
<option value=" CO "> Colorado
<option value=" CT "> Connecticut
<option value=" DE "> Deleware
<option value=" FL "> Florida
<option value=" GA "> Georgia
<option value=" HI "> Hawaii
<option value=" ID "> Idaho
<option value=" IL "> Illinois
<option value=" IN "> Indiana
<option value=" IA "> Iowa
<option value=" KS "> Kansas
<option value=" KY "> Kentucky
<option value=" LA "> Louisiana
<option value=" ME "> Maryland
<option value=" MA "> Massachusetts
<option value=" MI "> Michigan
<option value=" MN "> Minnesota
<option value=" MS "> Mississippi
<option value=" MO "> Missouri
<option value=" MT "> Montana
<option value=" NE "> Nebraska
<option value=" NV "> Nevada
<option value=" NH "> New Hampshire
<option value=" NJ "> New Jersey
<option value=" NM "> New Mexico
<option value=" NY "> New York
<option value=" NC "> North Carolina
<option value=" ND "> North Dakota
<option value=" OH "> Ohio
<option value=" OK "> Oklahoma
<option value=" OR "> Oregon
<option value=" PA "> Pennsylvania
<option value=" RI "> Rhode Island
<option value=" SC "> South Carolina
<option value=" SD "> South Dakota
<option value=" TN "> Tennessee
<option value=" TX "> Texas
<option value=" UT "> Utah
<option value=" VT "> Vermont
<option value=" VA "> Virginia
<option value=" WA "> Washington
<option value=" WV "> West Virginia
<option value=" WI "> Wisconsin
<option value=" WY "> Wyoming
</select> </td>
</tr>


<input type="submit" name="state" value="Search Courses">
</span>   

[/code]

[ridiculous]

As you can see, the form sends my variable to the script: course_search_results_index.php

(BELOW)


[code]

<?
include ('function_index.php');

f_header();

f_course_search ($state);

?>

</code>


That script activates the function f_course_search ($state), which works fine in Mozilla...but doesn't recognize the variable $state in the query when run in IE.


<code>

function f_course_search ($state)

{

$conn = db_connect();

echo $state;

$result = mysql_query(
'SELECT
postid,
title,
city,
state
FROM
jobs
WHERE (state = "MI")'
)
or die (mysql_error());

$numofrows = mysql_num_rows($result);

echo $numofrows;

echo '<span class="full_size_window">';

echo '<table width="598 px" height= "300 px" align = "center" border="0" cellpadding="8"
bgcolor="#2939D0" cellspacing="0" style="position:absolute, left:1px">';


for($i = 0; $i < $numofrows; $i++) {
 
    $row = mysql_fetch_array($result); //get a row from our result set
 
if($i % 2) { //this means if there is a remainder


?>
<tr id="<?=$postid ?>z" class="row_style_white"

onMouseOver="MM_changeProp('<?=$postid ?>z','','style.backgroundColor','BED0F7','tr');
MM_changeProp('<?=$postid ?>z','','style.color','ffffff','tr')"
onMouseOut="MM_changeProp('<?=$postid ?>z','','style.backgroundColor','ffffff','tr');
MM_changeProp('<?=$postid ?>z','','style.color','003399','tr')">

<?
   
} else {
?>
<tr id="<?=$postid ?>z" class="row_style_grey"

onMouseOver="MM_changeProp('<?=$postid ?>z','','style.backgroundColor','BED0F7','tr');
MM_changeProp('<?=$postid ?>z','','style.color','ffffff','tr')"
onMouseOut="MM_changeProp('<?=$postid ?>z','','style.backgroundColor','e7e7e7','tr');
MM_changeProp('<?=$postid ?>z','','style.color','003399','tr')">
    <?
}
   
extract($row);
   
?>

<td style="width:100px; text-align:center; color:#2939ce"><?=$date?></td></tr>

[/code]

[alpine]

Please, use correct code tags around your code when posting [ ].

Remove the enctype="multipart/form-data" from your form, see if it helps first

*edit*
AND do it like this instead, you are coding for register_globals=On (and it's a bad habbit)
[code]

<?php
include ('function_index.php');

f_header();

f_course_search ($_POST['state']);

?>

[/code]

Still - it not injection safe, but that's another matter to fix when the first problem is solved..

[ridiculous]

Thanks for spending time to help. I'm not sure what you mean by "injection safe", but I do know that erasing the form type didn't solve the issue.

I guess what I'm looking to understand is how I can echo a variable onto my screen when that same variable is unrecognized in my MySQL query.

[ridiculous]

Unless by injection safe you mean that someone could fabricate variables by inserting them into the address bar.

[bljepp69]

In the form code submitted above...

The 'select' and 'submit' form elements are both named 'state'.  I'll bet the two browsers are treating this a bit differently and submitting different values.  Change the name of your 'submit' element.

[ridiculous]

Good call on that, I actually caught it just a few minutes before you posted. It doesn't seem to make a difference, because apparently the variable is still carried to the function...but it not in a form recognizable by the SQL commands.

[code]

<span class="full_size_window">
<form method=post action="course_search_results_index.php" name="ridick">


<table cellpadding="0" cellspacing="1">

<tr>
    <td id="state.td" class="row_style_white">
State:
</td>
<td><select name="state" 
onfocus="MM_changeProp('state.td','','style.backgroundColor','316AC5','td');
MM_changeProp('state.td','','style.color','ffffff','td')"
onblur="MM_changeProp('state.td','','style.backgroundColor','ffffff','td');
MM_changeProp('state.td','','style.color','003399','td')" >
         
<option value=" AL "> Alabama
<option value=" AK "> Alaska
<option value=" AZ "> Arizona
<option value=" AR "> Arkansas
<option value=" CA "> California
<option value=" CO "> Colorado
<option value=" CT "> Connecticut
<option value=" DE "> Deleware
<option value=" FL "> Florida
<option value=" GA "> Georgia
<option value=" HI "> Hawaii
<option value=" ID "> Idaho
<option value=" IL "> Illinois
<option value=" IN "> Indiana
<option value=" IA "> Iowa
<option value=" KS "> Kansas
<option value=" KY "> Kentucky
<option value=" LA "> Louisiana
<option value=" ME "> Maryland
<option value=" MA "> Massachusetts
<option value=" MI "> Michigan
<option value=" MN "> Minnesota
<option value=" MS "> Mississippi
<option value=" MO "> Missouri
<option value=" MT "> Montana
<option value=" NE "> Nebraska
<option value=" NV "> Nevada
<option value=" NH "> New Hampshire
<option value=" NJ "> New Jersey
<option value=" NM "> New Mexico
<option value=" NY "> New York
<option value=" NC "> North Carolina
<option value=" ND "> North Dakota
<option value=" OH "> Ohio
<option value=" OK "> Oklahoma
<option value=" OR "> Oregon
<option value=" PA "> Pennsylvania
<option value=" RI "> Rhode Island
<option value=" SC "> South Carolina
<option value=" SD "> South Dakota
<option value=" TN "> Tennessee
<option value=" TX "> Texas
<option value=" UT "> Utah
<option value=" VT "> Vermont
<option value=" VA "> Virginia
<option value=" WA "> Washington
<option value=" WV "> West Virginia
<option value=" WI "> Wisconsin
<option value=" WY "> Wyoming
</select> </td>
</tr>


[color=pink]<input type="submit" name="Submit" value="Search Courses">[/color]
</span>   

[/code]

[alpine]

good spot bljepp69

http://en.wikipedia.org/wiki/SQL_injection

[code]
<?php

$var = "something";

echo $var;

mysql_query("SELECT * FROM table WHERE colname = '$var'");

?>
[/code]

really does echo and runs in the query as long as it exists


On your target script, put this on the top and see what u get after submitting the form:
[code]
<?php

echo "<pre>";
print_r($_POST);
echo "</pre>";

?>
[/code]

[bljepp69]

you can add this debug code to the top of your page to see what you are actually carrying in the $_POST variables:

[code]
<?php
  echo "POSTS:<pre>".print_r($_POST,TRUE)."</pre>";
?>
[/code]

I'm also thinking that the extra spaces you have in the 'option' elements for the values might be causing some problems.  Maybe the different browsers handle those differently and then what you are comparing to the db doesn't work.

[ridiculous]

You guys are awesome. I'm doing this right now.

[ridiculous]

Alpine:


Array
(
    [state] => MI
    [button] => Search Courses
)

[ridiculous]

bljepp69

Taking the extra spaces out of the option elements was a very clever thought. Didn't work though.

[ridiculous]

Here is all the code I am working with, if anyone is interested.


[color=red]MySQL Table[/color]
[code]
-- phpMyAdmin SQL Dump
-- version 2.9.0.3
-- http://www.phpmyadmin.net
--
-- Host: localhost
-- Generation Time: Dec 27, 2006 at 04:10 AM
-- Server version: 5.0.27
-- PHP Version: 5.2.0
--
--

-- --------------------------------------------------------

--
-- Table structure for table `course_catalogue`
--

CREATE TABLE `course_catalogue` (
  `Course_Subject` varchar(30) NOT NULL,
  `Course_Name` varchar(40) default NULL,
  `Course_Id` varchar(20) NOT NULL,
  `Description` text,
  `Promo_Text` text NOT NULL,
  `Did_You_Know` varchar(255) NOT NULL default 'Study Stars has something for everyone. We''re serious about education-and we hope you''ll come shine with us. ',
  `Course_Pic` varchar(40) default NULL,
  `Instructor_Pic` varchar(75) NOT NULL default 'instructor_default.jpg',
  `Instructor_1` varchar(50) default NULL,
  `Instructor_2` varchar(50) default NULL,
  `Enrollment_Limit` char(2) default NULL,
  `Currently_Enrolled` char(2) default NULL,
  `Course_Fees` varchar(10) default NULL,
  `Lab_Fees` varchar(15) default NULL,
  `Begin_Date` varchar(9) default NULL,
  `Course_Duration` varchar(15) NOT NULL,
  `Days_Meets` varchar(15) NOT NULL,
  `End_Date` varchar(9) default NULL,
  `Course_Begin_Time` varchar(10) default NULL,
  `Session_Duration` varchar(15) default NULL,
  `Site` varchar(40) default NULL,
  `Room` varchar(25) default NULL,
  `Site_Code` varchar(20) default NULL,
  `Address` varchar(35) default NULL,
  `City` varchar(25) default NULL,
  `State` varchar(15) default NULL,
  `Zip` varchar(6) default NULL,
  PRIMARY KEY  (`Course_Id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

--
-- Dumping data for table `course_catalogue`
--

INSERT INTO `course_catalogue` (`Course_Subject`, `Course_Name`, `Course_Id`, `Description`, `Promo_Text`, `Did_You_Know`, `Course_Pic`, `Instructor_Pic`, `Instructor_1`, `Instructor_2`, `Enrollment_Limit`, `Currently_Enrolled`, `Course_Fees`, `Lab_Fees`, `Begin_Date`, `Course_Duration`, `Days_Meets`, `End_Date`, `Course_Begin_Time`, `Session_Duration`, `Site`, `Room`, `Site_Code`, `Address`, `City`, `State`, `Zip`) VALUES
('LSAT Preparation', 'Logical Reasoning Problem Sets', 'LSAT1bailey48823', 'Introduction to logical reasoning problem types associated with corresponding LSAT section. Emphasis on matching problem types with solution protocol, time-appropriate flow chart creation, and error checking. ', 'Classroom LSAT instruction at $15/hr.', 'The structure of the LSAT and the types of questions that will be asked on it are somewhat predictable.<p>Knowing this helps you to practice specifically on question types that show up frequently in exams.</p>', 'LSAT1bailey48823.jpg', 'instructor_default.jpg', 'Vogner Silva, Ph.D.', '', '25', NULL, '$50', NULL, '11/22/06', '2', 'Th S', '', '8:00PM', '120 mins', 'Bailey Community Center', 'Room 130', 'Bailey48823', '300 Bailey St.', 'East Lansing', 'MI', '48823'),
('Vale Tudo', 'Basic Ground Fighting', 'VT100bailey48823', 'Course explores [20] of the most popular Vale Tudo techniques: Armbars, Chokeholds, Elbow Traps, Leglocks, Wrist Traps and corresponding escape strategies.\r\n\r\nEmphasis on correct application of techniques as applied to individuals of varying body types. ', 'Roll with the pros.', 'The term vale tudo comes from the name of a television show that aired in Brazil starting in the 1960s. <p> It means "anything goes" in Portuguese, and generally describes competitions in unarmed combat having minimal rules.</p>', 'VT100bailey48823.jpg', 'inst_VT100bailey48823.jpg', 'Kim Son Hu, Black Belt, Gracie Jiu-Jitsu', '', '15', NULL, '$75', NULL, '11/25/06', '2', 'T F', '', '6:00PM', '90 mins', 'Bailey Community Center', 'GYM', 'Bailey48823', '300 Bailey St.', 'East Lansing', 'MI', '48823'),
('PHP, MySQL, & Apache', 'Intro to Dynamic Web Development', 'PHP100msulab48823', 'Focus on object-oriented programming as it relates to the language. Special emphasis on interplay with mobile applications. ', 'Get up to speed on the latest in web development.', 'PHP competes with Visual Basic and C++ as the third most popular programming language behind Java and C, based on world wide availability of practitioners, courses and vendors.', 'PHP100msulab48823.png', 'instructor_default.jpg', 'Eric Madsen', '', '50', NULL, '$50', NULL, '12/05/06', '4', 'Su W', '', '7:00PM', '90 mins', 'MSU Union Computer Lab', 'Basement', 'MSULab48823', '1 M.A.C. Ave', 'East Lansing', 'MI', '48823'),
('Basic Ceramics', 'Introduction to Wheel Throwing & More', 'CER1bchs49017', 'Introduction to ceramics. Emphasis on wheel-thrown pottery, glaze selection, clay selection and appropriation. ', 'Make new friends AND new plateware.', 'Study Stars has something for everyone. We''re serious about educ', 'CER1bchs49017.jpg', 'inst_CER1bchs49017.jpg', 'Bernie Jordan', NULL, NULL, NULL, '$15/sessio', NULL, NULL, 'Ongoing', 'F', NULL, '9.00 PM', '90 minutes', 'Battle Creek High School', 'Room 212', 'bchs', '100 Van Buren St W', 'Battle Creek', 'MI', '49017');
[/code]



[color=red]MY FORM[/color]

[code]
<form method=post action="course_search_results_index.php" name="ridick">


<table cellpadding="0" cellspacing="1">

<tr>
    <td id="state.td" class="row_style_white">
State:
</td>
<td><select name="state" 
onfocus="MM_changeProp('state.td','','style.backgroundColor','316AC5','td');
MM_changeProp('state.td','','style.color','ffffff','td')"
onblur="MM_changeProp('state.td','','style.backgroundColor','ffffff','td');
MM_changeProp('state.td','','style.color','003399','td')" >
         
<option value="AL"> Alabama
<option value="AK"> Alaska
<option value="AZ"> Arizona
<option value="AR"> Arkansas
<option value="CA"> California
<option value="CO"> Colorado
<option value="CT"> Connecticut
<option value="DE"> Deleware
<option value="FL"> Florida
<option value="GA"> Georgia
<option value="HI"> Hawaii
<option value="ID"> Idaho
<option value="IL"> Illinois
<option value="IN"> Indiana
<option value="IA"> Iowa
<option value="KS"> Kansas
<option value="KY"> Kentucky
<option value="LA"> Louisiana
<option value="ME"> Maryland
<option value="MA"> Massachusetts
<option value="MI"> Michigan
<option value="MN"> Minnesota
<option value="MS"> Mississippi
<option value="MO"> Missouri
<option value="MT"> Montana
<option value="NE"> Nebraska
<option value="NV"> Nevada
<option value="NH"> New Hampshire
<option value="NJ"> New Jersey
<option value="NM"> New Mexico
<option value="NY"> New York
<option value="NC"> North Carolina
<option value="ND"> North Dakota
<option value="OH"> Ohio
<option value="OK"> Oklahoma
<option value="OR"> Oregon
<option value="PA"> Pennsylvania
<option value="RI"> Rhode Island
<option value="SC"> South Carolina
<option value="SD"> South Dakota
<option value="TN"> Tennessee
<option value="TX"> Texas
<option value="UT"> Utah
<option value="VT"> Vermont
<option value="VA"> Virginia
<option value="WA"> Washington
<option value="WV"> West Virginia
<option value="WI"> Wisconsin
<option value="WY"> Wyoming
</select> </td>
</tr>


<input type="submit" name="Submit" value="Search Courses">

[/code]

[color=red]
MY FORM'S TARGET[/color]

[code]
<?

echo "POSTS:<pre>".print_r($_POST,TRUE)."</pre>";


$conn = db_connect();

$result =mysql_query ("SELECT
*
FROM
course_catalogue
WHERE
state='$state'
ORDER BY RAND() LIMIT 5")
or die (mysql_error());


$numofrows = mysql_num_rows($result);

echo $state;
echo $numofrows;

echo '<span class="full_size_window">';

echo '<table width="598 px" height= "300 px" align = "center" border="0" cellpadding="8"
cellspacing="0" style="position:absolute, left:1px">';


for($i = 0; $i < $numofrows; $i++) {
 
    $row = mysql_fetch_array($result); //get a row from our result set
 
if($i % 2) { //this means if there is a remainder


?>
<tr id="<?=$Course_Name ?>z" class="row_style_white"

onMouseOver="MM_changeProp('<?=$Course_Name ?>z','','style.backgroundColor','BED0F7','tr');
MM_changeProp('<?=$Course_Name ?>z','','style.color','000000','tr')"
onMouseOut="MM_changeProp('<?=$Course_Name ?>z','','style.backgroundColor','FFFFFF','tr');
MM_changeProp('<?=$Course_Name ?>z','','style.color','003399','tr')">

<?
   
} else {
?>
<tr id="<?=$Course_Name ?>z" class="row_style_grey"

onMouseOver="MM_changeProp('<?=$Course_Name ?>z','','style.backgroundColor','BED0F7','tr');
MM_changeProp('<?=$Course_Name ?>z','','style.color','ffffff','tr')"
onMouseOut="MM_changeProp('<?=$Course_Name ?>z','','style.backgroundColor','e7e7e7','tr');
MM_changeProp('<?=$Course_Name ?>z','','style.color','003399','tr')">
    <?
}
   
extract($row); 
   
?>

<td style="width:100px; text-align:center; color:#2939ce"><?=$Course_Name?></td>
<td style="width:180px; text-align:center; font-weight:bold; color:#2939ce"><?=$City?></td>
<td style="width:100px; text-align:center; color:#2939ce;"><?=$State?></td>

  <td style="width:110px; text-align:center;">
<form>
<input type=button
value="More Info"
onClick="self.location='job_summary_index.php?Course_Name=<?=$Course_Name?>&amp;title=<?=$title?>&amp;location=<?=$location?>'">
</form>
</td>

<td style="width:110px; text-align:center;">
<form>
<input type=button
value="Sign Up"
onClick="self.location='apply_index.php?Course_Name=<?=$Course_Name?>&amp;title=<?=$title?>&amp;location=<?=$location?>'">
</form>
</td></tr>
<?


}



echo "</TABLE></div></span>";


/////////////////////////////////////////////////////////////////////////

//////////////////////////////////////////////////////////////////////////////

?>

[/code]

[ridiculous]

I ripped apart all my code and made it work. I don't know what was wrong, but I'm grateful that I received a heads up on SQL injection anyway.

Thanks guys.