ridiculous Posted December 27, 2006 Share Posted December 27, 2006 Has anyone experienced a situation where their MySQL query returned the desired results in Mozilla but not in IE? Check this out:My query:[code]<?php$conn = db_connect();$result = mysql_query(" SELECT postid, date, title, city, state FROM jobs WHERE state='$state' ") or die (mysql_error());$numofrows = mysql_num_rows($result);echo $state;echo $numofrows;?>[/code]Now, this returns the result just fine in Mozilla. However, it gives my nothing in IE. Apparently, my variable "$state" isn't being picked up, because both test echos return nothing. Any suggestions? Quote Link to comment Share on other sites More sharing options...
ridiculous Posted December 27, 2006 Author Share Posted December 27, 2006 I can get the variable $state to echo in IE, but I can't get the MySQL query to pick it up. What gives? Quote Link to comment Share on other sites More sharing options...
alpine Posted December 27, 2006 Share Posted December 27, 2006 PHP (and mysql queries) is all server side and is in no way treated differently due to different browsers. You have a html issue somewhere causing your problem, and it's not showing here. Quote Link to comment Share on other sites More sharing options...
ridiculous Posted December 27, 2006 Author Share Posted December 27, 2006 From what I can tell, the variable isn't set for purposes of the MySQL query...but will echo within the same function. Any thoughts on this? Quote Link to comment Share on other sites More sharing options...
ridiculous Posted December 27, 2006 Author Share Posted December 27, 2006 I have a form, from which I get the variable $state. It looks like this (pretty simple)...[code]<span class="full_size_window"><form method=post action="course_search_results_index.php" enctype="multipart/form-data"><table cellpadding="0" cellspacing="1"> <tr> <td id="state.td" class="row_style_white"> State: </td> <td><select name="state" onfocus="MM_changeProp('state.td','','style.backgroundColor','316AC5','td'); MM_changeProp('state.td','','style.color','ffffff','td')" onblur="MM_changeProp('state.td','','style.backgroundColor','ffffff','td'); MM_changeProp('state.td','','style.color','003399','td')" > <option value=" AL "> Alabama<option value=" AK "> Alaska<option value=" AZ "> Arizona<option value=" AR "> Arkansas<option value=" CA "> California<option value=" CO "> Colorado<option value=" CT "> Connecticut<option value=" DE "> Deleware<option value=" FL "> Florida<option value=" GA "> Georgia<option value=" HI "> Hawaii<option value=" ID "> Idaho<option value=" IL "> Illinois<option value=" IN "> Indiana<option value=" IA "> Iowa<option value=" KS "> Kansas<option value=" KY "> Kentucky<option value=" LA "> Louisiana<option value=" ME "> Maryland<option value=" MA "> Massachusetts<option value=" MI "> Michigan<option value=" MN "> Minnesota<option value=" MS "> Mississippi<option value=" MO "> Missouri<option value=" MT "> Montana<option value=" NE "> Nebraska<option value=" NV "> Nevada<option value=" NH "> New Hampshire<option value=" NJ "> New Jersey<option value=" NM "> New Mexico<option value=" NY "> New York<option value=" NC "> North Carolina<option value=" ND "> North Dakota<option value=" OH "> Ohio<option value=" OK "> Oklahoma<option value=" OR "> Oregon<option value=" PA "> Pennsylvania<option value=" RI "> Rhode Island<option value=" SC "> South Carolina<option value=" SD "> South Dakota<option value=" TN "> Tennessee<option value=" TX "> Texas<option value=" UT "> Utah<option value=" VT "> Vermont<option value=" VA "> Virginia<option value=" WA "> Washington<option value=" WV "> West Virginia<option value=" WI "> Wisconsin<option value=" WY "> Wyoming</select> </td></tr><input type="submit" name="state" value="Search Courses"></span> [/code] Quote Link to comment Share on other sites More sharing options...
ridiculous Posted December 27, 2006 Author Share Posted December 27, 2006 As you can see, the form sends my variable to the script: course_search_results_index.php(BELOW)[code]<?include ('function_index.php');f_header();f_course_search ($state);?></code>That script activates the function f_course_search ($state), which works fine in Mozilla...but doesn't recognize the variable $state in the query when run in IE. <code>function f_course_search ($state){$conn = db_connect();echo $state;$result = mysql_query( 'SELECT postid, title, city, state FROM jobs WHERE (state = "MI")' ) or die (mysql_error());$numofrows = mysql_num_rows($result);echo $numofrows;echo '<span class="full_size_window">';echo '<table width="598 px" height= "300 px" align = "center" border="0" cellpadding="8" bgcolor="#2939D0" cellspacing="0" style="position:absolute, left:1px">';for($i = 0; $i < $numofrows; $i++) { $row = mysql_fetch_array($result); //get a row from our result set if($i % 2) { //this means if there is a remainder ?> <tr id="<?=$postid ?>z" class="row_style_white" onMouseOver="MM_changeProp('<?=$postid ?>z','','style.backgroundColor','BED0F7','tr'); MM_changeProp('<?=$postid ?>z','','style.color','ffffff','tr')" onMouseOut="MM_changeProp('<?=$postid ?>z','','style.backgroundColor','ffffff','tr'); MM_changeProp('<?=$postid ?>z','','style.color','003399','tr')"> <? } else { ?> <tr id="<?=$postid ?>z" class="row_style_grey" onMouseOver="MM_changeProp('<?=$postid ?>z','','style.backgroundColor','BED0F7','tr'); MM_changeProp('<?=$postid ?>z','','style.color','ffffff','tr')" onMouseOut="MM_changeProp('<?=$postid ?>z','','style.backgroundColor','e7e7e7','tr'); MM_changeProp('<?=$postid ?>z','','style.color','003399','tr')"> <? } extract($row); ?> <td style="width:100px; text-align:center; color:#2939ce"><?=$date?></td></tr>[/code] Quote Link to comment Share on other sites More sharing options...
alpine Posted December 27, 2006 Share Posted December 27, 2006 Please, use correct code tags around your code when posting [ ].Remove the enctype="multipart/form-data" from your form, see if it helps first*edit*AND do it like this instead, you are coding for register_globals=On (and it's a bad habbit)[code]<?phpinclude ('function_index.php');f_header();f_course_search ($_POST['state']);?>[/code]Still - it not injection safe, but that's another matter to fix when the first problem is solved.. Quote Link to comment Share on other sites More sharing options...
ridiculous Posted December 27, 2006 Author Share Posted December 27, 2006 Thanks for spending time to help. I'm not sure what you mean by "injection safe", but I do know that erasing the form type didn't solve the issue. I guess what I'm looking to understand is how I can echo a variable onto my screen when that same variable is unrecognized in my MySQL query. Quote Link to comment Share on other sites More sharing options...
ridiculous Posted December 27, 2006 Author Share Posted December 27, 2006 Unless by injection safe you mean that someone could fabricate variables by inserting them into the address bar. Quote Link to comment Share on other sites More sharing options...
bljepp69 Posted December 27, 2006 Share Posted December 27, 2006 In the form code submitted above...The 'select' and 'submit' form elements are both named 'state'. I'll bet the two browsers are treating this a bit differently and submitting different values. Change the name of your 'submit' element. Quote Link to comment Share on other sites More sharing options...
ridiculous Posted December 27, 2006 Author Share Posted December 27, 2006 Good call on that, I actually caught it just a few minutes before you posted. It doesn't seem to make a difference, because apparently the variable is still carried to the function...but it not in a form recognizable by the SQL commands. [code]<span class="full_size_window"><form method=post action="course_search_results_index.php" name="ridick"><table cellpadding="0" cellspacing="1"> <tr> <td id="state.td" class="row_style_white"> State: </td> <td><select name="state" onfocus="MM_changeProp('state.td','','style.backgroundColor','316AC5','td'); MM_changeProp('state.td','','style.color','ffffff','td')" onblur="MM_changeProp('state.td','','style.backgroundColor','ffffff','td'); MM_changeProp('state.td','','style.color','003399','td')" > <option value=" AL "> Alabama<option value=" AK "> Alaska<option value=" AZ "> Arizona<option value=" AR "> Arkansas<option value=" CA "> California<option value=" CO "> Colorado<option value=" CT "> Connecticut<option value=" DE "> Deleware<option value=" FL "> Florida<option value=" GA "> Georgia<option value=" HI "> Hawaii<option value=" ID "> Idaho<option value=" IL "> Illinois<option value=" IN "> Indiana<option value=" IA "> Iowa<option value=" KS "> Kansas<option value=" KY "> Kentucky<option value=" LA "> Louisiana<option value=" ME "> Maryland<option value=" MA "> Massachusetts<option value=" MI "> Michigan<option value=" MN "> Minnesota<option value=" MS "> Mississippi<option value=" MO "> Missouri<option value=" MT "> Montana<option value=" NE "> Nebraska<option value=" NV "> Nevada<option value=" NH "> New Hampshire<option value=" NJ "> New Jersey<option value=" NM "> New Mexico<option value=" NY "> New York<option value=" NC "> North Carolina<option value=" ND "> North Dakota<option value=" OH "> Ohio<option value=" OK "> Oklahoma<option value=" OR "> Oregon<option value=" PA "> Pennsylvania<option value=" RI "> Rhode Island<option value=" SC "> South Carolina<option value=" SD "> South Dakota<option value=" TN "> Tennessee<option value=" TX "> Texas<option value=" UT "> Utah<option value=" VT "> Vermont<option value=" VA "> Virginia<option value=" WA "> Washington<option value=" WV "> West Virginia<option value=" WI "> Wisconsin<option value=" WY "> Wyoming</select> </td></tr>[color=pink]<input type="submit" name="Submit" value="Search Courses">[/color]</span> [/code] Quote Link to comment Share on other sites More sharing options...
alpine Posted December 27, 2006 Share Posted December 27, 2006 good spot bljepp69http://en.wikipedia.org/wiki/SQL_injection[code]<?php$var = "something";echo $var;mysql_query("SELECT * FROM table WHERE colname = '$var'");?>[/code]really does echo and runs in the query as long as it existsOn your target script, put this on the top and see what u get after submitting the form:[code]<?phpecho "<pre>";print_r($_POST);echo "</pre>";?>[/code] Quote Link to comment Share on other sites More sharing options...
bljepp69 Posted December 27, 2006 Share Posted December 27, 2006 you can add this debug code to the top of your page to see what you are actually carrying in the $_POST variables:[code]<?php echo "POSTS:<pre>".print_r($_POST,TRUE)."</pre>";?>[/code]I'm also thinking that the extra spaces you have in the 'option' elements for the values might be causing some problems. Maybe the different browsers handle those differently and then what you are comparing to the db doesn't work. Quote Link to comment Share on other sites More sharing options...
ridiculous Posted December 27, 2006 Author Share Posted December 27, 2006 You guys are awesome. I'm doing this right now. Quote Link to comment Share on other sites More sharing options...
ridiculous Posted December 27, 2006 Author Share Posted December 27, 2006 Alpine:Array( [state] => MI [button] => Search Courses) Quote Link to comment Share on other sites More sharing options...
ridiculous Posted December 27, 2006 Author Share Posted December 27, 2006 bljepp69Taking the extra spaces out of the option elements was a very clever thought. Didn't work though. Quote Link to comment Share on other sites More sharing options...
ridiculous Posted December 27, 2006 Author Share Posted December 27, 2006 Here is all the code I am working with, if anyone is interested. [color=red]MySQL Table[/color][code]-- phpMyAdmin SQL Dump-- version 2.9.0.3-- http://www.phpmyadmin.net-- -- Host: localhost-- Generation Time: Dec 27, 2006 at 04:10 AM-- Server version: 5.0.27-- PHP Version: 5.2.0-- -- -- ---------------------------------------------------------- -- Table structure for table `course_catalogue`-- CREATE TABLE `course_catalogue` ( `Course_Subject` varchar(30) NOT NULL, `Course_Name` varchar(40) default NULL, `Course_Id` varchar(20) NOT NULL, `Description` text, `Promo_Text` text NOT NULL, `Did_You_Know` varchar(255) NOT NULL default 'Study Stars has something for everyone. We''re serious about education-and we hope you''ll come shine with us. ', `Course_Pic` varchar(40) default NULL, `Instructor_Pic` varchar(75) NOT NULL default 'instructor_default.jpg', `Instructor_1` varchar(50) default NULL, `Instructor_2` varchar(50) default NULL, `Enrollment_Limit` char(2) default NULL, `Currently_Enrolled` char(2) default NULL, `Course_Fees` varchar(10) default NULL, `Lab_Fees` varchar(15) default NULL, `Begin_Date` varchar(9) default NULL, `Course_Duration` varchar(15) NOT NULL, `Days_Meets` varchar(15) NOT NULL, `End_Date` varchar(9) default NULL, `Course_Begin_Time` varchar(10) default NULL, `Session_Duration` varchar(15) default NULL, `Site` varchar(40) default NULL, `Room` varchar(25) default NULL, `Site_Code` varchar(20) default NULL, `Address` varchar(35) default NULL, `City` varchar(25) default NULL, `State` varchar(15) default NULL, `Zip` varchar(6) default NULL, PRIMARY KEY (`Course_Id`)) ENGINE=MyISAM DEFAULT CHARSET=latin1;-- -- Dumping data for table `course_catalogue`-- INSERT INTO `course_catalogue` (`Course_Subject`, `Course_Name`, `Course_Id`, `Description`, `Promo_Text`, `Did_You_Know`, `Course_Pic`, `Instructor_Pic`, `Instructor_1`, `Instructor_2`, `Enrollment_Limit`, `Currently_Enrolled`, `Course_Fees`, `Lab_Fees`, `Begin_Date`, `Course_Duration`, `Days_Meets`, `End_Date`, `Course_Begin_Time`, `Session_Duration`, `Site`, `Room`, `Site_Code`, `Address`, `City`, `State`, `Zip`) VALUES ('LSAT Preparation', 'Logical Reasoning Problem Sets', 'LSAT1bailey48823', 'Introduction to logical reasoning problem types associated with corresponding LSAT section. Emphasis on matching problem types with solution protocol, time-appropriate flow chart creation, and error checking. ', 'Classroom LSAT instruction at $15/hr.', 'The structure of the LSAT and the types of questions that will be asked on it are somewhat predictable.<p>Knowing this helps you to practice specifically on question types that show up frequently in exams.</p>', 'LSAT1bailey48823.jpg', 'instructor_default.jpg', 'Vogner Silva, Ph.D.', '', '25', NULL, '$50', NULL, '11/22/06', '2', 'Th S', '', '8:00PM', '120 mins', 'Bailey Community Center', 'Room 130', 'Bailey48823', '300 Bailey St.', 'East Lansing', 'MI', '48823'),('Vale Tudo', 'Basic Ground Fighting', 'VT100bailey48823', 'Course explores [20] of the most popular Vale Tudo techniques: Armbars, Chokeholds, Elbow Traps, Leglocks, Wrist Traps and corresponding escape strategies.\r\n\r\nEmphasis on correct application of techniques as applied to individuals of varying body types. ', 'Roll with the pros.', 'The term vale tudo comes from the name of a television show that aired in Brazil starting in the 1960s. <p> It means "anything goes" in Portuguese, and generally describes competitions in unarmed combat having minimal rules.</p>', 'VT100bailey48823.jpg', 'inst_VT100bailey48823.jpg', 'Kim Son Hu, Black Belt, Gracie Jiu-Jitsu', '', '15', NULL, '$75', NULL, '11/25/06', '2', 'T F', '', '6:00PM', '90 mins', 'Bailey Community Center', 'GYM', 'Bailey48823', '300 Bailey St.', 'East Lansing', 'MI', '48823'),('PHP, MySQL, & Apache', 'Intro to Dynamic Web Development', 'PHP100msulab48823', 'Focus on object-oriented programming as it relates to the language. Special emphasis on interplay with mobile applications. ', 'Get up to speed on the latest in web development.', 'PHP competes with Visual Basic and C++ as the third most popular programming language behind Java and C, based on world wide availability of practitioners, courses and vendors.', 'PHP100msulab48823.png', 'instructor_default.jpg', 'Eric Madsen', '', '50', NULL, '$50', NULL, '12/05/06', '4', 'Su W', '', '7:00PM', '90 mins', 'MSU Union Computer Lab', 'Basement', 'MSULab48823', '1 M.A.C. Ave', 'East Lansing', 'MI', '48823'),('Basic Ceramics', 'Introduction to Wheel Throwing & More', 'CER1bchs49017', 'Introduction to ceramics. Emphasis on wheel-thrown pottery, glaze selection, clay selection and appropriation. ', 'Make new friends AND new plateware.', 'Study Stars has something for everyone. We''re serious about educ', 'CER1bchs49017.jpg', 'inst_CER1bchs49017.jpg', 'Bernie Jordan', NULL, NULL, NULL, '$15/sessio', NULL, NULL, 'Ongoing', 'F', NULL, '9.00 PM', '90 minutes', 'Battle Creek High School', 'Room 212', 'bchs', '100 Van Buren St W', 'Battle Creek', 'MI', '49017');[/code][color=red]MY FORM[/color][code]<form method=post action="course_search_results_index.php" name="ridick"><table cellpadding="0" cellspacing="1"> <tr> <td id="state.td" class="row_style_white"> State: </td> <td><select name="state" onfocus="MM_changeProp('state.td','','style.backgroundColor','316AC5','td'); MM_changeProp('state.td','','style.color','ffffff','td')" onblur="MM_changeProp('state.td','','style.backgroundColor','ffffff','td'); MM_changeProp('state.td','','style.color','003399','td')" > <option value="AL"> Alabama<option value="AK"> Alaska<option value="AZ"> Arizona<option value="AR"> Arkansas<option value="CA"> California<option value="CO"> Colorado<option value="CT"> Connecticut<option value="DE"> Deleware<option value="FL"> Florida<option value="GA"> Georgia<option value="HI"> Hawaii<option value="ID"> Idaho<option value="IL"> Illinois<option value="IN"> Indiana<option value="IA"> Iowa<option value="KS"> Kansas<option value="KY"> Kentucky<option value="LA"> Louisiana<option value="ME"> Maryland<option value="MA"> Massachusetts<option value="MI"> Michigan<option value="MN"> Minnesota<option value="MS"> Mississippi<option value="MO"> Missouri<option value="MT"> Montana<option value="NE"> Nebraska<option value="NV"> Nevada<option value="NH"> New Hampshire<option value="NJ"> New Jersey<option value="NM"> New Mexico<option value="NY"> New York<option value="NC"> North Carolina<option value="ND"> North Dakota<option value="OH"> Ohio<option value="OK"> Oklahoma<option value="OR"> Oregon<option value="PA"> Pennsylvania<option value="RI"> Rhode Island<option value="SC"> South Carolina<option value="SD"> South Dakota<option value="TN"> Tennessee<option value="TX"> Texas<option value="UT"> Utah<option value="VT"> Vermont<option value="VA"> Virginia<option value="WA"> Washington<option value="WV"> West Virginia<option value="WI"> Wisconsin<option value="WY"> Wyoming</select> </td></tr><input type="submit" name="Submit" value="Search Courses">[/code][color=red]MY FORM'S TARGET[/color][code]<?echo "POSTS:<pre>".print_r($_POST,TRUE)."</pre>";$conn = db_connect();$result =mysql_query ("SELECT * FROM course_catalogue WHERE state='$state' ORDER BY RAND() LIMIT 5") or die (mysql_error()); $numofrows = mysql_num_rows($result);echo $state;echo $numofrows;echo '<span class="full_size_window">';echo '<table width="598 px" height= "300 px" align = "center" border="0" cellpadding="8" cellspacing="0" style="position:absolute, left:1px">';for($i = 0; $i < $numofrows; $i++) { $row = mysql_fetch_array($result); //get a row from our result set if($i % 2) { //this means if there is a remainder ?> <tr id="<?=$Course_Name ?>z" class="row_style_white" onMouseOver="MM_changeProp('<?=$Course_Name ?>z','','style.backgroundColor','BED0F7','tr'); MM_changeProp('<?=$Course_Name ?>z','','style.color','000000','tr')" onMouseOut="MM_changeProp('<?=$Course_Name ?>z','','style.backgroundColor','FFFFFF','tr'); MM_changeProp('<?=$Course_Name ?>z','','style.color','003399','tr')"> <? } else { ?> <tr id="<?=$Course_Name ?>z" class="row_style_grey" onMouseOver="MM_changeProp('<?=$Course_Name ?>z','','style.backgroundColor','BED0F7','tr'); MM_changeProp('<?=$Course_Name ?>z','','style.color','ffffff','tr')" onMouseOut="MM_changeProp('<?=$Course_Name ?>z','','style.backgroundColor','e7e7e7','tr'); MM_changeProp('<?=$Course_Name ?>z','','style.color','003399','tr')"> <? } extract($row); ?> <td style="width:100px; text-align:center; color:#2939ce"><?=$Course_Name?></td> <td style="width:180px; text-align:center; font-weight:bold; color:#2939ce"><?=$City?></td> <td style="width:100px; text-align:center; color:#2939ce;"><?=$State?></td> <td style="width:110px; text-align:center;"> <form> <input type=button value="More Info"onClick="self.location='job_summary_index.php?Course_Name=<?=$Course_Name?>&title=<?=$title?>&location=<?=$location?>'"></form> </td> <td style="width:110px; text-align:center;"> <form> <input type=button value="Sign Up"onClick="self.location='apply_index.php?Course_Name=<?=$Course_Name?>&title=<?=$title?>&location=<?=$location?>'"></form> </td></tr><? }echo "</TABLE></div></span>";///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////?>[/code] Quote Link to comment Share on other sites More sharing options...
ridiculous Posted December 27, 2006 Author Share Posted December 27, 2006 I ripped apart all my code and made it work. I don't know what was wrong, but I'm grateful that I received a heads up on SQL injection anyway. Thanks guys. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.