nubble Posted March 15, 2007 Share Posted March 15, 2007 Hey folks - I'm trying to filter a set of records by a variable that gets passed (either "sex" or "price") - e.g. filter.php?sex=female - by using the $_GET function. What I have now is not working (at all) - I get a blank page, no error codes, nothing. Can't figure out what the heck is going wrong. Would love any help! -Amy <?php $query = "SELECT `snakeID`, `locality`, `sex`, `price`, `status`, `birthyear` FROM `general` WHERE `status` LIKE 'available' and `price`=".$_GET['price']." and `sex`=."$_GET['sex'].""; $result=mysql_query($query); $num=mysql_num_rows($result); $j = 0; echo "<tr>"; while($row = mysql_fetch_assoc($result)){ $j++; echo '<td width="25%"><table width="100%" cellpadding="0" cellspacing="10" class="crittergrid"><tr><td width="85" valign="top" ><a href="'; echo $row['snakeID']; echo '.php"><img src="/images/chondros/'; echo $row['snakeID']; echo '_tn.jpg" alt="Green Tree Python for Sale" width="85" height="85" border="0"></a><br><br><b>ID:</b> '; echo $row['snakeID']; echo '<br><b>Sex: </b>'; echo $row['sex']; echo '<br><b>Type: </b>'; echo $row['locality']; echo '<br><b>Price</b>: $'; echo $row['price']; echo '<br><b>Sex:</b> '; echo $row['sex']. '<br />'; echo '<br><br><a href="'; echo $row['snakeID']; echo '"><img src="/images/learn_more.jpg" width="85" height="20" border="0"></a></td></tr></table></td>'; if ($j == 4) { $j = 0; echo "</tr><tr>"; } } ?> Quote Link to comment Share on other sites More sharing options...
Orio Posted March 15, 2007 Share Posted March 15, 2007 Try this: <?php $query = "SELECT `snakeID`, `locality`, `sex`, `price`, `status`, `birthyear` FROM `general` WHERE `status` LIKE 'available'"; if(isset($_GET['price'])) $query .= " AND price='".$_GET['price']."'"; if(isset($_GET['sex'])) $query .= " AND sex='".$_GET['sex']."'"; $result=mysql_query($query); $num=mysql_num_rows($result); $j = 0; echo "<tr>"; while($row = mysql_fetch_assoc($result)){ $j++; echo '<td width="25%"><table width="100%" cellpadding="0" cellspacing="10" class="crittergrid"><tr><td width="85" valign="top" ><a href="'; echo $row['snakeID']; echo '.php"><img src="/images/chondros/'; echo $row['snakeID']; echo '_tn.jpg" alt="Green Tree Python for Sale" width="85" height="85" border="0"></a><br><br><b>ID:</b> '; echo $row['snakeID']; echo '<br><b>Sex: </b>'; echo $row['sex']; echo '<br><b>Type: </b>'; echo $row['locality']; echo '<br><b>Price</b>: $'; echo $row['price']; echo '<br><b>Sex:</b> '; echo $row['sex']. '<br />'; echo '<br><br><a href="'; echo $row['snakeID']; echo '"><img src="/images/learn_more.jpg" width="85" height="20" border="0"></a></td></tr></table></td>'; if ($j == 4) { $j = 0; echo "</tr><tr>"; } } ?> Orio. Quote Link to comment Share on other sites More sharing options...
per1os Posted March 15, 2007 Share Posted March 15, 2007 First rule of $_GET and $_POST you do NOT put them straight into a query, SECOND rule of $_GET and $_POST YOU DO NOT PUT THEM STRAIGHT INTO A QUERY! First you should mysql_real_escape_string($_GET['varname']); TO PREVENT some kiddie from deleting data via sql injection. As for the actual problem I do not really see anything wrong, but yea obey the first 2 rules! Quote Link to comment Share on other sites More sharing options...
monk.e.boy Posted March 15, 2007 Share Posted March 15, 2007 http://www.webmaster-talk.com/php-forum/58129-sql-injection-problem-php-mysql-websites.html monk.e.boy Quote Link to comment Share on other sites More sharing options...
nubble Posted March 15, 2007 Author Share Posted March 15, 2007 Thanks for all the help everyone. Here's the code I ended up with. Seems to be working (yay!!!!)... but of course there is some new friggin issue This works: http://sprucenubblefarm.com/chondros/filter.php This works: http://sprucenubblefarm.com/chondros/filter.php?price=750 This works: http://sprucenubblefarm.com/chondros/filter.php?price=750&sex=Male This Doesn't: http://sprucenubblefarm.com/chondros/filter.php?sex=Female What the heck? <?php $query = "SELECT `snakeID`, `locality`, `sex`, `price`, `status`, `birthyear` FROM `general` WHERE `status` LIKE 'available'"; if(isset($_GET['price'])) $query .= " AND price='".$_GET['price']."'"; mysql_real_escape_string($_GET['price']); if(isset($_GET['sex'])) $query .= " AND sex='".$_GET['sex']."'"; mysql_real_escape_string($_GET['sex']); $result=mysql_query($query); $num=mysql_num_rows($result); $j = 0; echo "<tr>"; while($row = mysql_fetch_assoc($result)){ $j++; echo '<td width="25%"><table width="100%" cellpadding="0" cellspacing="10" class="crittergrid"><tr><td width="85" valign="top" ><a href="'; echo $row['snakeID']; echo '.php"><img src="/images/chondros/'; echo $row['snakeID']; echo '_tn.jpg" alt="Green Tree Python for Sale" width="85" height="85" border="0"></a><br><br><b>ID:</b> '; echo $row['snakeID']; echo '<br><b>Sex: </b>'; echo $row['sex']; echo '<br><b>Type: </b>'; echo $row['locality']; echo '<br><b>Price</b>: $'; echo $row['price']; echo '<br><b>Sex:</b> '; echo $row['sex']. '<br />'; echo '<br><br><a href="'; echo $row['snakeID']; echo '"><img src="/images/learn_more.jpg" width="85" height="20" border="0"></a></td></tr></table></td>'; if ($j == 4) { $j = 0; echo "</tr><tr>"; } } ?> Quote Link to comment Share on other sites More sharing options...
per1os Posted March 15, 2007 Share Posted March 15, 2007 an fyi this: if(isset($_GET['sex'])) $query .= " AND sex='".$_GET['sex']."'"; mysql_real_escape_string($_GET['sex']); SHOULD BE // note with ifs that have multiple lines need to have curly braces. if(isset($_GET['sex'])) { $query .= " AND sex='".$_GET['sex']."'"; // note the variable must be reset. $_GET['sex'] = mysql_real_escape_string($_GET['sex']); } Quote Link to comment Share on other sites More sharing options...
Orio Posted March 15, 2007 Share Posted March 15, 2007 Your script does work... But you have the wrong order... Do it this way: <?php $query = "SELECT `snakeID`, `locality`, `sex`, `price`, `status`, `birthyear` FROM `general` WHERE `status` LIKE 'available'"; if(isset($_GET['price'])) { $price = (get_magic_quotes_gpc()) ? mysql_real_escape_string(stripslashes($_GET['price'])) : mysql_real_escape_string($_GET['price']); $query .= " AND price='".$price."'"; if(isset($_GET['sex'])) { $sex = (get_magic_quotes_gpc()) ? mysql_real_escape_string(stripslashes($_GET['sex'])) : mysql_real_escape_string($_GET['sex']); $query .= " AND sex='".$sex."'"; } $result=mysql_query($query); $num=mysql_num_rows($result); $j = 0; echo "<tr>"; while($row = mysql_fetch_assoc($result)){ $j++; echo '<td width="25%"><table width="100%" cellpadding="0" cellspacing="10" class="crittergrid"><tr><td width="85" valign="top" ><a href="'; echo $row['snakeID']; echo '.php"><img src="/images/chondros/'; echo $row['snakeID']; echo '_tn.jpg" alt="Green Tree Python for Sale" width="85" height="85" border="0"></a><br><br><b>ID:</b> '; echo $row['snakeID']; echo '<br><b>Sex: </b>'; echo $row['sex']; echo '<br><b>Type: </b>'; echo $row['locality']; echo '<br><b>Price</b>: $'; echo $row['price']; echo '<br><b>Sex:</b> '; echo $row['sex']. '<br />'; echo '<br><br><a href="'; echo $row['snakeID']; echo '"><img src="/images/learn_more.jpg" width="85" height="20" border="0"></a></td></tr></table></td>'; if ($j == 4) { $j = 0; echo "</tr><tr>"; } } ?> Orio. Quote Link to comment Share on other sites More sharing options...
per1os Posted March 15, 2007 Share Posted March 15, 2007 Uh oh Orio got fancy with the get_magic_quotes =) That is truly the right way to go, but I would create a function if you are going to use it extenisvly, IE: function fixInput($string) that returns the string escaped etc. =) Nj for showing that orio. Quote Link to comment Share on other sites More sharing options...
nubble Posted March 15, 2007 Author Share Posted March 15, 2007 TKS for the FYI & all the help - updated the script as suggested and it does work. I can't get ?sex=Female to work tho... Thought I'd try something out - http://sprucenubblefarm.com/chondros/filter.php?sex=Unknown and that seems to work fine... ugh. Anyone know if there is a known issue with "male" being part of the word "female" or something?? Also, I want you all to know how much you friggin rule - I'm wicked impressed One day this young Padawan hopes to learn the many Jedi PHP tricks she has seen on this board. <?php $query = "SELECT `snakeID`, `locality`, `sex`, `price`, `status`, `birthyear` FROM `general` WHERE `status` LIKE 'available'"; if(isset($_GET['price'])) { $price = (get_magic_quotes_gpc()) ? mysql_real_escape_string(stripslashes($_GET['price'])) : mysql_real_escape_string($_GET['price']); $query .= " AND price='".$price."'"; } if(isset($_GET['sex'])) { $sex = (get_magic_quotes_gpc()) ? mysql_real_escape_string(stripslashes($_GET['sex'])) : mysql_real_escape_string($_GET['sex']); $query .= " AND sex='".$sex."'"; } $result=mysql_query($query); $num=mysql_num_rows($result); $j = 0; echo "<tr>"; while($row = mysql_fetch_assoc($result)){ $j++; echo '<td width="25%"><table width="100%" cellpadding="0" cellspacing="10" class="crittergrid"><tr><td width="85" valign="top" ><a href="'; echo $row['snakeID']; echo '.php"><img src="/images/chondros/'; echo $row['snakeID']; echo '_tn.jpg" alt="Green Tree Python for Sale" width="85" height="85" border="0"></a><br><br><b>ID:</b> '; echo $row['snakeID']; echo '<br><b>Sex: </b>'; echo $row['sex']; echo '<br><b>Type: </b>'; echo $row['locality']; echo '<br><b>Price</b>: $'; echo $row['price']; echo '<br><b>Sex:</b> '; echo $row['sex']. '<br />'; echo '<br><br><a href="'; echo $row['snakeID']; echo '"><img src="/images/learn_more.jpg" width="85" height="20" border="0"></a></td></tr></table></td>'; if ($j == 4) { $j = 0; echo "</tr><tr>"; } } ?> Quote Link to comment Share on other sites More sharing options...
per1os Posted March 15, 2007 Share Posted March 15, 2007 I would conver the data in SQL to lower cause using LOWER(colname) and than strtolower your $_GET['varname'] data to avoid any discrepencies. Quote Link to comment Share on other sites More sharing options...
nubble Posted March 15, 2007 Author Share Posted March 15, 2007 Cool - thanks frost for the 411. So now I can sort by female (yay!!) - but the actual data from the "sex" field won't print. I feel like I'm in the deep end of the pool here... ??? http://sprucenubblefarm.com/chondros/filter.php?sex=female <?php $query = "SELECT `snakeID`, `locality`, LOWER(`sex`), `price`, `status`, `birthyear` FROM `general` WHERE `status` LIKE 'available'"; if(isset($_GET['price'])) { $price = (get_magic_quotes_gpc()) ? mysql_real_escape_string(stripslashes($_GET['price'])) : mysql_real_escape_string($_GET['price']); $query .= " AND price='".$price."'"; } if(isset($_GET['sex'])) { $sex = (get_magic_quotes_gpc()) ? mysql_real_escape_string(stripslashes($_GET['sex'])) : mysql_real_escape_string($_GET['sex']); $sex = strtolower($sex); $query .= " AND sex='".$sex."'"; } $result=mysql_query($query); $num=mysql_num_rows($result); $j = 0; echo "<tr>"; while($row = mysql_fetch_assoc($result)){ $j++; echo '<td width="25%"><table width="100%" cellpadding="0" cellspacing="10" class="crittergrid"><tr><td width="85" valign="top" ><a href="'; echo $row['snakeID']; echo '.php"><img src="/images/chondros/'; echo $row['snakeID']; echo '_tn.jpg" alt="Green Tree Python for Sale" width="85" height="85" border="0"></a><br><br><b>ID:</b> '; echo $row['snakeID']; echo '<br><b>Sex: </b>'; echo $row['sex']; echo '<br><b>Type: </b>'; echo $row['locality']; echo '<br><b>Price</b>: $'; echo $row['price']; echo '<br><br><a href="'; echo $row['snakeID']; echo '"><img src="/images/learn_more.jpg" width="85" height="20" border="0"></a></td></tr></table></td>'; if ($j == 4) { $j = 0; echo "</tr><tr>"; } } ?> Quote Link to comment Share on other sites More sharing options...
per1os Posted March 15, 2007 Share Posted March 15, 2007 You want to lower in the WHERE clause not the SELECT clause of the SQL statement. Change that and see what happens. Quote Link to comment Share on other sites More sharing options...
nubble Posted March 15, 2007 Author Share Posted March 15, 2007 Friggin SAWEEET - Thank you so much. I learned a ton doing this (friggin) page -Amy Quote Link to comment Share on other sites More sharing options...
per1os Posted March 15, 2007 Share Posted March 15, 2007 Glad to be of service. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.