homepage Welcome to WebmasterWorld Guest from 54.166.84.82
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / Code, Content, and Presentation / Databases
Forum Library, Charter, Moderator: open

Databases Forum

    
can any1 see anything wrong with this MySQL search.php?
search.php
KG2RG

10+ Year Member



 
Msg#: 349 posted 12:50 pm on Mar 2, 2006 (gmt 0)

Hi,
I can not getthis search.php to work. I do not know much about MySQL or PHP. I have a MySQL database working and can search from a shell promp using putty.

I have this script from someone who was running the same MySQL database and content. I uploaded the search.php to my server, and I get a blank page in my browser. I also added a search.html with just the search form like this:

<form name="callsignsearch" action="search.php" method="POST">
Callsign Search: <input type="text" name="call" size=8 maxsize=8/>
Zipcode Search: <input type="text" name="zip" size=5 maxsize=5/>
<input type="submit" value="Go!">
</form>

Maybe someone reading the below search.php may see something wrong. Thanks!

<html>
<HEAD>
<TITLE>QRPis.org Quick Callsign Search</TITLE>
<script language="JavaScript" type="text/javascript">
function call_focus()
{
document.callsignsearch.call.value = "";
document.callsignsearch.call.focus();
}
</script>
</HEAD>
<body onload="call_focus()">

<p ALIGN=CENTER STYLE="margin-bottom: 0cm"><FONT FACE="Verdana, sans-serif"><FON
T SIZE=3><b>FCC Callsign Search</b><br>
<FONT SIZE=2>Powered by FreeBSD, MySQL, PHP
<br>
<form name="callsignsearch" action="callsign.php" method="POST">
Callsign Search: <input type="text" name="call" size=8 maxsize=8/>
Zipcode Search: <input type="text" name="zip" size=5 maxsize=5/>
<input type="submit" value="Go!">
</form>

<?php
$callsearch = strtoupper(trim($_POST["call"]));
$zip = trim($_POST["zip"]);

if ($callsearch!= '') {
$query = "select en.callsign, full_name, address1, city, state, zip, class,
former_call from en, am where en.fccid=am.fccid and en.callsign=\"$callsearch\""
;
} else {
if ($zip!= '' ) {
$query = "select en.callsign, full_name, address1, city, state, zip, class
, former_call from en, am where en.fccid=am.fccid and en.zip like \"$zip%\" orde
r by en.callsign limit 1000";
}
}

if ( $query!= '' ) {
$link = mysql_connect("localhost", "hamdb", "witmwtmp") or die ("Could not c
onnect to database. Sorry, dude. 72");
mysql_select_db("fcc_amateur") or die("Could not select database");
$result = mysql_query($query) or die("Query failed");
if ( mysql_num_rows($result) == 1) {
$row = mysql_fetch_row ($result);
print "<b>$row[0]</b><br>$row[1]<br>$row[2]<br>$row[3],$row[4] $row[5]<br>
<br>Class: $row[6]";
if ( $row[7]!= '' ) {
print"<br>Former Callsign: $row[7]";
}
} else {
if ( mysql_num_rows($result) > 1 ) {
$rowcount = mysql_num_rows($result);
print "Records found: $rowcount ";
if ( $rowcount == 1000) {
print "(maximum record limit)";
}
print "<table>";
for ($rowcounter = 1; $rowcounter <= $rowcount; $rowcounter++) {
$row = mysql_fetch_row ($result);
print "<tr>";
#print "<b>$row[0]</b>,$row[1],$row[2],$row[3],$row[4] $row[5], $row[6
]<br>";
print "<td><b><font size=2>$row[0]</b></td><td><font size=2>$row[1]</t
d><td><font size=2>$row[2]</td><td><font size=2>$row[3]</td><td><font size=2>$ro
w[4]</td><td><font size=2>$row[5]</td><td><font size=2>$row[6]</td>";
print "</tr>";
}
print "</table>";
} else {
print "<br>No records found...";
}
}

mysql_free_result($result);
mysql_close($link);
} else {
print "<br>Please enter some criteria...";
}

?>
</P></FONT></FONT>
</BODY>
</html>

 

FalseDawn

5+ Year Member



 
Msg#: 349 posted 7:06 pm on Mar 2, 2006 (gmt 0)

An unexpected blank page is pretty much always indicative of a parse error in the script.
Either turn on full error displaying in PHP, or check your error logs - that might help.

Also, as you admittedly know little about mysql and PHP, you should be aware that the code you posted leaves you wide open for SQL injection attacks.

KG2RG

10+ Year Member



 
Msg#: 349 posted 8:09 pm on Mar 3, 2006 (gmt 0)

Thanks,
I checked the error logs, and had 2 probs @ line 65.

I commented out line 65, now script runs, but I now have a new problem.

New problem:

I run a search and I am connecting to the database.
the databaseselect database

I am now getting a "Query failed"?

[b]
$link = mysql_connect("localhost", "hamdb", "witmwtmp") or die ("Could not c
onnect to database. Sorry, dude. 72");

mysql_select_db("fcc_amateur") or die("Could not select database");

$result = mysql_query($query) or die("Query failed");

Also, as you admittedly know little about mysql and PHP, you should be aware that the code you posted leaves you wide open for SQL injection attacks.

Are you talking about this line?

$link = mysql_connect("localhost", "hamdb", "witmwtmp") or die ("Could not c
onnect to database. Sorry, dude. 72");

FalseDawn

5+ Year Member



 
Msg#: 349 posted 1:53 am on Mar 8, 2006 (gmt 0)

No, in these sections:


if ($callsearch!= '') {
$query = "select en.callsign, full_name, address1, city, state, zip, class,
former_call from en, am where en.fccid=am.fccid and en.callsign=\"$callsearch\""
;
} else {
if ($zip!= '' ) {
$query = "select en.callsign, full_name, address1, city, state, zip, class
, former_call from en, am where en.fccid=am.fccid and en.zip like \"$zip%\" orde
r by en.callsign limit 1000";

You are passing unvalidated user input (POST values $callsearch and $zip) directly into a query.

google "SQL injection attacks" for more info.
Also, check out the PHP function mysql_real_escape_string

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / Databases
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved