Can anyone see anything wrong with this MySQL search.php?

search.php

   
12:50 pm on Mar 2, 2006 (gmt 0)

10+ Year Member



Hi,
I cannot get this search.php to work. I do not know much about MySQL or PHP. I have a MySQL database working and can search from a shell prompt using PuTTY.

I have this script from someone who was running the same MySQL database and content. I uploaded the search.php to my server, and I get a blank page in my browser. I also added a search.html with just the search form like this:

<form name="callsignsearch" action="search.php" method="POST">
Callsign Search: <input type="text" name="call" size=8 maxsize=8/>
Zipcode Search: <input type="text" name="zip" size=5 maxsize=5/>
<input type="submit" value="Go!">
</form>

Maybe someone reading the below search.php may see something wrong. Thanks!

<html>
<HEAD>
<TITLE>QRPis.org Quick Callsign Search</TITLE>
<script language="JavaScript" type="text/javascript">
function call_focus()
{
document.callsignsearch.call.value = "";
document.callsignsearch.call.focus();
}
</script>
</HEAD>
<body onload="call_focus()">

<p ALIGN=CENTER STYLE="margin-bottom: 0cm"><FONT FACE="Verdana, sans-serif"><FON
T SIZE=3><b>FCC Callsign Search</b><br>
<FONT SIZE=2>Powered by FreeBSD, MySQL, PHP
<br>
<form name="callsignsearch" action="callsign.php" method="POST">
Callsign Search: <input type="text" name="call" size=8 maxsize=8/>
Zipcode Search: <input type="text" name="zip" size=5 maxsize=5/>
<input type="submit" value="Go!">
</form>

<?php
$callsearch = strtoupper(trim($_POST["call"]));
$zip = trim($_POST["zip"]);

if ($callsearch!= '') {
$query = "select en.callsign, full_name, address1, city, state, zip, class,
former_call from en, am where en.fccid=am.fccid and en.callsign=\"$callsearch\""
;
} else {
if ($zip!= '' ) {
$query = "select en.callsign, full_name, address1, city, state, zip, class
, former_call from en, am where en.fccid=am.fccid and en.zip like \"$zip%\" orde
r by en.callsign limit 1000";
}
}

if ( $query!= '' ) {
$link = mysql_connect("localhost", "hamdb", "witmwtmp") or die ("Could not c
onnect to database. Sorry, dude. 72");
mysql_select_db("fcc_amateur") or die("Could not select database");
$result = mysql_query($query) or die("Query failed");
if ( mysql_num_rows($result) == 1) {
$row = mysql_fetch_row ($result);
print "<b>$row[0]</b><br>$row[1]<br>$row[2]<br>$row[3],$row[4] $row[5]<br>
<br>Class: $row[6]";
if ( $row[7]!= '' ) {
print"<br>Former Callsign: $row[7]";
}
} else {
if ( mysql_num_rows($result) > 1 ) {
$rowcount = mysql_num_rows($result);
print "Records found: $rowcount ";
if ( $rowcount == 1000) {
print "(maximum record limit)";
}
print "<table>";
for ($rowcounter = 1; $rowcounter <= $rowcount; $rowcounter++) {
$row = mysql_fetch_row ($result);
print "<tr>";
#print "<b>$row[0]</b>,$row[1],$row[2],$row[3],$row[4] $row[5], $row[6
]<br>";
print "<td><b><font size=2>$row[0]</b></td><td><font size=2>$row[1]</t
d><td><font size=2>$row[2]</td><td><font size=2>$row[3]</td><td><font size=2>$ro
w[4]</td><td><font size=2>$row[5]</td><td><font size=2>$row[6]</td>";
print "</tr>";
}
print "</table>";
} else {
print "<br>No records found...";
}
}

mysql_free_result($result);
mysql_close($link);
} else {
print "<br>Please enter some criteria...";
}

?>
</P></FONT></FONT>
</BODY>
</html>

7:06 pm on Mar 2, 2006 (gmt 0)

10+ Year Member



An unexpected blank page is pretty much always indicative of a parse error in the script.
Either turn on full error displaying in PHP, or check your error logs - that might help.

Also, as you admittedly know little about mysql and PHP, you should be aware that the code you posted leaves you wide open for SQL injection attacks.

8:09 pm on Mar 3, 2006 (gmt 0)

10+ Year Member



Thanks,
I checked the error logs, and had 2 probs @ line 65.

I commented out line 65, now script runs, but I now have a new problem.

New problem:

I run a search and I am connecting to the database and selecting the database.

I am now getting a "Query failed"?

$link = mysql_connect("localhost", "hamdb", "witmwtmp") or die ("Could not c
onnect to database. Sorry, dude. 72");

mysql_select_db("fcc_amateur") or die("Could not select database");

$result = mysql_query($query) or die("Query failed");

Also, as you admittedly know little about mysql and PHP, you should be aware that the code you posted leaves you wide open for SQL injection attacks.

Are you talking about this line?

$link = mysql_connect("localhost", "hamdb", "witmwtmp") or die ("Could not c
onnect to database. Sorry, dude. 72");

1:53 am on Mar 8, 2006 (gmt 0)

10+ Year Member



No, in these sections:


if ($callsearch!= '') {
$query = "select en.callsign, full_name, address1, city, state, zip, class,
former_call from en, am where en.fccid=am.fccid and en.callsign=\"$callsearch\""
;
} else {
if ($zip!= '' ) {
$query = "select en.callsign, full_name, address1, city, state, zip, class
, former_call from en, am where en.fccid=am.fccid and en.zip like \"$zip%\" orde
r by en.callsign limit 1000";

You are passing unvalidated user input (POST values $callsearch and $zip) directly into a query.

Google "SQL injection attacks" for more info.
Also, check out the PHP function mysql_real_escape_string
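
A hardened form of the two queries quoted above, as an added example that is not part of the thread: the input is checked against an expected shape and then bound through PDO prepared statements, a different technique from the mysql_real_escape_string escaping the reply mentions. The in-memory SQLite database, the sample rows, the regex patterns and the search() helper are assumptions made so the example runs offline.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// posted query; the SQLite in-memory database and its rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE en (fccid INTEGER, callsign TEXT, full_name TEXT,
           address1 TEXT, city TEXT, state TEXT, zip TEXT)');
$db->exec('CREATE TABLE am (fccid INTEGER, class TEXT, former_call TEXT)');
$db->exec("INSERT INTO en VALUES
           (1,'K1ABC','Constructed One','1 Main St','Boston','MA','02101'),
           (2,'W2XYZ','Constructed Two','2 Oak Ave','Albany','NY','12207')");
$db->exec("INSERT INTO am VALUES (1,'E',''), (2,'G','N2OLD')");

const COLS = 'en.callsign, full_name, address1, city, state, zip, class, former_call';
const FROM = ' FROM en JOIN am ON en.fccid = am.fccid ';

// search() is a hypothetical helper: validate the shape first, then bind the value
// so it can never become part of the SQL text.
function search(PDO $db, string $call, string $zip): array
{
    $call = strtoupper(trim($call));
    $zip  = trim($zip);
    if ($call !== '') {
        // Assumed callsign shape: 3 to 8 letters or digits (the form allows 8 characters).
        if (!preg_match('/^[A-Z0-9]{3,8}$/', $call)) {
            return [];
        }
        $stmt = $db->prepare('SELECT ' . COLS . FROM . 'WHERE en.callsign = ?');
        $stmt->execute([$call]);
    } elseif ($zip !== '') {
        // Assumed zip shape: 1 to 5 digits, used as a prefix.
        if (!preg_match('/^[0-9]{1,5}$/', $zip)) {
            return [];
        }
        // The % wildcard is appended to the bound value, not to the SQL string.
        $stmt = $db->prepare('SELECT ' . COLS . FROM .
                             'WHERE en.zip LIKE ? ORDER BY en.callsign LIMIT 1000');
        $stmt->execute([$zip . '%']);
    } else {
        return [];
    }
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// Constructed inputs: a normal callsign, a zip prefix, and a value containing quotes.
foreach ([['k1abc', ''], ['', '122'], ['K1ABC" OR "1"="1', '']] as [$c, $z]) {
    printf("call=%-18s zip=%-4s rows=%d\n", $c, $z, count(search($db, $c, $z)));
}
```

The same prepare/execute pattern works against MySQL by changing only the PDO connection string; the mysql_* functions used in the posted script were removed in PHP 7.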