search function

         

thcc2

2:53 am on Jan 11, 2006 (gmt 0)

10+ Year Member



I hope someone can help me with my search function.
Below is my code:

if($submit)
{
    echo "aa";

    $query = "select display_name, mobile_numb, level, class from address_book " .
        "where display_name like '{$display_name}%'";
    $query .= " order by display_name";

    $pg_result = pg_query($dbconn, $query);
    echo($pg_query);

    print ("<table width=\"525\" cellspacing=\"1\" cellpadding=\"3\" border=\"0\" bgcolor=\"#123456\">");
    print ("<tr>");
    print ("<td bgcolor=\"#dfdfdf\"><b>Name</b></td>");
    print ("<td bgcolor=\"#dfdfdf\"><b>Phone</b></td>");
    print ("<td bgcolor=\"#dfdfdf\"><b>E-Mail</b></td>");
    print ("</tr>");

    while($row = pg_fetch_row($pg_result))
    {
        //echo "ha";

        if(($row[4] == 1) or ($row[4] == ""))
        {
            $primaryPhone = $row[10];
            $primaryEmail = $row[13];
        }

        if($row[4] == 2)
        {
            $primaryPhone = $row[20];
            $primaryEmail = $row[23];
        }

        print("<tr>\n");
        printf("<td bgcolor=\"#ffffff\">&nbsp;<a href=\"./search3.php?contactID=%s\">%s, %s</a></td>\n", $rowcolor, $row[0], $row[1], $row[2]);
        printf("<td bgcolor=\"#ffffff\">&nbsp;<a href=\"./search3.php?contactID=%s\">%s</a></td>\n", $rowcolor, $row[0], $primaryPhone);
        printf("<td bgcolor=\"#ffffff\">&nbsp;<a href=\"./search3.php?contactID=%s\">%s</a></td>\n", $rowcolor, $row[0], $primaryEmail);
        print("</tr>\n");
    }

    print ("<tr>");
    print ("<th bgcolor=\"#dfdfdf\">&nbsp;</th>");
    print ("<th bgcolor=\"#dfdfdf\">&nbsp;</th>");
    print ("<th bgcolor=\"#dfdfdf\">&nbsp;</th>");
    print ("</tr>");
    print ("<tr>\n");
    print ("<td colspan=\"3\" align=\"right\" bgcolor=\"#DFFFDF\">\n");
    print ("<a href=\"./search3.php?tab=?\">Search Again</a>.");
    print ("</td>\n");
    print ("</tr>\n");
    print ("</table>");
}
else
{
    echo "here";

    print ("<form action=\"./search3.php\" method=\"get\">\n");
    print ("<table width=\"525\" cellspacing=\"1\" cellpadding=\"3\" border=\"0\" bgcolor=\"#123456\">\n");
    print ("<tr>\n");
    print ("<td colspan=\"2\" bgcolor=\"#DFFFDF\"><b>Search your address book...</b></td>\n");
    print ("</tr>\n");
    print ("<tr>\n");
    print ("<td colspan=\"2\" bgcolor=\"#ffffff\">\n");
    print ("<table width=\"100%\" cellspacing=\"0\" cellpadding=\"0\" border=\"0\">\n");
    print ("<tr>\n");
    print ("<td>&nbsp;First Name</td>\n");
    print ("<td>Last Name</td>\n");
    print ("</tr>\n");
    print ("<tr>\n");
    print ("<td>&nbsp;<input type=\"text\" name=\"display_name\" size=\"20\" maxsize=\"20\"></td>\n");
    print ("<td><input type=\"text\" name=\"lastName\" size=\"30\" maxsize=\"30\"></td>\n");
    print ("</tr>\n");
    print ("</table>\n");
    print ("</td>");
    print ("</tr>");
    print ("<tr>\n");
    print ("<td colspan=\"2\" align=\"right\" bgcolor=\"#DFFFDF\">\n");
    print ("<input type=\"hidden\" name=\"tab\" value=\"?\">");
    print ("<input type=\"submit\" name=\"submit\" value=\"Search\">&nbsp;");
    print ("</td>\n");
    print ("</tr>\n");
    print ("</table>\n");
    print ("</form>\n");
}

?>

It will go into the else block although the search button has been clicked.

Thanks in advance.

MattyMoose

5:48 am on Jan 11, 2006 (gmt 0)

10+ Year Member



Just a guess, but most likely you're assuming register_globals is on...

This line:
if($submit)

should read

if($_POST['submit']) {

or even better:

if( isset($_POST['submit']) && !empty($_POST['display_name']) ) {
    $display_name = $_POST['display_name'];
    // ... do stuff ...
}

Don't forget to filter the display_name variable against any SQL injection or XSS (possibly with htmlentities).

Hope that was it!
Matt

thcc2

8:36 am on Jan 11, 2006 (gmt 0)

10+ Year Member



Hi, thanks for your reply.
I have tried both of the code snippets that you gave, but it still doesn't work.

if( isset($_POST['submit']) && !empty($_POST['display_name']) )
{
    $display_name = $_POST['display_name'];
    echo "aa";

    $query = "select display_name, mobile_numb, level, class from address_book " .
        "where display_name like '{$display_name}%'";
    $query .= " order by display_name";

    $pg_result = pg_query($dbconn, $query);
    echo($pg_query);

    print ("<table width=\"525\" cellspacing=\"1\" cellpadding=\"3\" border=\"0\" bgcolor=\"#123456\">");
    print ("<tr>");

thcc2

8:40 am on Jan 11, 2006 (gmt 0)

10+ Year Member



Sorry, I'm new to PHP. What do you mean by "filter the display_name variable against any SQL injection or XSS (possibly with htmlentities)"?

MattyMoose

8:01 pm on Jan 11, 2006 (gmt 0)

10+ Year Member



I just realized that you haven't specified how your page is getting that "Submit" button. Is it being POSTed to from a FORM?

Anyway, do some debugging with this at the beginning of your page:

<?php
echo '<html><body><pre>';
print_r($_POST);
print_r($_GET);
echo '</pre></body></html>';
die();
?>

See if your "submit" is in the $_POST array, and check out any other data that's being passed. From there on you can determine if you're testing for the right variable.

Instead of my previous post as well, try simply:

if( $_POST['submit'] ) {
    // do stuff
}

Rather than the isset and !empty.

As for the SQL injection and XSS, have a look at:
[ca3.php.net...]
[talks.php.net...] (That one gets interesting at page 6)
Also:
[talks.php.net...]
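
As an added example (not code posted by anyone in this thread), one way to do the filtering asked about above: the search term is sent to PostgreSQL as a bound parameter with pg_query_params, and database values are encoded with htmlspecialchars when printed. The function names build_search, render_row and run_search and the sample values are made up for illustration; PHP 7.1+ with the pgsql extension is assumed, and the request array would be $_GET for the form in the first post, which uses method="get".

```php
<?php
// Added example. build_search(), render_row() and run_search() are
// hypothetical names; table and column names come from the first post.

// Return [sql, params] for a prefix search, or null to show the form.
function build_search(array $input): ?array
{
    $term = $input['display_name'] ?? '';
    if (!isset($input['submit']) || !is_string($term) || trim($term) === '') {
        return null;
    }
    // Escape LIKE metacharacters so a typed "%" or "_" matches literally.
    $pattern = strtr(trim($term), ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']) . '%';
    $sql = 'select display_name, mobile_numb, level, class from address_book '
         . 'where display_name like $1 order by display_name';
    return [$sql, [$pattern]];   // user input never becomes part of $sql
}

// Encode each database value for the HTML context it is printed into.
function render_row(array $row): string
{
    $name  = htmlspecialchars((string)$row['display_name'], ENT_QUOTES, 'UTF-8');
    $phone = htmlspecialchars((string)$row['mobile_numb'], ENT_QUOTES, 'UTF-8');
    return "<tr><td>$name</td><td>$phone</td></tr>\n";
}

// With a live connection, the query text and the values travel separately.
function run_search($dbconn, array $input): array
{
    $q = build_search($input);
    if ($q === null) {
        return [];
    }
    $res = pg_query_params($dbconn, $q[0], $q[1]);
    return $res ? (pg_fetch_all($res) ?: []) : [];
}

// Constructed request: a legitimate name that breaks the quoted-string query.
[$sql, $params] = build_search(['submit' => 'Search', 'display_name' => "O'Brien_50%"]);
echo $sql, "\n", $params[0], "\n";

// Constructed row, as if a stored name contained markup.
echo render_row(['display_name' => '<script>alert(1)</script>', 'mobile_numb' => '555-0100']);
```

The apostrophe in the sample name would end the string literal in the thread's concatenated query; as a parameter it is only data, and the markup in the sample row is printed as text rather than interpreted by the browser.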