Bytes IT Community

Search Term Not Passing to Output Form

I have a search form from which I hope to be able to select a record by
field JobNumber and display it with an output form titled test.php

<html>
<head>
<title>Job Database Search</title>
</head>
<body style='font-family: Geneva, Arial, Helvetica, sans-serif;'>
Enter Job Number:
<form action="test.php" method="post">
<input type="text" name="searchterm">
<input type="submit" name="Send">
</form>
</body>
</html>

The query on the output form (test.php) is as follows and returns a blank
output:

$query="select * from jobs where JobNumber like '$searchterm'";

The problem I'm having is that the searchterm variable does not appear to
be passing to the output form. I know that I am connecting to the database
and that the query is fundamentally correct because I can access the record
I want by substituting a real Job Number for the variable.

Any ideas?
Jan 4 '06 #1
2 Replies


"Bob Sanderson" <sa*****@LUVSPAMsandmansoftware.com> wrote in message
news:Xn**********************************@207.69.1 89.191...
$query="select * from jobs where JobNumber like '$searchterm'";

The problem I'm having is that the searchterm variable does not appear to
be passing to the output form.


The first troubleshooting step any time you are creating SQL strings
programmatically is to output the finished SQL string. This allows you to
spot unbalanced quotes, unanticipated whitespace, etc.

BTW, the example you give above is a classic "SQL injection" security flaw.
What happens if a malicious user enters a string into your input form such
as:

nomatch'; delete from jobs;

Another troubleshooting method is to cut & paste the finished $query string
into the mysql client (or MySQL Query Browser) and see if that statement
produces the query results you intend.

Also, make sure your PHP code tests for error status returned from the query
execution, and displays any error messages to the HTML output.

Regards,
Bill K.
Jan 4 '06 #2

On Wed, 04 Jan 2006 17:33:52 +0000, Bob Sanderson wrote:
The query on the output form (test.php) is as follows and returns a blank
output:

$query="select * from jobs where JobNumber like '$searchterm'";


First off, re-read Bill's advice even if you've already read it - it's
very important.

Do you have "register_globals" turned on?

It's not set by default on PHP now (and it's not a good idea either), so
you should be using the new superglobals:

$query="select * from jobs where JobNumber like '$_POST[searchterm]'";

Actually that isn't absolutely correct (as searchterm could be define()d
to be something else), but it's what 99.9% of PHP programmers use and is
fine as long as you are aware of defines.

Cheers,
Andy
--
Andy Jeffries | gPHPEdit Lead Developer
http://www.gphpedit.org | PHP editor for Gnome 2
http://www.andyjeffries.co.uk | Personal site and photos

Jan 5 '06 #3
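Putting both replies together (read the term from $_POST rather than relying on register_globals, bind it as a parameter instead of interpolating it into the SQL, and surface query errors instead of a blank page), here is an added example of a hardened test.php. It is not code from the thread; it assumes PDO with the MySQL driver, and the DSN and credentials are placeholders. Only the table and column names (jobs, JobNumber) come from the original post.

```php
<?php
// Added example, not from the original thread. Assumes PDO with the MySQL
// driver; the DSN, user and password below are placeholders.
$dsn  = 'mysql:host=localhost;dbname=jobdb;charset=utf8mb4'; // placeholder
$user = 'DB_USER';      // placeholder
$pass = 'DB_PASSWORD';  // placeholder

// Read the field from the superglobal; refuse anything that is not a form POST.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['searchterm'])) {
    http_response_code(400);
    exit('No search term submitted.');
}
$searchterm = trim($_POST['searchterm']);

try {
    $pdo = new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // raise on SQL errors
        PDO::ATTR_EMULATE_PREPARES => false,                  // server-side prepares
    ]);

    // The value is bound separately from the SQL text, so input such as
    //   nomatch'; delete from jobs;
    // is compared literally against JobNumber and never parsed as SQL.
    $stmt = $pdo->prepare('SELECT * FROM jobs WHERE JobNumber LIKE :term');
    $stmt->execute([':term' => $searchterm]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
} catch (PDOException $e) {
    // Bill's point: report the failure instead of rendering a blank page.
    // In production, log the detail and show the user a generic message.
    http_response_code(500);
    exit('Query failed: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'));
}

if ($rows === []) {
    echo 'No job matched ' . htmlspecialchars($searchterm, ENT_QUOTES, 'UTF-8');
} else {
    // Escape every value on output so stored data cannot inject HTML either.
    foreach ($rows as $row) {
        foreach ($row as $col => $val) {
            echo htmlspecialchars($col, ENT_QUOTES, 'UTF-8') . ': '
               . htmlspecialchars((string) $val, ENT_QUOTES, 'UTF-8') . '<br>';
        }
        echo '<hr>';
    }
}
```

Note that LIKE still treats % and _ in the submitted term as wildcards even when bound as a parameter; use = if an exact JobNumber match is what the form is meant to do.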
