php form info...

Hi,

have a form, with a text input "fieldname" .
method POST

$var = $_POST["fieldname"]

$var is then used to search in mysql

select * from table where jobtype like '$var%'
OR jobtype like '%$var%'
OR jobtype like '%$var'
OR jobtype like '$var' order by date asc;

basically i'm doing a search for any string that matches the searched
input, being at the beginning, middle or end of the jobtype column.

query works great, except when the string contains the 4-letter word
'info' such as information or informative
then the mysql query breaks down and give the usual:

Error performing query: You have an error in your SQL syntax. Check the
manual that corresponds to your MySQL server version for the right
syntax to use near 'ORDER BY date ASC' at line 1

Now after much debugging, i found out that the php _POST variable
treats anything with info as a number of 0 value.
inf is treated as text, nformation is treated as text, but anything
with info gets a 0 value.

Searched php.net and couldn't find anything related to this feature,
looked under security to see if it was related to that, but nothing.

Can anyone look into it and elaborate?
create a form, then echo the value of the $_POST variable
and try words that contain info in them.

thanks.

SBJ

Oct 19 '05 #1
Hi,

The following prints

* info *

on the screen for me. If you want to send the code, I'll have a look at
it.

Ian

<html>
<head>
<title></title>
</head>
<body>
<?php

if(isset($_POST['fieldname'])) echo "* {$_POST['fieldname']} *";

?>
<form method="post">
<input type='text' name='fieldname'>
<input type='submit'>
</form>
</body>
</html>

Oct 19 '05 #2
I tried and had no issue with $_POST[].
Have you tried print_r($_POST) ; to ensure it is a $_POST variable problem.

Can you post a snippet of code that duplicates this problem?

Here is what I did:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Untitled Document</title>
</head>
<body>
<?php
if($_POST['action'] == 'submit'){
echo "print_r: ";
print_r($_POST) ;
echo "<br>";
echo "post: ".$_POST["fieldname"];
$var = $_POST["fieldname"];
echo "<br>var: ".$var;
}
?>
<form name="form1" method="post" action="<?php echo
$HTTP_SERVER_VARS['PHP_SELF'];?>">
<table width="400" border="1" align="center" cellpadding="0"
cellspacing="0">
<tr>
<td width="50%" align="right">Field:</td>
<td><input name="fieldname" type="text" id="fieldname"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr align="center">
<td colspan="2"><input type="submit" name="Submit" value="Submit">
<input name="action" type="hidden" id="action" value="submit"></td>
</tr>
</table>
</form>
</body>
</html>
starbuck wrote:
Hi,

have a form, with a text input "fieldname" .
method POST

$var = $_POST["fieldname"]

$var is then used to search in mysql

select * from table where jobtype like '$var%'
OR jobtype like '%$var%'
OR jobtype like '%$var'
OR jobtype like '$var' order by date asc;

basically i'm doing a search for any string that matches the searched
input, being at the beginning, middle or end of the jobtype column.

query works great, except when the string contains the 4-letter word
'info' such as information or informative
then the mysql query breaks down and give the usual:

Error performing query: You have an error in your SQL syntax. Check the
manual that corresponds to your MySQL server version for the right
syntax to use near 'ORDER BY date ASC' at line 1

Now after much debugging, i found out that the php _POST variable
treats anything with info as a number of 0 value.
inf is treated as text, nformation is treated as text, but anything
with info gets a 0 value.

Searched php.net and couldn't find anything related to this feature,
looked under security to see if it was related to that, but nothing.

Can anyone look into it and elaborate?
create a form, then echo the value of the $_POST variable
and try words that contain info in them.

thanks.

SBJ


--
Scott Johnson
http://www.seaforthsailingclub.com
Oct 19 '05 #3
Hi, thanks for replying with your findings, however the problem occurs
when trying to search in the mysql statement.
Below is a sample of my tests:

$var = $_POST["textfield"];

$testvar = $var + 2;

echo $var;
echo "<br>";
echo $testvar;

below is the output for different search keywords.
word          echo $var     echo $testvar
test          test          2
45            45            47
formation     formation     2
information   information   INF
inf           inf           2
info          info          INF
inforum       inforum       INF
as you can see, anything that starts with info is converted to a
different type or value,
if it were kept as char the addition would've yielded 2 like all other
char inputs.
somehow mysql is treating this also as a different type which is why
the queries fail.
the echo of the post variable is displayed correctly, but the 'value'
of it changes

this is very weird and i haven't found ways to work around it, the only
way to retrieve records
with the string info in them is to search for nfo or inf
but this isn't something that users of the site would think of doing.

Oct 20 '05 #4
starbuck (sb****@yahoo.com) wrote:
: Hi, thanks for replying with your findings, however the problem occurs
: when trying to search in the mysql statement.
: Below is a sample of my tests:

: $var = $_POST["textfield"];

: $testvar = $var + 2;

: echo $var;
: echo "<br>";
: echo $testvar;

: below is the output for different search keywords.
: word          echo $var     echo $testvar
: test          test          2
: 45            45            47
: formation     formation     2
: information   information   INF
: inf           inf           2
: info          info          INF
: inforum       inforum       INF
: as you can see, anything that starts with info is converted to a
: different type or value,
: if it were kept as char the addition would've yielded 2 like all other
: char inputs.
: somehow mysql is treating this also as a different type which is why
: the queries fail.
: the echo of the post variable is displayed correctly, but the 'value'
: of it changes

: this is very weird and i haven't found ways to work around it, the only
: way to retrieve records
: with the string info in them is to search for nfo or inf
: but this isn't something that users of the site would think of doing.

You appear to be misunderstanding and misexplaining your problem.

The example above uses mathematical addition within a php expression to
combine a variable containing an arbitrary string with a constant number.

That shows nothing at all about whatever problem is occurring with mysql.

The results within php (shown above) depend a great deal on the contents
of that string. The exact result depends on the rules php uses when it
tries to interpret the string as part of a mathematical expression. You
need to read the php documentation in detail to learn all the various
factors that php uses when interpreting strings in numeric calculations.

You might wish to check exactly what query string you are sending to
mysql.

I always use the following idiom

$sql = "select whatever ...";

mysql_query($sql ...etc...

The point being that if you build the query as a standalone string then it
is trivial to add an echo to confirm what sql is being run without
accidentally altering anything.

echo $sql;


--

This programmer available for rent.
Oct 20 '05 #5
If you could post the code that duplicates this output, it would be
easier to tell.

However if you take a text string and add an integer to it, it will be
converted to an integer type.

The INF you have showing means 'infinity', but I am not sure how you are
getting it.

Try gettype() in your output to see what type it is getting converted to.
starbuck wrote:
Hi, thanks for replying with your findings, however the problem occurs
when trying to search in the mysql statement.
Below is a sample of my tests:

$var = $_POST["textfield"];

$testvar = $var + 2;

echo $var;
echo "<br>";
echo $testvar;

below is the output for different search keywords.
word          echo $var     echo $testvar
test          test          2
45            45            47
formation     formation     2
information   information   INF
inf           inf           2
info          info          INF
inforum       inforum       INF
as you can see, anything that starts with info is converted to a
different type or value,
if it were kept as char the addition would've yielded 2 like all other
char inputs.
somehow mysql is treating this also as a different type which is why
the queries fail.
the echo of the post variable is displayed correctly, but the 'value'
of it changes

this is very weird and i haven't found ways to work around it, the only
way to retrieve records
with the string info in them is to search for nfo or inf
but this isn't something that users of the site would think of doing.


--
Scott Johnson
http://www.seaforthsailingclub.com
Oct 20 '05 #6
the problem with mysql is that the where condition is being matched to a
value that doesn't exist.
the reason why it doesn't exist is because php changes the value from
what it should be.
a value passed in the $_POST variable, that starts with the string 'info'
is being misinterpreted by php
and therefore passed to mysql as that misinterpreted value.

1. input a value in the search box; name of form element is textfield
2. assign value of textfield to a local variable via $localvar =
$_POST["textfield"];
3. use local variable as where condition of mysql statement:
select * from table where column like '%$localvar%';

any value you use in the original search box works all the way, whether
it exists on the mysql table or not
it retains the value that it's supposed to.
however if the value begins with info it will break the mysql statement
and result in a syntax error.
now what's so special about info?

the numerical calculations above were to determine the real value,
whatever it may be for the string passed.
numbers remain numbers, strings appear to be given a value of 0,
however a string that starts with info
is given an INF or infinite value it seems.

Oct 21 '05 #7
starbuck (sb****@yahoo.com) wrote:
: the problem with mysql is that the where condition being matched to a
: value that doesn't exist.
: the reason why it doesn't exist is because php changes the value from
: what it should be.
: a value pass in the $_POST variable, that starts with the string 'info'
: is being misinterpreted by php
: and therefore passed to mysql as that misinterpreted value.

: 1. input a value in the search box; name of form element is textfield
: 2. assign value of textfield to a local variable via $localvar =
: $_POST["textfield"];
: 3. use local variable as where condition of mysql statement:
: select * from table where column like '%$localvar%';

: any value you use in the original search box works all the way, whether
: it exists on the mysql table or not
: it retains the value that it's supposed to.
: however if the value begins with info it will break the mysql statement
: and result in a syntax error.
: now what's so special about info?

: the numerical calculations above were to determine the real value,
: whatever it may be for the string passed.
: numbers remain numbers, strings appear to be given a value of 0,
: however a string that starts with info
: is given an INF or infinite value it seems.

Mysql receives a string, and you haven't examined that string. The
problem has nothing to do with mysql, and everything to do with how you
build the query string.

You don't include any code that illustrates the problem so there is
nothing that can be done to help fix it.

My example code did not reproduce your problem.
$var = 'm';
$sql = "select * from Contacts where owner like '%$var%'";
echo "$sql \n";

$sth = mysql_query($sql, $dbh) or die(mysql_error());
while($row = mysql_fetch_array($sth))
{
echo $row['owner'];

}

$var = 'info';
$sql = "select * from Contacts where owner like '%$var%'";
echo "$sql \n";

$sth = mysql_query($sql, $dbh) or die(mysql_error());
while($row = mysql_fetch_array($sth))
{
echo $row['owner'];

}
Both code samples worked just fine against one of my databases.

--

This programmer available for rent.
Oct 21 '05 #8
<pre>

below is the code that i'm using:
i added the echo's above the mysql query
just to see what is actually being assigned to the $where_condition.
it seems that when $search_value is given the 'info' string, the
$where_condition never gets set at all
even though the else statement should set it.
If the user enters a number, the query tries to match that number by
looking for it in the school_number
column. If a user types some text, it tries to match it up in the name
and aka fields.
$search_value = $_POST["textfield"];

if (!$search_value) {
echo("<p>You must type something in the search box to get results: "
. mysql_error() . "</p>");
exit();
}

if ($search_value != 0) {
if ($search_value / $search_value == 1) {
$where_condition = "schools.school_number = '$search_value'";
}
}
else {
$where_condition = "schools.name like '$search_value%' OR
schools.aka like '$search_value%' OR schools.name like
'%$search_value%' OR schools.aka like '%$search_value%'";
}

echo $search_value;
echo "<br>SELECT *, ceiling(read_scores/20) as read_stars,
ceiling(math_scores/20) as math_stars FROM schools WHERE " .
$where_condition . " ORDER BY borough ASC";

$result = db_query("SELECT *, ceiling(read_scores/20) as read_stars,
ceiling(math_scores/20) as math_stars FROM schools WHERE " .
$where_condition . " ORDER BY borough ASC", $link);
if (!$result) {
echo("<p>Error performing query: " . mysql_error() . "</p>");
exit();
}
</pre>

Oct 21 '05 #9
Ok now its starting to make sense.
Any time you start to compare a string to an integer, it tries to
convert the string looking at it one character at a time. strings
without integers will convert to 0 (zero).

If it encounters a string with INF in it, it will treat it as a
'infinity' type. (not an expert on that).

It seems like you are taking a string and testing it for either an
integer or a string. But by testing it against an integer, "if
($search_value != 0)", will automatically treat the string as an
integer, and then if it sees 'inf' in it, will try to force the case on it.

What I have done in the past to check for integer is use:
if(is_int($search_value)){
// Do your number search
}else{
// Do your string search
}
I hope this makes sense.

Maybe Malcolm can elaborate some more.

Good luck

starbuck wrote:
<pre>

below is the code that i'm using:
i added the echo's above the mysql query
just to see what is actually being assigned to the $where_condition.
it seems that when $search_value is given the 'info' string, the
$where_condition never gets set at all
even though the else statement should set it.
If the user enters a number, the query tries to match that number by
looking for it in the school_number
column. If a user types some text, it tries to match it up in the name
and aka fields.
$search_value = $_POST["textfield"];

if (!$search_value) {
echo("<p>You must type something in the search box to get results: "
. mysql_error() . "</p>");
exit();
}

if ($search_value != 0) {
if ($search_value / $search_value == 1) {
$where_condition = "schools.school_number = '$search_value'";
}
}
else {
$where_condition = "schools.name like '$search_value%' OR
schools.aka like '$search_value%' OR schools.name like
'%$search_value%' OR schools.aka like '%$search_value%'";
}

echo $search_value;
echo "<br>SELECT *, ceiling(read_scores/20) as read_stars,
ceiling(math_scores/20) as math_stars FROM schools WHERE " .
$where_condition . " ORDER BY borough ASC";

$result = db_query("SELECT *, ceiling(read_scores/20) as read_stars,
ceiling(math_scores/20) as math_stars FROM schools WHERE " .
$where_condition . " ORDER BY borough ASC", $link);
if (!$result) {
echo("<p>Error performing query: " . mysql_error() . "</p>");
exit();
}
</pre>


--
Scott Johnson
http://www.seaforthsailingclub.com
Oct 21 '05 #10
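
An added example (not code from any poster in this thread): one way to write the numeric-or-text search from post #9 so the branch never depends on PHP's string-to-number conversion and the user's text never becomes part of the SQL string. It assumes PDO with an in-memory SQLite database and constructed rows standing in for the `schools` table; `like_escape()` and `build_school_search()` are hypothetical helper names.

```php
<?php
declare(strict_types=1);

// Escape LIKE wildcards so user text is matched literally.
// '!' is the escape character, declared with ESCAPE '!' in the query.
function like_escape(string $s): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $s);
}

// Decide which search to run from the raw form value; returns [sql, params]
// or null for empty input. The value is only ever inspected as a string:
// no "!= 0" comparison and no arithmetic, so "info" or "1e5" is never
// reinterpreted as a number, and a WHERE clause is always produced.
function build_school_search(string $raw): ?array
{
    $value = trim($raw);
    if ($value === '') {
        return null;
    }
    $select = 'SELECT school_number, name, aka FROM schools WHERE ';
    if (ctype_digit($value)) {            // digits only => school number
        return [$select . 'school_number = :num ORDER BY borough ASC',
                [':num' => $value]];
    }
    // '%text%' already covers the starts-with, ends-with and exact cases.
    $pattern = '%' . like_escape($value) . '%';
    return [$select . "name LIKE :p1 ESCAPE '!' OR aka LIKE :p2 ESCAPE '!'"
                    . ' ORDER BY borough ASC',
            [':p1' => $pattern, ':p2' => $pattern]];
}

// Constructed sample data (assumption: stands in for the real table).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE schools
            (school_number TEXT, name TEXT, aka TEXT, borough TEXT)');
$pdo->exec("INSERT INTO schools VALUES
    ('101', 'Information Technology High', 'Info Tech', 'Queens'),
    ('202', 'Lincoln Academy', '100% Arts', 'Bronx')");

// Inputs: the word from the thread, a number, a quote-laden string,
// a value containing a LIKE wildcard, and an empty submission.
foreach (['info', '101', "x' OR '1'='1", '100%', ''] as $input) {
    $search = build_school_search($input);
    if ($search === null) {
        echo "[empty] rejected before any query is built\n";
        continue;
    }
    [$sql, $params] = $search;
    $stmt = $pdo->prepare($sql);          // SQL text is fixed
    $stmt->execute($params);              // user data travels separately
    $names = array_column($stmt->fetchAll(PDO::FETCH_ASSOC), 'name');
    echo "[$input] -> " . (implode(', ', $names) ?: 'no rows') . "\n";
}
```

Given the INF result starbuck reported for `info`, the original branching passes `!= 0` and then fails `INF / INF == 1` (the quotient is NAN), so neither branch assigns `$where_condition` and the statement reaches MySQL with an empty WHERE clause.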
