php form info...

Hi,

have a form, with a text input "fieldname".
method POST

$var = $_POST["fieldname"];

$var is then used to search in mysql

select * from table where jobtype like '$var%'
OR jobtype like '%$var%'
OR jobtype like '%$var'
OR jobtype like '$var' order by date asc;

basically i'm doing a search for any string that matches the searched
input, being at the beginning, middle or end of the jobtype column.

query works great, except when the string contains the 4-letter word
'info' such as information or informative
then the mysql query breaks down and gives the usual:

Error performing query: You have an error in your SQL syntax. Check the
manual that corresponds to your MySQL server version for the right
syntax to use near 'ORDER BY date ASC' at line 1

Now after much debugging, i found out that the php _POST variable
treats anything with info as a number of 0 value.
inf is treated as text, nformation is treated as text, but anything
with info gets a 0 value.

Searched php.net and couldn't find anything related to this feature,
looked under security to see if it was related to that, but nothing.

Can anyone look into it and elaborate?
create a form, then echo the value of the $_POST variable
and try words that contain info in them.

thanks.

SBJ

Oct 19 '05 #1
Hi,

The following prints

* info *

on the screen for me. If you want to send the code, I'll have a look at
it.

Ian

<html>
<head>
<title></title>
</head>
<body>
<?php

// Escape the submitted value before echoing it back into the page.
if (isset($_POST['fieldname'])) echo "* " . htmlspecialchars($_POST['fieldname']) . " *";

?>
<form method="post">
<input type='text' name='fieldname'>
<input type='submit'>
</form>
</body>
</html>

Oct 19 '05 #2
I tried and had no issue with $_POST[].
Have you tried print_r($_POST); to ensure it is a $_POST variable problem?

Can you post a snippet of code that duplicates this problem?

Here is what I did:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Untitled Document</title>
</head>
<body>
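<?php
// isset() avoids an undefined-index notice on the first page load;
// htmlspecialchars() keeps submitted text from being rendered as markup.
if (isset($_POST['action']) && $_POST['action'] == 'submit') {
    echo "print_r: ";
    echo htmlspecialchars(print_r($_POST, true));
    echo "<br>";
    echo "post: " . htmlspecialchars($_POST["fieldname"]);
    $var = $_POST["fieldname"];
    echo "<br>var: " . htmlspecialchars($var);
}
?>
<form name="form1" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">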
<table width="400" border="1" align="center" cellpadding="0"
cellspacing="0">
<tr>
<td width="50%" align="right">Field:</td>
<td><input name="fieldname" type="text" id="fieldname"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr align="center">
<td colspan="2"><input type="submit" name="Submit" value="Submit">
<input name="action" type="hidden" id="action" value="submit"></td>
</tr>
</table>
</form>
</body>
</html>

--
Scott Johnson
http://www.seaforthsailingclub.com
Oct 19 '05 #3
Hi, thanks for replying with your findings, however the problem occurs
when trying to search in the mysql statement.
Below is a sample of my tests:

$var = $_POST["textfield"];

$testvar = $var + 2;

echo $var;
echo "<br>";
echo $testvar;

below is the output for different search keywords.

word          echo $var     echo $testvar
test          test          2
45            45            47
formation     formation     2
information   information   INF
inf           inf           2
info          info          INF
inforum       inforum       INF

as you can see, anything that starts with info is converted to a
different type or value,
if it were kept as char the addition would've yielded 2 like all other
char inputs.
somehow mysql is treating this also as a different type which is why
the queries fail.
the echo of the post variable is displayed correctly, but the 'value'
of it changes

this is very weird and i haven't found ways to work around it, the only
way to retrieve records
with the string info in them is to search for nfo or inf
but this isn't something that users of the site would think of doing.

Oct 20 '05 #4
starbuck (sb****@yahoo.com) wrote:
: Hi, thanks for replying with your findings, however the problem occurs
: when trying to search in the mysql statement.
: Below is a sample of my tests:

: $var = $_POST["textfield"];

: $testvar = $var + 2;

: echo $var;
: echo "<br>";
: echo $testvar;

: below is the output for different search keywords.
:
: word          echo $var     echo $testvar
: test          test          2
: 45            45            47
: formation     formation     2
: information   information   INF
: inf           inf           2
: info          info          INF
: inforum       inforum       INF
:
: as you can see, anything that starts with info is converted to a
: different type or value,
: if it were kept as char the addition would've yielded 2 like all other
: char inputs.
: somehow mysql is treating this also as a different type which is why
: the queries fail.
: the echo of the post variable is displayed correctly, but the 'value'
: of it changes

: this is very weird and i haven't found ways to work around it, the only
: way to retrieve records
: with the string info in them is to search for nfo or inf
: but this isn't something that users of the site would think of doing.

You appear to be misunderstanding and misexplaining your problem.

The example above uses mathematical addition within a php expression to
combine a variable containing an arbitrary string with a constant number.

That shows nothing at all about whatever problem is occurring with mysql.

The results within php (shown above) depend a great deal on the contents
of that string. The exact result depends on the rules php uses when it
tries to interpret the string as part of a mathematical expression. You
need to read the php documentation in detail to learn all the various
factors that php uses when interpreting strings in numeric calculations.

You might wish to check exactly what query string you are sending to
mysql.

I always use the following idiom

$sql = "select whatever ...";

mysql_query($sql ...etc...

The point being that if you build the query as a standalone string then it
is trivial to add an echo to confirm what sql is being run without
accidentally altering anything.

echo $sql;


--

This programmer available for rent.
Oct 20 '05 #5
If you could post the code that duplicates this output, it would be
easier to tell.

However if you take a text string and add an integer to it, it will be
converted to an integer type.

The INF you have showing means 'infinity', but I am not sure how you are
getting it.

Try gettype() in your output to see what type it is getting converted to.

--
Scott Johnson
http://www.seaforthsailingclub.com
Oct 20 '05 #6
the problem with mysql is that the where condition is being matched to a
value that doesn't exist.
the reason why it doesn't exist is because php changes the value from
what it should be.
a value passed in the $_POST variable, that starts with the string 'info'
is being misinterpreted by php
and therefore passed to mysql as that misinterpreted value.

1. input a value in the search box; name of form element is textfield
2. assign value of textfield to a local variable via $localvar =
$_POST["textfield"];
3. use local variable as where condition of mysql statement:
select * from table where column like '%$localvar%';

any value you use in the original search box works all the way, whether
it exists on the mysql table or not
it retains the value that it's supposed to.
however if the value begins with info it will break the mysql statement
and result in a syntax error.
now what's so special about info?

the numerical calculations above were to determine the real value,
whatever it may be for the string passed.
numbers remain numbers, strings appear to be given a value of 0,
however a string that starts with info
is given an INF or infinite value it seems.

Oct 21 '05 #7
starbuck (sb****@yahoo.com) wrote:
: the problem with mysql is that the where condition is being matched to a
: value that doesn't exist.
: the reason why it doesn't exist is because php changes the value from
: what it should be.
: a value passed in the $_POST variable, that starts with the string 'info'
: is being misinterpreted by php
: and therefore passed to mysql as that misinterpreted value.

: 1. input a value in the search box; name of form element is textfield
: 2. assign value of textfield to a local variable via $localvar =
: $_POST["textfield"];
: 3. use local variable as where condition of mysql statement:
: select * from table where column like '%$localvar%';

: any value you use in the original search box works all the way, whether
: it exists on the mysql table or not
: it retains the value that it's supposed to.
: however if the value begins with info it will break the mysql statement
: and result in a syntax error.
: now what's so special about info?

: the numerical calculations above were to determine the real value,
: whatever it may be for the string passed.
: numbers remain numbers, strings appear to be given a value of 0,
: however a string that starts with info
: is given an INF or infinite value it seems.

Mysql receives a string, and you haven't examined that string. The
problem has nothing to do with mysql, and everything to do with how you
build the query string.

You don't include any code that illustrates the problem so there is
nothing that can be done to help fix it.

My example code did not reproduce your problem.

$var = 'm';
$sql = "select * from Contacts where owner like '%$var%'";
echo "$sql \n";

$sth = mysql_query($sql, $dbh) or die(mysql_error());
while($row = mysql_fetch_array($sth))
{
    echo $row['owner'];
}

$var = 'info';
$sql = "select * from Contacts where owner like '%$var%'";
echo "$sql \n";

$sth = mysql_query($sql, $dbh) or die(mysql_error());
while($row = mysql_fetch_array($sth))
{
    echo $row['owner'];
}

Both code samples worked just fine against one of my databases.

--

This programmer available for rent.
Oct 21 '05 #8
below is the code that i'm using:
i added the echos above the mysql query
just to see what is actually being assigned to the $where_condition.
it seems that when $search_value is given the 'info' string, the
$where_condition never gets set at all
even though the else statement should set it.
If the user enters a number, the query tries to match that number by
looking for it in the school_number
column. If a user types some text, it tries to match it up in the name
and aka fields.

$search_value = $_POST["textfield"];

if (!$search_value) {
    echo("<p>You must type something in the search box to get results: " . mysql_error() . "</p>");
    exit();
}

if ($search_value != 0) {
    if ($search_value / $search_value == 1) {
        $where_condition = "schools.school_number = '$search_value'";
    }
}
else {
    $where_condition = "schools.name like '$search_value%' OR schools.aka like '$search_value%' OR schools.name like '%$search_value%' OR schools.aka like '%$search_value%'";
}

echo $search_value;
echo "<br>SELECT *, ceiling(read_scores/20) as read_stars, ceiling(math_scores/20) as math_stars FROM schools WHERE " . $where_condition . " ORDER BY borough ASC";

$result = db_query("SELECT *, ceiling(read_scores/20) as read_stars, ceiling(math_scores/20) as math_stars FROM schools WHERE " . $where_condition . " ORDER BY borough ASC", $link);
if (!$result) {
    echo("<p>Error performing query: " . mysql_error() . "</p>");
    exit();
}

Oct 21 '05 #9
Ok, now it's starting to make sense.
Any time you start to compare a string to an integer, it tries to
convert the string looking at it one character at a time. Strings
without integers will convert to 0 (zero).

If it encounters a string with INF in it, it will treat it as an
'infinity' type. (not an expert on that).

It seems like you are taking a string and testing it for either an
integer or a string. But by testing it against an integer, "if
($search_value != 0)", will automatically treat the string as an
integer, and then if it sees 'inf' in it, will try to force the case on it.

What I have done in the past to check for integer is use:

if (is_int($search_value)) {
    // Do your number search
} else {
    // Do your string search
}

I hope this makes sense.

Maybe Malcolm can elaborate some more.

Good luck


--
Scott Johnson
http://www.seaforthsailingclub.com
Oct 21 '05 #10
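
An added example, not part of any post in this thread: once the PHP build discussed here coerces 'info' to INF, the posted code passes `$search_value != 0`, then INF / INF is NAN rather than 1, so $where_condition is never set and the query reads `WHERE  ORDER BY`. The sketch below chooses the branch with a string test ($_POST values arrive as strings, hence ctype_digit()) and binds the value as a parameter instead of interpolating it. Table and column names are taken from the post; the in-memory SQLite database, its rows and the function names are constructed for illustration.

```php
<?php
// Added example: names follow the post; database and rows are constructed.

// Choose the branch with a string test, never `!= 0` or arithmetic, so the
// input is never coerced to a number (the coercion is what produced INF).
function build_school_search(string $input): array
{
    $input = trim($input);
    if ($input === '') {
        throw new InvalidArgumentException('Type something in the search box.');
    }
    $select = 'SELECT name FROM schools WHERE ';
    $order  = ' ORDER BY borough ASC';
    if (ctype_digit($input)) {                 // digits only: school number
        return [$select . 'school_number = ?' . $order, [$input]];
    }
    // Escape LIKE wildcards so % and _ typed by the user match literally.
    // SQLite needs the ESCAPE clause; MySQL already defaults to backslash.
    $like = '%' . addcslashes($input, '\\%_') . '%';
    $where = "(name LIKE ? ESCAPE '\\' OR aka LIKE ? ESCAPE '\\')";
    return [$select . $where . $order, [$like, $like]];
}

function search_schools(PDO $db, string $input): array
{
    [$sql, $params] = build_school_search($input);
    $stmt = $db->prepare($sql);                // SQL text is fixed
    $stmt->execute($params);                   // user input travels as data
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');              // assumption: pdo_sqlite loaded
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE schools (school_number TEXT, name TEXT, aka TEXT, borough TEXT)');
$db->exec("INSERT INTO schools VALUES
    ('101', 'Information Technology High', 'Info Tech', 'Queens'),
    ('202', 'O''Brien Academy', 'OBA', 'Bronx')");

// Constructed inputs: the thread's trigger word, a number, a quote, a wildcard.
foreach (['info', '101', "O'Brien", '100%'] as $q) {
    printf("%-8s => %s\n", $q, json_encode(search_schools($db, $q)));
}
```

Because the WHERE clause is always one of two fixed strings, it can never come out empty, and a quote or wildcard in the search box cannot change the shape of the statement.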
