
Entire database shows up with search



Kevin_M_Schafer
11-29-2011, 11:16 PM
I can't correct my subject line: I meant to say "Entire table contents shows up with search." Sorry.

I'm a bit lost. I've been tweaking here and there trying to get my search to work properly and I'm really puzzled.

My searchbox works. It produces a result in an iframe on the same page just the way it should, but here's the head scratcher: no matter what's typed in the searchbox, all the data from my entire table comes up in the iframe.

Now I've heard about mysql injection and that throws another question into the mix.

Any help would be greatly appreciated as to why my specific word search doesn't show just one word and its definition.:)

This is my searchbox code:


<div><form style="margin: 0px;" method="get" action="search.php" target="results_frame"><input class="searchbox" onfocus="if (this.defaultValue==this.value) this.value='';" name="query" value="enter a word "/></form></div>
<div class="results"><iframe name="results_frame" src="" width="752" frameborder="1" height="100" scrolling="auto"></iframe></div>


This is my search.php code:


<?php

mysql_connect ("host", "username","password") or die (mysql_error());
mysql_select_db ("database");

$term = $_POST['term']; $sql = mysql_query("select * from wordtest where Word like '%$term%'");

while ($row = mysql_fetch_array($sql)){
echo '<br/>'.$row['Word']; echo ' <br/><br/>Speech: '.$row['Speech']; echo ' | Definition: '.$row['Definition']; echo '<br/>';
}

?>

Old Pedant
11-30-2011, 01:12 AM
method="get"

versus


$term = $_POST['term'];

Change one or the other of those.

When you send the data to PHP using "get", then *ALL* $_POST data will be blank.

And so you end up doing "... WHERE Word like '%%'" and quite properly you get back all records.

Kevin_M_Schafer
11-30-2011, 04:16 AM
I changed a few things, but I'm still not understanding what I have wrong. All the content of my table is still being displayed in the results -- regardless of what entry is made in the searchbox.

Is any of my code unnecessary? I've been tweaking it so much, I've lost track of where I started.



<div><form method="post" action="search.php" target="results_frame"><input class="searchbox" onfocus="if (this.defaultValue==this.value) this.value='';" name="query" value="enter a word "/></form></div>

<div class="results"><iframe name="results_frame" src="" width="752" frameborder="0" height="100" scrolling="auto"></iframe></div>




$term = $_POST['term']; $sql = mysql_query("select * from wordtest where Word like '%$term%'");
while ($row = mysql_fetch_array($sql))
{
echo '<br/>'.$row['Word']; echo ' <br/><br/>Speech: '.$row['Speech']; echo ' | Definition: '.$row['Definition']; echo '<br/>';
}

Old Pedant
11-30-2011, 05:22 AM
I don't see anything in your <form> that will *SUBMIT* the <form>. Where is that being done from???

Why do you hate using line breaks in your code? It makes the code so much harder to read. It has *NO* impact on the speed of the code.



<div>
<form method="post" action="search.php" target="results_frame">
<input class="searchbox" onfocus="if (this.defaultValue==this.value) this.value='';"
name="query" value="enter a word "/>
</form>
</div>

See? Nothing showing there that will *ever* submit that form.

So I don't know how you get any results at all in your iframe.

For the PHP code, try a tiny bit of DEBUG DEBUG DEBUG.


$term = $_POST['term'];
echo "DEBUG term is " . $term . "<hr/>\n";

$sqltext = "select * from wordtest where Word like '%$term%'";
echo "DEBUG SQL is " . $sqltext . "<hr/>]n";

$sql = mysql_query( $sqltext );
...

Kevin_M_Schafer
11-30-2011, 02:31 PM
Users hit the enter key to submit the search. I thought it was a good idea with many of the social sites doing it nowadays.

http://www.theeagleextra.com/wordic/wordic.shtml

Old Pedant
11-30-2011, 08:07 PM
Oh, okay. Not sure that works in all browsers. An easy way to make sure it does is add an onchange to the text field:


<form method="post" action="search.php" target="results_frame">
<input class="searchbox" onfocus="if (this.defaultValue==this.value) this.value='';"
onchange="this.form.submit();"
name="query" value="enter a word "/>
</form>

Anyway, what did the DEBUG in the PHP code show you?

Kevin_M_Schafer
11-30-2011, 09:56 PM
Hi Old Pedant,

Your DEBUG showed the following result:


DEBUG term is
--------------------------------------------------------------------------------
DEBUG SQL is select * from wordtest where Word like '%%'
--------------------------------------------------------------------------------
]n


Speech: | Definition:


I added your DEBUG to my php code. I wasn't sure if I was to replace mine with yours.


$term = $_POST['term']; $sql = mysql_query("select * from wordtest where Word like '%$term%'");
while ($row = mysql_fetch_array($sql))
$term = $_POST['term'];
echo "DEBUG term is " . $term . "<hr/>\n";

$sqltext = "select * from wordtest where Word like '%$term%'";
echo "DEBUG SQL is " . $sqltext . "<hr/>]n";

$sql = mysql_query( $sqltext );
{
echo '<br/>'.$row['Word']; echo ' <br/><br/>Speech: '.$row['Speech']; echo ' | Definition: '.$row['Definition']; echo '<br/>';
}

?>

At this point in my knowledge of php and mySQL, I don't know what this result means. That's where I need your help.

Thanks for the onchange.

Please help if you can. I really appreciate your time.

Kevin_M_Schafer
11-30-2011, 10:01 PM
Here is the result with your php DEBUG code replacing my php completely:


DEBUG term is
--------------------------------------------------------------------------------
DEBUG SQL is select * from wordtest where Word like '%%'
--------------------------------------------------------------------------------
]n


Speech: | Definition:

BluePanther
11-30-2011, 10:26 PM
Can't believe I didn't notice this earlier!

Your text box is called query, but you're looking for $_POST['term'] which refers to an element named 'term'. Change $term to equal $_POST['query'].


// Assign term and escape it
$term = mysql_real_escape_string($_POST['query']);


echo "DEBUG term is " . $term . "<hr/>\n";

$sqltext = "select * from wordtest where Word like '%$term%'";
echo "DEBUG SQL is " . $sqltext . "<hr/>]n";

$sql = mysql_query( $sqltext );
while ($row = mysql_fetch_array($sql)){
echo '<br/>'.$row['Word']; echo ' <br/><br/>Speech: '.$row['Speech'];
echo ' | Definition: '.$row['Definition']; echo '<br/>';
}

?>

Old Pedant
12-01-2011, 12:06 AM
LOL! And I even re-typed his entire <input> and didn't notice that!

SHEESH!

Kevin_M_Schafer
12-01-2011, 12:08 AM
BluePanther,

You did it! This really makes my day. It works!

I only have about 40 lines of data uploaded so far, all for the letter Z.

If you want to try it, you can type in zip, zulu, zone, zebrula, zarf.

I will be uploading 150,000 lines (approximately) soon.

I will be working on styling and "no records found" reply for an empty result. This is great.

Thanks to Old Pedant, too. You guys are what makes CodingForums great.
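Pulling the thread's points together (the GET/POST mismatch, the `query` vs `term` field name, the injection worry raised in the first post, and the "no records found" reply planned at the end), here is an added example of how search.php could be written today. It is not code from the thread or from either poster. It assumes the same `wordtest` table with `Word`, `Speech` and `Definition` columns and a form field named `query` sent with method="post"; the DSN and credentials are placeholders to replace, and the `ORDER BY`/`LIMIT 50` and the placeholder-text check are my own additions. The old `mysql_*` functions used in the thread were removed in PHP 7, so this uses PDO with a prepared statement instead, binds the search term as a parameter rather than pasting it into the SQL text, escapes `%` and `_` so a user cannot widen the LIKE match, and escapes on output so table contents are never written into the page as raw HTML.

```php
<?php
// Added example (not from the thread): a hardened search.php for the wordtest table.
declare(strict_types=1);

// Assumed connection details; replace with your own.
$dsn  = 'mysql:host=localhost;dbname=database;charset=utf8mb4';
$user = 'username';
$pass = 'password';

header('Content-Type: text/html; charset=utf-8');

// The form field is named "query" and the form uses method="post",
// so read $_POST['query']; $_POST['term'] and $_GET[...] would both be empty.
$term = isset($_POST['query']) ? trim((string) $_POST['query']) : '';

if ($term === '' || $term === 'enter a word') {
    // An empty term turns the query into LIKE '%%', which matches every row.
    echo '<p>Please enter a word to search for.</p>';
    exit;
}

try {
    $pdo = new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
} catch (PDOException $e) {
    // Log the real error server-side; the browser gets a generic message so
    // host names, user names and the SQL text are not leaked (unlike die(mysql_error())).
    error_log('search.php: DB connect failed: ' . $e->getMessage());
    echo '<p>Search is temporarily unavailable.</p>';
    exit;
}

// Escape LIKE metacharacters in the user's input. '\\%_' in single quotes is the
// three characters \ % _ ; each gets a backslash prefix, matching the ESCAPE clause.
$pattern = '%' . addcslashes($term, '\\%_') . '%';

// The term is bound as a parameter, never interpolated into the SQL string:
// this is what closes the injection hole in "... like '%$term%'".
// In the PHP double-quoted string, '\\\\' reaches MySQL as '\\', i.e. one backslash.
$stmt = $pdo->prepare(
    "SELECT Word, Speech, Definition
       FROM wordtest
      WHERE Word LIKE :pattern ESCAPE '\\\\'
      ORDER BY Word
      LIMIT 50"
);
$stmt->execute([':pattern' => $pattern]);
$rows = $stmt->fetchAll();

// Small helper so every value that reaches the page is HTML-escaped.
function h(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

if ($rows === []) {
    // The "no records found" reply for an empty result.
    echo '<p>No records found for "' . h($term) . '".</p>';
    exit;
}

foreach ($rows as $row) {
    // Same layout as the original output, but escaped: a stored value containing
    // markup must not be echoed into the iframe as live HTML.
    echo '<br/>' . h($row['Word'])
       . '<br/><br/>Speech: ' . h($row['Speech'])
       . ' | Definition: ' . h($row['Definition'])
       . "<br/>\n";
}
```

The `LIMIT 50` is a deliberate choice for a table that is about to grow to 150,000 rows: a one-letter search against an unbounded `LIKE '%z%'` would otherwise stream a large share of the table into the iframe on every keystroke. The same debugging trick Old Pedant suggested still applies here; echo `$term` and `$pattern` while developing, but remove those lines before the page goes live.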


