Posted by dkirkdrei on 07/26/06 00:46

Eric Farraro wrote:
> For starters, it doesn't appear that you are actually assigning the
> variables you are using in your search queries.
>
> Look at your form -- since you are using the GET method, in your PHP
> file, you should have something like:
>
> $variable_name = $_GET['some_variable'].
>
> 'some_variable' corresponds to the 'name' attribute of some input
> field.
>
> I don't know if your DB connection, etc... is correct, but you
> definitely need to assign the variables you're using in your search
> using the $_GET variable. If you do something like: print_r($_GET);,
> you can get an idea of what is contained in $_GET.
>
> On another note, this is probably more advanced than you care to know,
> but the method you are using your queries is considered EXTREMELY
> dangerous for an online application. Since the user can type whatever
> they want, someone wishing to cause trouble could log in to your site
> without a valid password (assuming you have a login page), drop tables,
> etc... Very bad stuff. If you're just playing around locally, it's
> not a problem, but if you plan to move your code to an online page,
> consider reading up on SQL Injection Attacks.

thanks for the reply. This query form will be used on my company's
intranet only but I appreciate the info. I have added the code that you
suggested but I still recieve the same result. my return page contains
my logo and my table with the headers but no return results even though
I know that the criteria in which I am entering resides in the
database. I searched the php.net site but could not find any info on
the commands that you suggested?? I also went back and corrected some
typo's, my php code now looks like this:

<?
$connect = odbc_connect('wusain', 'root', '');
extract($_REQUEST);
$variable_name = $_GET('some_variable');
if (!$connect)
{
echo "couldn't connect";
exit;
}
?>
<HTML>
<HEAD>
<TITLE>InfoNet</TITLE>
</HEAD>
<BODY BGCOLOR= "3399CC">
<table>
<tr><td><IMG SRC=logo.JPG align=left hspace=20 height=150></td>
<td><h1>WUSA<br> InfoNet</h1></td><td align=left>
</table>
<?
$query1 = "SELECT * FROM info WHERE machtyp LIKE '%$machtyp1%'";
$query2 = "SELECT * FROM info WHERE wpart LIKE '$wpart1%'";
$query3 = "SELECT * FROM info WHERE desc LIKE '%$desc1%'";
$query4 = "SELECT * FROM info WHERE mfgpart LIKE '%$mfgpart1%'";
$query5 = "SELECT * FROM info WHERE mfg LIKE '%$mfg1%'";
if (!empty($machtyp1))
{
$result = odbc_exec($connect, $query1);
}
if (!empty($wpart1))
{
$result = odbc_exec($connect, $query2);
}
if (!empty($desc1))
{
$result = odbc_exec($connect, $query3);
}
if (!empty($mfgpart1))
{
$result = odbc_exec($connect, $query4);
}
if (!empty($mfg1))
{
$result = odbc_exec($connect, $query5);
}
$reply=odbc_fetch_row($result);
while ($reply)
{
$reply=odbc_fetch_row($result);
}
{
$machtyp = odbc_result($result, 1);
$wpart = odbc_result($result, 2);
$desc = odbc_result($result, 3);
$mfgpart = odbc_result($result, 4);
$mfg = odbc_result($result, 5);
$dwg = odbc_result($result, 6);
?>
<table border=1><tr bgcolor=darkgray>
<th>Machine Type</th>
<th>W Part#</th>
<th>Description</th>
<th>Mfg Part #</th>
<th>Manufacturer</th>
<th>Drawing</th></tr>
<tr bgcolor=white>
<td><?echo $machtyp;?></td>
<td><?echo $wpart;?></td>
<td><?echo $desc;?></td>
<td><?echo $mfgpart;?></td>
<td><?echo $mfg;?></td>
<td><a href= "<? echo $dwg;?>"><? echo $dwg;?></a></td>
</tr>
<?
}
?>
</table>
</body>
</html>

• Next in forum: Re: FastCGI and DB connections / global variables?
• Prev in forum: Re: What's a good program for managing a mixed html-PHP site?
• Thread view: Re: Newbie? html form to php to ODBC

[Reply to this message]