Search Term Not Passing to Output Form

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
I have a search form from which I hope to be able to select a record by
field JobNumber and display it with an output form titled test.php

    <title>Job Database Search</title>
<body style='font-family: Geneva, Arial, Helvetica, sans-serif;'>
    Enter Job Number:
    <form action="test.php" method="post">
        <input type="text" name="searchterm">
        <input type="submit" name="Send">

The query on the output form (test.php) is as follows and returns a blank

        $query="select * from jobs where JobNumber like '$searchterm'";  

The problem I'm having is that the searchterm variable does not appear to
be passing to the output form. I know that I am connecting to the database
and that the query is fundamentally correct because I can access the record
I want by substituting a real Job Number for the variable.

Any ideas?

Re: Search Term Not Passing to Output Form

Quoted text here. Click to load it

The first troubleshooting step anytime you are creating SQL strings
programmatically is to output the finished SQL string.  This allows you to
spot unbalanced quotes, unanticipated whitespace, etc.

BTW, the example you give above is a classic "SQL injection" security flaw.
What happens if a malicious user enters a string into your input form such

  nomatch'; delete from jobs;

Another troubleshooting method is to cut & paste the finished $query string
into the mysql client (or MySQL Query Browser) and see if that statement
produces the query results you intend.

Also, make sure your PHP code tests for error status returned from the query
execution, and displays any error messages to the HTML output.

Bill K.

Re: Search Term Not Passing to Output Form

On Wed, 04 Jan 2006 17:33:52 +0000, Bob Sanderson wrote:
Quoted text here. Click to load it

First off, re-read Bill's advice even if you've already read it - it's
very important.

Do you have "register_globals" turned on?

It's not set by default on PHP now (and it's not a good idea either) so
you should be using the new superglobals:

$query="select * from jobs where JobNumber like '$_POST[searchterm]'";

Actually that isn't absolutely correct (as searchterm could be define()d
to be something else), but it's what 99.9% of PHP programmers use and is
fine as long as you are aware of defines.



Andy Jeffries                 | gPHPEdit Lead Developer | PHP editor for Gnome 2 | Personal site and photos

Site Timeline