Weird Variable Problem

Started by Ardenn, September 13, 2004, 01:20:27 PM

Ardenn

Maybe one of you can help me out here.  I'm not quite sure what I'm doing wrong.  Here is the complete code:


<?

//Database Variables

$hostname = "localhost";
$username = "root";
$password = "";

//Connecting to Database

MYSQL_CONNECT($hostname, $username, $password) or die ("DB connection unavailable");
MYSQL_SELECT_DB ('phone_dir') or die ("Unable to select to database");

//DECLARING GLOBALS
GLOBAL $grab,$sort,$_POST;


//declaring other variable
$i=0;
$metode1=$_POST['metode'];
$search1=$_POST['search'];

//declaring a function to query the database
function displayresults($metode,$search,$ordered)

  {
    //These variables are echoed for troubleshooting purposes
    echo $metode;
    echo '<Br>';
    echo $search;
    echo '<br>';
    echo $ordered;

    $result = mysql_query("SELECT * FROM all_swr WHERE $metode LIKE '%$search%' ORDER BY $ordered ASC") or die ('QUERY FAILED');
    while ($row = mysql_fetch_array($result))
                {
                  //ALTERNATE ROW COLOR
                  IF ($i % 2 == 0)
                    {
                     $bgcolor = "#CCFFCC";
                    }
                  ELSE
                    {
                     $bgcolor = "#DDDDDD";
                    }

                  //table listing results
                  echo '
                   <table>
                    <tr bgcolor='.$bgcolor.'>
                      <td width="100">'.$row["Lastname"].'</td>
                      <td width="100">'.$row["Firstname"].'</td>
                      <td width="81"><B>'.$row["Extension"].'</b></td>
                      <td width="141">'.$row["Site"].'</td>
                      <td width="143">'.$row["ADM_LDN"].'</td>
                    </tr>
                  </table>';
                  $i++;
                 }
  }

//Processing the main form
IF ($grab==1)
    {
    //Display the form again and display the top of results table
    ECHO '
             <table width="95%" border="0" cellspacing="0" cellpadding="4" bgcolor="#CCCCCC">
                <tr>
                  <td height="16" bgcolor="#0099CC"><font size="3"><b>Southwest Division Phone Directory Search</b></font></td>
                </tr>
              </table>

               <br>

              <center>

               <table width="300" height="67" border="4" cellpadding="0" cellspacing="0">
                 <tr>
                   <td width="290" bordercolor="#000000"><p align="center">
                     <form method="post" action="http://127.1.1.1/test.php?grab=1">
                     <select name="metode" size="1">
                       <option value="FirstName">First Name</option>
                       <option value="LastName" selected>Last Name</option>
                       <option value="Extension">Extension</option>
                     </select>

                     <input type="text" name="search" size="25">
                     <br>
                     Search database: <input type="submit" value="Go!!" name="Go"></form>
                   </td>
                 </tr>
               </table>

             <table>
               <tr>
                <td width="100" bgcolor="#999999"><div align="center"><b><u><a href="http://127.1.1.1/test.php?grab=1;sort=1">Lastname</u></b></div></td>
                <td width="100" bgcolor="#999999"><div align="center"><b><u><a href="http://127.1.1.1/test.php?grab=1;sort=2">Firstname</u></b></div></td>
                <td width="81" bgcolor="#CCCCCC"><div align="center"><b><u><a href="http://127.1.1.1/test.php?grab=1;sort=3">Extension</u></b></div></td>
                <td width="141" bgcolor="#999999"><div align="center"><strong><u><a href="http://127.1.1.1/test.php?grab=1;sort=4">Site</u></strong></div></td>
                <td width="143" bgcolor="#999999"><div align="center"><strong><u><a href="http://127.1.1.1/test.php?grab=1;sort=5">Admin #</u></strong></div></td>
              </tr>
            </table>';
   
   
    // IF Statement to allow sort function to work
    IF ($sort==1)
        {
        displayresults($metode1,$search1,"Lastname");
        }
    ELSEIF ($sort==2)
        {
        displayresults($metode1,$search1,"Firstname");
        }
    ELSEIF ($sort==3)
        {
        displayresults($metode1,$search1,"Extension");
        }
    ELSEIF ($sort==4)
        {
        displayresults($metode1,$search1,"Site");
        }
    ELSEIF ($sort==5)
        {
        displayresults($metode1,$search1,"Admin");
        }
    ELSE
        {
        displayresults($metode1,$search1,"Site");
        }
    }

//DISPLAYS THE FORM BEFORE QUERY
ELSE
    {
   
    echo '
    <table width="95%" border="0" cellspacing="0" cellpadding="4" bgcolor="#CCCCCC">
      <tr>
        <td height="16" bgcolor="#0099CC"><span class="style2">Southwest Division Phone Directory Search</span></td>
      </tr>
    </table>
   
     <br>

    <center>

     <table width="300" height="67" border="4" cellpadding="0" cellspacing="0">
       <tr>
         <td width="290" bordercolor="#000000"><p align="center">
           <form method="post" action="http://127.1.1.1/test.php?grab=1">
           <select name="metode" size="1">
             <option value="FirstName">First Name</option>
             <option value="LastName" selected>Last Name</option>
             <option value="Extension">Extension</option>
           </select>

           <input type="text" name="search" size="25">
           <br>
           Search database: <input type="submit" value="Go!!" name="Go"></form>
         </td>
       </tr>
     </table>

       <p align="right"><img src="phone-handset.jpg" width="199" height="225" align="right"></p>
       <P align="left"><A name=and><B><FONT face="Arial, sans-serif" color=#003399>Searches</FONT></B></A>
       <P align="left" class=indent><span class="style3"><FONT size=-1>The SWR search engine </FONT><FONT size=-1> ignores common words and characters such as "where" and "how" as they tend not to be real people-like names. If you do not provide sufficient search criteria, your search may yield too much information so please, keep it simple and spell it right. </FONT></span></P>
       <P align="left"><A name=and><B><FONT face="Arial, sans-serif" color=#003399>Other </FONT></B><FONT face="Arial, sans-serif" color=#003399>Advanced <B>Search Features</B></FONT></A> </P>
       <div align="left">

       <LI><FONT size=-1><B>First Name :</B> Specify the FIRST name of the person for which you are searching. </FONT>
       <LI><FONT size=-1><B>Last Name: </B> Specify the LAST name of the person for which you are searching. </FONT>
       <LI><FONT size=-1><B>Extension: </B>You can reverse search on extension to return the associate user of the extension.</FONT>';
     }
?>


The problem is in passing two variables.  $metode1 and $search1 are given value by the form and passed to the displayresults function initially by the $_POST function.  However, when I try to sort by different fields in the database by using the IF/ELSE statement, I lose the values in those two variables and as a result the displayresults function fails.  I'm not quite sure why those variables lose their value and what can I do to make them retain it?

Any ideas?
Ardenn // Traxxus
http://www.twinwand.com
D&D Play by Post Community Looking for Players and DM's

[Unknown]

Umm, you don't want to know how insecure that is....

-[Unknown]

Parham

LOL@Unknown, it's not as insecure as you think it is.  the variables aren't blindly being used like with register_globals.

why do you assign the $_POST values to regular values... instead, just call the function and use $_POST right in the function.

I also don't think you understand how this works:


//DECLARING GLOBALS
GLOBAL $grab,$sort,$_POST;


the "global" keyword should be used inside a function.  when it is used inside a function, it means that those variables should be taken out of the global scope (not the function scope).  using "global" in the global scope means nothing (plus $_POST is already a superglobal which means it's defined EVERYWHERE).

[Unknown]

#3
Parham, I don't know that you realize how insecure it is.... realize that I can easily fake post data.  I could make that script think I'm posting from it, when I'm really posting with my own values.  My own values with values that I couldn't post using that form.

.....

As long as he's on MySQL 4 or higher, I'll get his password and ID_MEMBER, from which I may be able to gain privileges I shouldn't have to his forum.  Obviously this is just an example, but it shows why you don't just do this:

mysql_query("$_POST[hack_me_please]");

This post and the information contained within will self-terminate in not too long :P ;).

-[Unknown]

Parham

#4
Quote from: [Unknown] on September 14, 2004, 01:54:46 AM
Parham, I don't know that you realize how insecure it is.... realize that I can easily fake post data. I could make that script think I'm posting from it, when I'm really posting with my own values. My own values with values that I couldn't post using that form.

...

As long as he's on MySQL 4 or higher, I'll get his password and ID_MEMBER, from which I may be able to gain privileges I shouldn't have to his forum. Obviously this is just an example, but it shows why you don't just do this:

mysql_query("$_POST[hack_me_please]");

This post and the information contained within will self-terminate in not too long :P ;).

-[Unknown]

when you said insecure... it sounded like you could make the system explode and the country drown LOL... give the man a little credit.  you are right though, he should make his sql statements a little less variable and a little more constant.  of course i'm not a wiz at security, which is why i come scrambling here when i have questions or concerns so.... Ardenn, listen to [Unknown] as he doesn't talk out of his ass like I do ^^.

Ardenn

#5
Guys, I'm not using this in conjunction with SMF.  In fact I'm using it on a stand alone test server where the only database is phone_dir and the only table is all_swr.  I see your point about being insecure though.    I will rearrange the script and try to make the query a little more constant.


Now.... About my question..

Quote
why do you assign the $_POST values to regular values... instead, just call the function and use $_POST right in the function.

So you mean something like this?

displayresults($_POST['metode'],$_POST['search'],"Site");

instead of using the variable $metode1?  If this is what you mean, I did this, but I still lost the values for $_POST['metode'] and $_POST['search']  any ideas?

Also:

Quote
I also don't think you understand how this works:


//DECLARING GLOBALS
GLOBAL $grab,$sort,$_POST;


the "global" keyword should be used inside a function.  when it is used inside a function, it means that those variables should be taken out of the global scope (not the function scope).  using "global" in the global scope means nothing (plus $_POST is already a superglobal which means it's defined EVERYWHERE).

I was under the impression that it made the variables $grab and $sort global variables so that I could use:


IF ($grab==X){}


instead of having to use:


IF($_GET['grab']==X){}


Also that's good to know that I don't have to add $_POST as a global.  I didn't know that!


Ardenn // Traxxus
http://www.twinwand.com
D&D Play by Post Community Looking for Players and DM's

Ardenn

This is how I solved my problem:

//Display the top of results table
    ECHO '   <table>
               <tr>
                <td width="100" bgcolor="#999999"><div align="center"><b><u><a href="'.htmlspecialchars("http://test_site11/test.php?sort=1&metode=".urlencode($metode)."&search=".urlencode($search)).'">Lastname</u></b></div></td>
                <td width="100" bgcolor="#999999"><div align="center"><b><u><a href="'.htmlspecialchars("http://test_site11//test.php?sort=2&metode=".urlencode($metode)."&search=".urlencode($search)).'">Firstname</u></b></div></td>
                <td width="81" bgcolor="#CCCCCC"><div align="center"><b><u><a href="'.htmlspecialchars("http://test_site11/test.php?sort=3&metode=".urlencode($metode)."&search=".urlencode($search)).'">Extension</u></b></div></td>
                <td width="141" bgcolor="#999999"><div align="center"><strong><u><a href="'.htmlspecialchars("http://test_site11/test.php?sort=4&metode=".urlencode($metode)."&search=".urlencode($search)).'">Site</u></strong></div></td>
                <td width="143" bgcolor="#999999"><div align="center"><strong><u><a href="'.htmlspecialchars("http://test_site11/test.php?sort=5&metode=".urlencode($metode)."&search=".urlencode($search)).'">Admin #</u></strong></div></td>
              </tr>
            </table>';
Ardenn // Traxxus
http://www.twinwand.com
D&D Play by Post Community Looking for Players and DM's

Parham

$_POST, $_GET, and all those other variables exist EVERYWHERE... you don't need to pass them into functions... just call the function and use them :).  they're superglobals because they exist both in the global scope and in the private scope of functions.

Ardenn

#8
Quote from: Parham on September 14, 2004, 06:41:22 PM
$_POST, $_GET, and all those other variables exist EVERYWHERE... you don't need to pass them into functions... just call the function and use them :). they're superglobals because they exist both in the global scope and in the private scope of functions.

Parham,

That's why I titled this message, "Weird Variable Problem".  Here is the situation.  I pass data to the function from the form using $_POST and everything works like a charm.  Then I reload the script, saying that I want the $ordered variable to change.


<table>
               <tr>
                <td width="100" bgcolor="#999999"><div align="center"><b><u><a href="http://127.1.1.1/test.php?grab=1;sort=1">Lastname</u></b></div></td>
                <td width="100" bgcolor="#999999"><div align="center"><b><u><a href="http://127.1.1.1/test.php?grab=1;sort=2">Firstname</u></b></div></td>
                <td width="81" bgcolor="#CCCCCC"><div align="center"><b><u><a href="http://127.1.1.1/test.php?grab=1;sort=3">Extension</u></b></div></td>
                <td width="141" bgcolor="#999999"><div align="center"><strong><u><a href="http://127.1.1.1/test.php?grab=1;sort=4">Site</u></strong></div></td>
                <td width="143" bgcolor="#999999"><div align="center"><strong><u><a href="http://127.1.1.1/test.php?grab=1;sort=5">Admin #</u></strong></div></td>
              </tr>
            </table>';


Now when I do that, the $_POST and $_GET variable values disappear.  So my query now has no idea what value $metode is and what value $search is, therefore failing.  Just calling the $_POST and $_GET variables didn't solve the problem because they became empty when I reran the script with the above code.  So what I found that I had to do was use the URLENCODE($VARIABLE); function to fake a $_GET variable from the browser.  This allowed me to still use $_GET/$_POST/$_REQUEST in the function and for them to retain their values.
Ardenn // Traxxus
http://www.twinwand.com
D&D Play by Post Community Looking for Players and DM's
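
Added example, not code from any poster in this thread: it combines the two points discussed above, carrying metode and search in the sort links (a clicked link is a GET request, so $_POST is empty) and keeping request values out of the SQL text by allowlisting the column names and binding the search term. Assumptions: PDO with an in-memory SQLite database stands in for the thread's MySQL connection, the function names searchDirectory and sortLink are hypothetical, sort=5 is mapped to the ADM_LDN column, and the two rows are constructed sample data.

```php
<?php
// Allowlists: request values select an identifier, they never become one.
const SEARCH_COLUMNS = ['FirstName' => 'Firstname', 'LastName' => 'Lastname', 'Extension' => 'Extension'];
const SORT_COLUMNS   = [1 => 'Lastname', 2 => 'Firstname', 3 => 'Extension', 4 => 'Site', 5 => 'ADM_LDN'];

function searchDirectory(PDO $db, array $request): array
{
    $metode = $request['metode'] ?? '';
    $column = is_string($metode) ? (SEARCH_COLUMNS[$metode] ?? null) : null;
    if ($column === null) {
        throw new InvalidArgumentException('unknown search field');
    }
    $sort  = $request['sort'] ?? 0;
    $order = SORT_COLUMNS[is_numeric($sort) ? (int) $sort : 0] ?? 'Site'; // default as in the thread

    // Escape LIKE wildcards so the user's text is matched literally, then bind it.
    $search = $request['search'] ?? '';
    $search = strtr(is_string($search) ? $search : '', ['!' => '!!', '%' => '!%', '_' => '!_']);
    $stmt = $db->prepare("SELECT * FROM all_swr WHERE $column LIKE ? ESCAPE '!' ORDER BY $order ASC");
    $stmt->execute(['%' . $search . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Sort links repeat the search state in the query string, HTML-escaped for the attribute.
function sortLink(array $request, int $sort, string $label): string
{
    $query = http_build_query(['grab' => 1, 'sort' => $sort,
        'metode' => $request['metode'] ?? '', 'search' => $request['search'] ?? '']);
    return '<a href="' . htmlspecialchars('test.php?' . $query, ENT_QUOTES) . '">'
        . htmlspecialchars($label) . '</a>';
}

// Constructed sample data (assumption: column names as echoed in the original script).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE all_swr (Lastname TEXT, Firstname TEXT, Extension TEXT, Site TEXT, ADM_LDN TEXT)');
$db->exec("INSERT INTO all_swr VALUES ('Smythe','Bob','1002','Austin','555-0101'),
                                      ('Smith','Ann','1001','Tulsa','555-0100')");

$request = ['metode' => 'LastName', 'search' => 'Sm', 'sort' => '2']; // would be $_GET in the script
foreach (searchDirectory($db, $request) as $row) {
    echo htmlspecialchars(implode(' | ', $row)), "\n";
}
echo sortLink($request, 3, 'Extension'), "\n";

try { // a field name outside the allowlist is rejected before any SQL is built
    searchDirectory($db, ['metode' => 'NotAColumn', 'search' => 'x']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```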
