Maybe one of you can help me out here. Im not quite sure what Im doing wrong. Here is the complete code:
<?
//Database Variables
$hostname = "localhost";
$username = "root";
$password = "";
//Connecting to Database
MYSQL_CONNECT($hostname, $username, $password) or die ("DB connection unavailable");
MYSQL_SELECT_DB ('phone_dir') or die ("Unable to select to database");
//DECLARING GLOBALS
GLOBAL $grab,$sort,$_POST;
//declaring other variable
$i=0;
$metode1=$_POST['metode'];
$search1=$_POST['search'];
//declaring a function to query the database
function displayresults($metode,$search,$ordered)
{
//These variables are echoed for troubleshooting purposes
echo $metode;
echo '<Br>';
echo $search;
echo '<br>';
echo $ordered;
$result = mysql_query("SELECT * FROM all_swr WHERE $metode LIKE '%$search%' ORDER BY $ordered ASC") or die ('QUERY FAILED');
while ($row = mysql_fetch_array($result))
{
//ALTERNATE ROW COLOR
IF ($i % 2 == 0)
{
$bgcolor = "#CCFFCC";
}
ELSE
{
$bgcolor = "#DDDDDD";
}
//table listing results
echo '
<table>
<tr bgcolor='.$bgcolor.'>
<td width="100">'.$row["Lastname"].'</td>
<td width="100">'.$row["Firstname"].'</td>
<td width="81"><B>'.$row["Extension"].'</b></td>
<td width="141">'.$row["Site"].'</td>
<td width="143">'.$row["ADM_LDN"].'</td>
</tr>
</table>';
$i++;
}
}
//Processing the main form
IF ($grab==1)
{
//Display the form again and display the top of results table
ECHO '
<table width="95%" border="0" cellspacing="0" cellpadding="4" bgcolor="#CCCCCC">
<tr>
<td height="16" bgcolor="#0099CC"><font size="3"><b>Southwest Division Phone Directory Search</b></font></td>
</tr>
</table>
<br>
<center>
<table width="300" height="67" border="4" cellpadding="0" cellspacing="0">
<tr>
<td width="290" bordercolor="#000000"><p align="center">
<form method="post" action="http://127.1.1.1/test.php?grab=1">
<select name="metode" size="1">
<option value="FirstName">First Name</option>
<option value="LastName" selected>Last Name</option>
<option value="Extension">Extension</option>
</select>
<input type="text" name="search" size="25">
<br>
Search database: <input type="submit" value="Go!!" name="Go"></form>
</td>
</tr>
</table>
<table>
<tr>
<td width="100" bgcolor="#999999"><div align="center"><b><u><a href="http://127.1.1.1/test.php?grab=1;sort=1">Lastname</u></b></div></td>
<td width="100" bgcolor="#999999"><div align="center"><b><u><a href="http://127.1.1.1/test.php?grab=1;sort=2">Firstname</u></b></div></td>
<td width="81" bgcolor="#CCCCCC"><div align="center"><b><u><a href="http://127.1.1.1/test.php?grab=1;sort=3">Extension</u></b></div></td>
<td width="141" bgcolor="#999999"><div align="center"><strong><u><a href="http://127.1.1.1/test.php?grab=1;sort=4">Site</u></strong></div></td>
<td width="143" bgcolor="#999999"><div align="center"><strong><u><a href="http://127.1.1.1/test.php?grab=1;sort=5">Admin #</u></strong></div></td>
</tr>
</table>';
// IF Statement to allow sort function to work
IF ($sort==1)
{
displayresults($metode1,$search1,"Lastname");
}
ELSEIF ($sort==2)
{
displayresults($metode1,$search1,"Firstname");
}
ELSEIF ($sort==3)
{
displayresults($metode1,$search1,"Extension");
}
ELSEIF ($sort==4)
{
displayresults($metode1,$search1,"Site");
}
ELSEIF ($sort==5)
{
displayresults($metode1,$search1,"Admin");
}
ELSE
{
displayresults($metode1,$search1,"Site");
}
}
//DISPLAYS THE FORM BEFORE QUERY
ELSE
{
echo '
<table width="95%" border="0" cellspacing="0" cellpadding="4" bgcolor="#CCCCCC">
<tr>
<td height="16" bgcolor="#0099CC"><span class="style2">Southwest Division Phone Directory Search</span></td>
</tr>
</table>
<br>
<center>
<table width="300" height="67" border="4" cellpadding="0" cellspacing="0">
<tr>
<td width="290" bordercolor="#000000"><p align="center">
<form method="post" action="http://127.1.1.1/test.php?grab=1">
<select name="metode" size="1">
<option value="FirstName">First Name</option>
<option value="LastName" selected>Last Name</option>
<option value="Extension">Extension</option>
</select>
<input type="text" name="search" size="25">
<br>
Search database: <input type="submit" value="Go!!" name="Go"></form>
</td>
</tr>
</table>
<p align="right"><img src="phone-handset.jpg" width="199" height="225" align="right"></p>
<P align="left"><A name=and><B><FONT face="Arial, sans-serif" color=#003399>Searches</FONT></B></A>
<P align="left" class=indent><span class="style3"><FONT size=-1>The SWR search engine </FONT><FONT size=-1> ignores common words and characters such as "where" and "how" as they tend not to be real people-like names. If you do not provide sufficient search criteria, your search may yield too much information so please, keep it simple and spell it right. </FONT></span></P>
<P align="left"><A name=and><B><FONT face="Arial, sans-serif" color=#003399>Other </FONT></B><FONT face="Arial, sans-serif" color=#003399>Advanced <B>Search Features</B></FONT></A> </P>
<div align="left">
<LI><FONT size=-1><B>First Name :</B> Specify the FIRST name of the person for which you are searching. </FONT>
<LI><FONT size=-1><B>Last Name: </B> Specify the LAST name of the person for which you are searching. </FONT>
<LI><FONT size=-1><B>Extension: </B>You can reverse search on extension to return the associate user of the extension.</FONT>';
}
?>
The problem is in passing two variables. $metode1 and $search1 are given value by the form and passed to the displayresults function initially by the $_POST function. However, when I try to sort by different fields in the database by using the IF/ELSE statement, I lose the values in those two variables and as a result the displayresults function fails. Im not quite sure why those variables lose there value and what can I do to make them retain it?
Any ideas?
Umm, you don't want to know how insecure that is....
-[Unknown]
LOL@Unknown, it's not as insecure as you think it is. the variables aren't blindly being used like with register_globals.
why do you assign the $_POST values to regular values... instead, just call the function and use $_POST right in the function.
I also don't think you understand how this works:
//DECLARING GLOBALS
GLOBAL $grab,$sort,$_POST;
the "global" keyword should be used inside a function. when it is used inside a function, it means that those variables should be taken out of the global scope (not the function scope). using "global" in the global scope means nothing (plus $_POST is already a superglobal which means it's defined EVERYWHERE).
Parham, I don't know that you realize how insecure it is.... realize that I can easily fake post data. I could make that script think I'm posting from it, when I'm really posting with my own values. My own values with values that I couldn't post using that form.
.....
As long as he's on MySQL 4 or higher, I'll get his password and ID_MEMBER, from which I may be able to gain privileges I shouldn't have to his forum. Obviously this is just an example, but it shows why you don't just do this:
mysql_query("$_POST[hack_me_please]");
This post and the information contained within will self-terminate in not too long :P ;).
-[Unknown]
Quote from: [Unknown] on September 14, 2004, 01:54:46 AM
Parham, I don't know that you realize how insecure it is.... realize that I can easily fake post data. I could make that script think I'm posting from it, when I'm really posting with my own values. My own values with values that I couldn't post using that form.
...
As long as he's on MySQL 4 or higher, I'll get his password and ID_MEMBER, from which I may be able to gain privileges I shouldn't have to his forum. Obviously this is just an example, but it shows why you don't just do this:
mysql_query("$_POST[hack_me_please]");
This post and the information contained within will self-terminate in not too long :P ;).
-[Unknown]
when you said insecure... it sounded like you could make the system explode and the country drown LOL... give the man a little credit. you are right though, he should make his sql statements a little less variable and a little more constant. of course i'm not a wiz at security, which is why i come scrambling here when i have questions or concerns so.... Ardenn, listen to [Unknown] as he doesn't talk out of his ass like I do ^^.
Guys, Im not using this in conjunction with SMF. In fact Im using it on a stand alone test server where the only database is phone_dir and the only table is all_swr. I see your point about being insecure though. I will rearrange the script and try to make the query a little more constant.
Now.... About my question..
Quotewhy do you assign the $_POST values to regular values... instead, just call the function and use $_POST right in the function.
So you mean something like this?
displayresults($_POST['metode'],$_POST['search'],"Site");instead of using the variable $metode1? If this is what you mean, I did this, but I still lost the values for $_POST['metode'] and $_POST['search'] any ideas?
Also:
QuoteI also don't think you understand how this works:
//DECLARING GLOBALS
GLOBAL $grab,$sort,$_POST;
the "global" keyword should be used inside a function. when it is used inside a function, it means that those variables should be taken out of the global scope (not the function scope). using "global" in the global scope means nothing (plus $_POST is already a superglobal which means it's defined EVERYWHERE).
I was under the impression that it made the variables $grab and $sort global variables so that I could use:
IF ($grab==X){}
instead of having to use:
IF($_GET['grab']==X){}
Also thats good to know that I don't have to add $_POST as a global. I didnt know that!
This is how I solved my problem:
//Display the top of results table
ECHO ' <table>
<tr>
<td width="100" bgcolor="#999999"><div align="center"><b><u><a href="'.htmlspecialchars("http://test_site11/test.php?sort=1&metode=".urlencode($metode)."&search=".urlencode($search)).'">Lastname</u></b></div></td>
<td width="100" bgcolor="#999999"><div align="center"><b><u><a href="'.htmlspecialchars("http://test_site11//test.php?sort=2&metode=".urlencode($metode)."&search=".urlencode($search)).'">Firstname</u></b></div></td>
<td width="81" bgcolor="#CCCCCC"><div align="center"><b><u><a href="'.htmlspecialchars("http://test_site11/test.php?sort=3&metode=".urlencode($metode)."&search=".urlencode($search)).'">Extension</u></b></div></td>
<td width="141" bgcolor="#999999"><div align="center"><strong><u><a href="'.htmlspecialchars("http://test_site11/test.php?sort=4&metode=".urlencode($metode)."&search=".urlencode($search)).'">Site</u></strong></div></td>
<td width="143" bgcolor="#999999"><div align="center"><strong><u><a href="'.htmlspecialchars("http://test_site11/test.php?sort=5&metode=".urlencode($metode)."&search=".urlencode($search)).'">Admin #</u></strong></div></td>
</tr>
</table>';
$_POST, $_GET, and all those other variables exist EVERYWHERE... you don't need to pass them into functions... just call the function and use them :). they're superglobals because they exist both in the global scope and in the private scope of functions.
Quote from: Parham on September 14, 2004, 06:41:22 PM
$_POST, $_GET, and all those other variables exist EVERYWHERE... you don't need to pass them into functions... just call the function and use them :). they're superglobals because they exist both in the global scope and in the private scope of functions.
Parham,
Thats why I titled this message, "Weird Variable Problem" Here is the situation. I pass data to the function from the form using $_POST and everything works like a charm. Then I reload the script, saying that I want the $ordered variable to change.
<table>
<tr>
<td width="100" bgcolor="#999999"><div align="center"><b><u><a href="http://127.1.1.1/test.php?grab=1;sort=1">Lastname</u></b></div></td>
<td width="100" bgcolor="#999999"><div align="center"><b><u><a href="http://127.1.1.1/test.php?grab=1;sort=2">Firstname</u></b></div></td>
<td width="81" bgcolor="#CCCCCC"><div align="center"><b><u><a href="http://127.1.1.1/test.php?grab=1;sort=3">Extension</u></b></div></td>
<td width="141" bgcolor="#999999"><div align="center"><strong><u><a href="http://127.1.1.1/test.php?grab=1;sort=4">Site</u></strong></div></td>
<td width="143" bgcolor="#999999"><div align="center"><strong><u><a href="http://127.1.1.1/test.php?grab=1;sort=5">Admin #</u></strong></div></td>
</tr>
</table>';
Now when I do that, the $_POST and $_GET variable values disappear. So my query now has no idea what value $metode is and what value $search is, therefore failing. Just calling the $_POST and $_GET variables didnt solve the problem because they became empty when I reran the script with the above code. So what I found that I had to do was use the URLENCODE($VARIABLE); function to fake a $_GET variable from the browser. This allowed me to still use $_GET/$_POST/$_REQUEST in the function and for them to retain their values.