Clever Geek Handbook

Problems finding and passing php and mysql variables

I have the following code:

http://www.nomorepasting.com/getpaste.php?pasteid=22615

What is caused by the javascript mentioned in this question :

My problem is that I can't seem to be able to pass $ query as nothing happens when I call this file by itself.

I'm not sure what is the best way to control the flow of information. Is my logic ok? Passing a request via javascript to a php file and then returning it with a function?

I am also worried about using $ rows as it doesn't seem to be necessary.

0


source to share


2 answers


I think you want to replace this (line 36):

$rows = getRowsByArticleSearch($searchString, $table);

with this:



$rows = getRowsByArticleSearch($query, $table);

And for security reasons the least you need to do is the mysql_real_escape_string stuff from spelley's post.

+1


source


In the code you linked to, I can't see where $ searchString is being declared? In the above PHP, I see these two separate sections:

$query ='';
if (isset($_GET["query"]))
$query = $_GET["query"];

and the code you execute later on the page is

$table = 'Auctions';
$rows = getRowsByArticleSearch($searchString, $table);

Nowhere, as far as I can see in the code, is $ searchString declared. The big problem, however, is that you are not deactivating your query string before executing it. For security reasons, I would at least replace:



$result = mysql_query("SELECT ARTICLE_NO, USERNAME, ACCESSSTARTS, ARTICLE_NAME 
                       FROM {$table} 
                       WHERE upper ARTICLE_NAME LIKE '%" . $searchString . "%'");

from

$result = mysql_query("SELECT ARTICLE_NO, USERNAME, ACCESSSTARTS, ARTICLE_NAME 
                       FROM {$table} 
                       WHERE upper ARTICLE_NAME LIKE '%" . mysql_real_escape_string($searchString) . "%'");

You should also check if magic quotes are included to avoid double escaping.

0


source






More articles:


All Articles