Problems finding and passing php and mysql variables
I have the following code:
http://www.nomorepasting.com/getpaste.php?pasteid=22615
What is caused by the javascript mentioned in this question :
My problem is that I can't seem to be able to pass $ query as nothing happens when I call this file by itself.
I'm not sure what is the best way to control the flow of information. Is my logic ok? Passing a request via javascript to a php file and then returning it with a function?
I am also worried about using $ rows as it doesn't seem to be necessary.
source to share
In the code you linked to, I can't see where $ searchString is being declared? In the above PHP, I see these two separate sections:
$query ='';
if (isset($_GET["query"]))
$query = $_GET["query"];
and the code you execute later on the page is
$table = 'Auctions';
$rows = getRowsByArticleSearch($searchString, $table);
Nowhere, as far as I can see in the code, is $ searchString declared. The big problem, however, is that you are not deactivating your query string before executing it. For security reasons, I would at least replace:
$result = mysql_query("SELECT ARTICLE_NO, USERNAME, ACCESSSTARTS, ARTICLE_NAME
FROM {$table}
WHERE upper ARTICLE_NAME LIKE '%" . $searchString . "%'");
from
$result = mysql_query("SELECT ARTICLE_NO, USERNAME, ACCESSSTARTS, ARTICLE_NAME
FROM {$table}
WHERE upper ARTICLE_NAME LIKE '%" . mysql_real_escape_string($searchString) . "%'");
You should also check if magic quotes are included to avoid double escaping.
source to share