
I have the following code:

http://www.nomorepasting.com/getpaste.php?pasteid=22615

Which is called by the JavaScript mentioned in this question:

My problem is that I do not seem to be able to pass $query, as in nothing seemingly happens when I call this file by itself.

I am unsure what the best way to control the flow of information is. Is my logic ok? Passing the query through JavaScript to the PHP file, and then returning it with the function?

I am also concerned about my use of $rows, as it does not seem to be required.

2 Answers


I think you want to replace this (line 36):

$rows = getRowsByArticleSearch($searchString, $table);

with this:

$rows = getRowsByArticleSearch($query, $table);

And for security concerns, the least you should do is the mysql_real_escape_string stuff from spelley's post.


In the code you linked to, I do not see where $searchString is declared. In the aforementioned PHP, I see these two separate sections:

$query = '';
if (isset($_GET["query"])) {
    $query = $_GET["query"];
}

and the code you are executing later on down the page is

$table = 'Auctions';
$rows = getRowsByArticleSearch($searchString, $table);

Nowhere, as far as I can see in the code, is $searchString ever declared. A larger concern, however, is that you are not sanitizing your query string before executing it. For security's sake, I would at least replace:

// $searchString is spliced straight into the SQL text, unescaped
$result = mysql_query("SELECT ARTICLE_NO, USERNAME, ACCESSSTARTS, ARTICLE_NAME
                       FROM {$table}
                       WHERE UPPER(ARTICLE_NAME) LIKE '%" . $searchString . "%'");

with

// quotes and backslashes in $searchString are now escaped for the SQL string literal
$result = mysql_query("SELECT ARTICLE_NO, USERNAME, ACCESSSTARTS, ARTICLE_NAME
                       FROM {$table}
                       WHERE UPPER(ARTICLE_NAME) LIKE '%" . mysql_real_escape_string($searchString) . "%'");

You should also check whether magic quotes is turned on, to avoid double-escaping.
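
As an added example (not code from the question, the linked paste or either answer), here is the search handler written three ways in PHP: the vulnerable concatenation from the snippet above, the mysql_real_escape_string() version with the magic_quotes_gpc check this answer recommends, and a PDO prepared statement. The column names and the $table value come from the snippets in this thread; the PDO connection string, the credentials and the table whitelist are assumptions. Two caveats the answer does not mention: the mysql_* extension was removed in PHP 7, so the escaped version only runs on PHP 5, and mysql_real_escape_string() neutralises quote characters but not the LIKE wildcards % and _, so a search for "%" would still match every row unless those are escaped separately.

```php
<?php
// Added example; not code from the question or the answers above.
// Column names and $table follow the snippets in this thread; the PDO DSN,
// credentials and the table whitelist are assumptions.

// Escape LIKE metacharacters so a search for "50%" does not match everything.
// MySQL's default LIKE escape character is the backslash.
function likeEscape($searchString)
{
    return addcslashes($searchString, '%_\\');
}

// 1. The original shape: $searchString is spliced into the SQL text.
//    A request with query = %' OR 1=1 --  (trailing space) turns the WHERE
//    clause into  ... LIKE '%%' OR 1=1 -- %'  and returns the whole table.
function searchVulnerable($link, $table, $searchString)
{
    $sql = "SELECT ARTICLE_NO, USERNAME, ACCESSSTARTS, ARTICLE_NAME
            FROM {$table}
            WHERE UPPER(ARTICLE_NAME) LIKE '%" . $searchString . "%'";
    return mysql_query($sql, $link);
}

// 2. What the answer suggests: escape with mysql_real_escape_string()
//    (ext/mysql, PHP 5 only; removed in PHP 7). Undo magic_quotes_gpc first
//    or the value is escaped twice, and escape the LIKE wildcards *before*
//    the SQL escaping so the backslashes likeEscape() adds are themselves
//    escaped correctly inside the string literal.
function searchEscaped($link, $table, $searchString)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $searchString = stripslashes($searchString);
    }
    $pattern = mysql_real_escape_string(likeEscape($searchString), $link);
    $sql = "SELECT ARTICLE_NO, USERNAME, ACCESSSTARTS, ARTICLE_NAME
            FROM {$table}
            WHERE UPPER(ARTICLE_NAME) LIKE UPPER('%" . $pattern . "%')";
    return mysql_query($sql, $link);
}

// 3. The durable fix: a prepared statement, so the search term is sent as
//    data and is never parsed as SQL. Identifiers cannot be bound, so $table
//    is checked against a whitelist instead of being escaped.
function searchPrepared(PDO $pdo, $table, $searchString)
{
    $allowedTables = array('Auctions');   // assumption: the only table this script queries
    if (!in_array($table, $allowedTables, true)) {
        throw new InvalidArgumentException("Unknown table: {$table}");
    }
    $stmt = $pdo->prepare(
        "SELECT ARTICLE_NO, USERNAME, ACCESSSTARTS, ARTICLE_NAME
         FROM {$table}
         WHERE UPPER(ARTICLE_NAME) LIKE UPPER(:pattern)"
    );
    $stmt->bindValue(':pattern', '%' . likeEscape($searchString) . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (connection details are assumptions):
// $pdo = new PDO('mysql:host=localhost;dbname=auctions;charset=utf8mb4', 'user', 'secret');
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);   // real server-side prepares
// $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// $query = isset($_GET['query']) ? $_GET['query'] : '';
// $rows  = searchPrepared($pdo, 'Auctions', $query);
```

The ordering in searchEscaped() matters: likeEscape() runs first so that the backslashes it inserts are then doubled by mysql_real_escape_string() and survive the string-literal parsing as LIKE escapes. In searchPrepared() no SQL escaping is needed at all, because the bound value never passes through the SQL parser; only the LIKE wildcards still have to be escaped, since they are interpreted by the LIKE operator, not by the parser.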
