php form info...

  • starbuck

    php form info...

    Hi,

    have a form, with a text input "fieldname".
    method POST

    $var = $_POST["fieldname"]

    $var is then used to search in mysql

    select * from table where jobtype like '$var%'
    OR jobtype like '%$var%'
    OR jobtype like '%$var'
    OR jobtype like '$var' order by date asc;

    basically i'm doing a search for any string that matches the searched
    input, being at the beginning, middle or end of the jobtype column.

    query works great, except when the string contains the 4-letter word
    'info' such as information or informative
    then the mysql query breaks down and give the usual:

    Error performing query: You have an error in your SQL syntax. Check the
    manual that corresponds to your MySQL server version for the right
    syntax to use near 'ORDER BY date ASC' at line 1

    Now after much debugging, i found out that the php _POST variable
    treats anything with info as a number of 0 value.
    inf is treated as text, nformation is treated as text, but anything
    with info gets a 0 value.

    Searched php.net and couldn't find anything related to this feature,
    looked under security to see if it was related to that, but nothing.

    Can anyone look into it and elaborate?
    create a form, then echo the value of the $_POST variable
    and try words that contain info in them.

    thanks.

    SBJ

  • Ian B

    #2
    Re: php form info...

    Hi,

    The following prints

    * info *

    on the screen for me. If you want to send the code, I'll have a look at
    it.

    Ian

    <html>
    <head>
    <title></title>
    </head>
    <body>
    <?php

    if(isset($_POST['fieldname'])) echo "* {$_POST['fieldname']} *";

    ?>
    <form method="post">
    <input type='text' name='fieldname'>
    <input type='submit'>
    </form>
    </body>
    </html>

    • scott Johnson

      #3
      Re: php form info...

      I tried and had no issue with $_POST[].
      Have you tried print_r($_POST); to ensure it is a $_POST variable problem?

      Can you post a snippet of code that duplicates this problem?

      Here is what I did:

      <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
      "http://www.w3.org/TR/html4/loose.dtd">
      <html>
      <head>
      <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
      <title>Untitled Document</title>
      </head>
      <body>
      <?php
      if($_POST['action'] == 'submit'){
      echo "print_r: ";
      print_r($_POST);
      echo "<br>";
      echo "post: ".$_POST["fieldname"];
      $var = $_POST["fieldname"];
      echo "<br>var: ".$var;
      }
      ?>
      <form name="form1" method="post" action="<?php echo
      $HTTP_SERVER_VARS['PHP_SELF'];?>">
      <table width="400" border="1" align="center" cellpadding="0"
      cellspacing="0">
      <tr>
      <td width="50%" align="right">Field:</td>
      <td><input name="fieldname" type="text" id="fieldname"></td>
      </tr>
      <tr>
      <td>&nbsp;</td>
      <td>&nbsp;</td>
      </tr>
      <tr align="center">
      <td colspan="2"><input type="submit" name="Submit" value="Submit">
      <input name="action" type="hidden" id="action" value="submit"></td>
      </tr>
      </table>
      </form>
      </body>
      </html>


      starbuck wrote:
      > Hi,
      >
      > have a form, with a text input "fieldname".
      > method POST
      >
      > $var = $_POST["fieldname"]
      >
      > $var is then used to search in mysql
      >
      > select * from table where jobtype like '$var%'
      > OR jobtype like '%$var%'
      > OR jobtype like '%$var'
      > OR jobtype like '$var' order by date asc;
      >
      > basically i'm doing a search for any string that matches the searched
      > input, being at the beginning, middle or end of the jobtype column.
      >
      > query works great, except when the string contains the 4-letter word
      > 'info' such as information or informative
      > then the mysql query breaks down and give the usual:
      >
      > Error performing query: You have an error in your SQL syntax. Check the
      > manual that corresponds to your MySQL server version for the right
      > syntax to use near 'ORDER BY date ASC' at line 1
      >
      > Now after much debugging, i found out that the php _POST variable
      > treats anything with info as a number of 0 value.
      > inf is treated as text, nformation is treated as text, but anything
      > with info gets a 0 value.
      >
      > Searched php.net and couldn't find anything related to this feature,
      > looked under security to see if it was related to that, but nothing.
      >
      > Can anyone look into it and elaborate?
      > create a form, then echo the value of the $_POST variable
      > and try words that contain info in them.
      >
      > thanks.
      >
      > SBJ

      --
      Scott Johnson

      • starbuck

        #4
        Re: php form info...

        Hi, thanks for replying with your findings, however the problem occurs
        when trying to search in the mysql statement.
        Below is a sample of my tests:

        $var = $_POST["textfield"];

        $testvar = $var + 2;

        echo $var;
        echo "<br>";
        echo $testvar;

        below is the output for different search keywords.
        word         echo $var    echo $testvar
        test         test         2
        45           45           47
        formation    formation    2
        information  information  INF
        inf          inf          2
        info         info         INF
        inforum      inforum      INF


        as you can see, anything that starts with info is converted to a
        different type or value,
        if it were kept as char the addition would've yielded 2 like all other
        char inputs.
        somehow mysql is treating this also as a different type which is why
        the queries fail.
        the echo of the post variable is displayed correctly, but the 'value'
        of it changes

        this is very weird and i haven't found ways to work around it, the only
        way to retrieve records
        with the string info in them is to search for nfo or inf
        but this isn't something that users of the site would think of doing.

        • Malcolm Dew-Jones

          #5
          Re: php form info...

          starbuck (sbj2k1@yahoo.com) wrote:
          : Hi, thanks for replying with your findings, however the problem occurs
          : when trying to search in the mysql statement.
          : Below is a sample of my tests:

          : $var = $_POST["textfield"];

          : $testvar = $var + 2;

          : echo $var;
          : echo "<br>";
          : echo $testvar;

          : below is the output for different search keywords.
          : word         echo $var    echo $testvar
          : test         test         2
          : 45           45           47
          : formation    formation    2
          : information  information  INF
          : inf          inf          2
          : info         info         INF
          : inforum      inforum      INF


          : as you can see, anything that starts with info is converted to a
          : different type or value,
          : if it were kept as char the addition would've yielded 2 like all other
          : char inputs.
          : somehow mysql is treating this also as a different type which is why
          : the queries fail.
          : the echo of the post variable is displayed correctly, but the 'value'
          : of it changes

          : this is very weird and i haven't found ways to work around it, the only
          : way to retrieve records
          : with the string info in them is to search for nfo or inf
          : but this isn't something that users of the site would think of doing.

          You appear to be misunderstanding and misexplaining your problem.

          The example above uses mathematical addition within a php expression to
          combine a variable containing an arbitrary string with a constant number.

          That shows nothing at all about whatever problem is occurring with mysql.

          The results within php (shown above) depend a great deal on the contents
          of that string. The exact result depends on the rules php uses when it
          tries to interpret the string as part of a mathematical expression. You
          need to read the php documentation in detail to learn all the various
          factors that php uses when interpreting strings in numeric calculations.

          You might wish to check exactly what query string you are sending to
          mysql.

          I always use the following idiom

          $sql = "select whatever ...";

          mysql_query($sql ...etc...

          The point being that if you build the query as a standalone string then it
          is trivial to add an echo to confirm what sql is being run without
          accidentally altering anything.

          echo $sql;




          --

          This programmer available for rent.

          • scott Johnson

            #6
            Re: php form info...

            If you could post the code that duplicates this output, it would be
            easier to tell.

            However if you take a text string and add an integer to it, it will be
            converted to an integer type.

            The INF you have showing means 'infinity', but I am not sure how you are
            getting it.

            Try gettype() in your output to see what type it is getting converted to.


            starbuck wrote:
            > Hi, thanks for replying with your findings, however the problem occurs
            > when trying to search in the mysql statement.
            > Below is a sample of my tests:
            >
            > $var = $_POST["textfield"];
            >
            > $testvar = $var + 2;
            >
            > echo $var;
            > echo "<br>";
            > echo $testvar;
            >
            > below is the output for different search keywords.
            > word         echo $var    echo $testvar
            > test         test         2
            > 45           45           47
            > formation    formation    2
            > information  information  INF
            > inf          inf          2
            > info         info         INF
            > inforum      inforum      INF
            >
            >
            > as you can see, anything that starts with info is converted to a
            > different type or value,
            > if it were kept as char the addition would've yielded 2 like all other
            > char inputs.
            > somehow mysql is treating this also as a different type which is why
            > the queries fail.
            > the echo of the post variable is displayed correctly, but the 'value'
            > of it changes
            >
            > this is very weird and i haven't found ways to work around it, the only
            > way to retrieve records
            > with the string info in them is to search for nfo or inf
            > but this isn't something that users of the site would think of doing.

            --
            Scott Johnson

            • starbuck

              #7
              Re: php form info...

              the problem with mysql is that the where condition is being matched to a
              value that doesn't exist.
              the reason why it doesn't exist is because php changes the value from
              what it should be.
              a value passed in the $_POST variable, that starts with the string 'info'
              is being misinterpreted by php
              and therefore passed to mysql as that misinterpreted value.

              1. input a value in the search box; name of form element is textfield
              2. assign value of textfield to a local variable via $localvar =
              $_POST["textfield"];
              3. use local variable as where condition of mysql statement:
              select * from table where column like '%$localvar%';

              any value you use in the original search box works all the way, whether
              it exists on the mysql table or not
              it retains the value that it's supposed to.
              however if the value begins with info it will break the mysql statement
              and result in a syntax error.
              now what's so special about info?

              the numerical calculations above were to determine the real value,
              whatever it may be for the string passed.
              numbers remain numbers, strings appear to be given a value of 0,
              however a string that starts with info
              is given an INF or infinite value it seems.

              • Malcolm Dew-Jones

                #8
                Re: php form info...

                starbuck (sbj2k1@yahoo.com) wrote:
                : the problem with mysql is that the where condition is being matched to a
                : value that doesn't exist.
                : the reason why it doesn't exist is because php changes the value from
                : what it should be.
                : a value passed in the $_POST variable, that starts with the string 'info'
                : is being misinterpreted by php
                : and therefore passed to mysql as that misinterpreted value.

                : 1. input a value in the search box; name of form element is textfield
                : 2. assign value of textfield to a local variable via $localvar =
                : $_POST["textfield"];
                : 3. use local variable as where condition of mysql statement:
                : select * from table where column like '%$localvar%';

                : any value you use in the original search box works all the way, whether
                : it exists on the mysql table or not
                : it retains the value that it's supposed to.
                : however if the value begins with info it will break the mysql statement
                : and result in a syntax error.
                : now what's so special about info?

                : the numerical calculations above were to determine the real value,
                : whatever it may be for the string passed.
                : numbers remain numbers, strings appear to be given a value of 0,
                : however a string that starts with info
                : is given an INF or infinite value it seems.

                Mysql receives a string, and you haven't examined that string. The
                problem has nothing to do with mysql, and everything to do with how you
                build the query string.

                You don't include any code that illustrates the problem so there is
                nothing that can be done to help fix it.

                My example code did not reproduce your problem.


                $var = 'm';
                $sql = "select * from Contacts where owner like '%$var%'";
                echo "$sql \n";

                $sth = mysql_query($sql, $dbh) or die(mysql_error());
                while($row = mysql_fetch_array($sth))
                {
                echo $row['owner'];

                }

                $var = 'info';
                $sql = "select * from Contacts where owner like '%$var%'";
                echo "$sql \n";

                $sth = mysql_query($sql, $dbh) or die(mysql_error());
                while($row = mysql_fetch_array($sth))
                {
                echo $row['owner'];

                }


                Both code samples worked just fine against one of my databases.

                --

                This programmer available for rent.

                • starbuck

                  #9
                  Re: php form info...

                  <pre>

                  below is the code that i'm using:
                  i added the echo's above the mysql query
                  just to see what is actually being assigned to the $where_condition.
                  it seems that when $search_value is given the 'info' string, the
                  $where_condition never gets set at all
                  even though the else statement should set it.
                  If the user enters a number, the query tries to match that number by
                  looking for it in the school_number
                  column. If a user types some text, it tries to match it up in the name
                  and aka fields.


                  $search_value = $_POST["textfield"];

                  if (!$search_value) {
                      echo("<p>You must type something in the search box to get results: "
                      . mysql_error() . "</p>");
                      exit();
                  }

                  if ($search_value != 0) {
                      if ($search_value / $search_value == 1) {
                          $where_condition = "schools.school_number = '$search_value'";
                      }
                  }
                  else {
                      $where_condition = "schools.name like '$search_value%' OR
                  schools.aka like '$search_value%' OR schools.name like
                  '%$search_value%' OR schools.aka like '%$search_value%'";
                  }

                  echo $search_value;
                  echo "<br>SELECT *, ceiling(read_scores/20) as read_stars,
                  ceiling(math_scores/20) as math_stars FROM schools WHERE " .
                  $where_condition . " ORDER BY borough ASC";

                  $result = db_query("SELECT *, ceiling(read_scores/20) as read_stars,
                  ceiling(math_scores/20) as math_stars FROM schools WHERE " .
                  $where_condition . " ORDER BY borough ASC", $link);
                  if (!$result) {
                      echo("<p>Error performing query: " . mysql_error() . "</p>");
                      exit();
                  }
                  </pre>

                  • scott Johnson

                    #10
                    Re: php form info...

                    Ok now it's starting to make sense.
                    Any time you start to compare a string to an integer, it tries to
                    convert the string looking at it one character at a time. Strings
                    without integers will convert to 0 (zero).

                    If it encounters a string with INF in it, it will treat it as an
                    'infinity' type. (not an expert on that).

                    It seems like you are taking a string and testing it for either an
                    integer or a string. But testing it against an integer, "if
                    ($search_value != 0)", will automatically treat the string as an
                    integer, and then if it sees 'inf' in it, will try to force the case on it.

                    What I have done in the past to check for integer is use:
                    if(is_int($search_value)){
                    Do your number search
                    }else{
                    Do your string search
                    }
                    I hope this makes sense.

                    Maybe Malcolm can elaborate some more.

                    Good luck

                    starbuck wrote:
                    > <pre>
                    >
                    > below is the code that i'm using:
                    > i added the echo's above the mysql query
                    > just to see what is actually being assigned to the $where_condition.
                    > it seems that when $search_value is given the 'info' string, the
                    > $where_condition never gets set at all
                    > even though the else statement should set it.
                    > If the user enters a number, the query tries to match that number by
                    > looking for it in the school_number
                    > column. If a user types some text, it tries to match it up in the name
                    > and aka fields.
                    >
                    >
                    > $search_value = $_POST["textfield"];
                    >
                    > if (!$search_value) {
                    >     echo("<p>You must type something in the search box to get results: "
                    >     . mysql_error() . "</p>");
                    >     exit();
                    > }
                    >
                    > if ($search_value != 0) {
                    >     if ($search_value / $search_value == 1) {
                    >         $where_condition = "schools.school_number = '$search_value'";
                    >     }
                    > }
                    > else {
                    >     $where_condition = "schools.name like '$search_value%' OR
                    > schools.aka like '$search_value%' OR schools.name like
                    > '%$search_value%' OR schools.aka like '%$search_value%'";
                    > }
                    >
                    > echo $search_value;
                    > echo "<br>SELECT *, ceiling(read_scores/20) as read_stars,
                    > ceiling(math_scores/20) as math_stars FROM schools WHERE " .
                    > $where_condition . " ORDER BY borough ASC";
                    >
                    > $result = db_query("SELECT *, ceiling(read_scores/20) as read_stars,
                    > ceiling(math_scores/20) as math_stars FROM schools WHERE " .
                    > $where_condition . " ORDER BY borough ASC", $link);
                    > if (!$result) {
                    >     echo("<p>Error performing query: " . mysql_error() . "</p>");
                    >     exit();
                    > }
                    > </pre>

                    --
                    Scott Johnson
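
An added example, not code from any poster in this thread: one way to choose between the number search and the text search from post #9 without comparing the form value to a number, while binding the search term as a parameter instead of interpolating $_POST into the SQL string. The `schools` column names come from the thread; the PDO connection to an in-memory SQLite database, the sample rows and the function names `build_school_search` and `search_schools` are assumptions made so the script runs offline.

```php
<?php
// Added example (not from the thread). The SQLite in-memory database and its
// rows are constructed; the same PDO calls work with a MySQL DSN.

/** Pick the WHERE clause by inspecting characters, never by numeric casting. */
function build_school_search(string $raw): array
{
    $value = trim($raw);
    if ($value === '') {
        throw new InvalidArgumentException('empty search');
    }
    // Form values arrive as strings. ctype_digit() looks only at the
    // characters, so "info", "inf" and "1e3" are always treated as text.
    if (ctype_digit($value)) {
        return ['schools.school_number = ?', [$value]];
    }
    // Escape LIKE wildcards so the input matches literally. One %value%
    // pattern covers the start, middle and end cases of the original query.
    $like = '%' . strtr($value, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
    return [
        "schools.name LIKE ? ESCAPE '!' OR schools.aka LIKE ? ESCAPE '!'",
        [$like, $like],
    ];
}

function search_schools(PDO $db, string $raw): array
{
    [$where, $params] = build_school_search($raw);
    // Every branch returns a condition, so WHERE is never empty, and the
    // user's text travels as a bound parameter, not as part of the SQL.
    $stmt = $db->prepare(
        "SELECT name FROM schools WHERE ($where) ORDER BY borough ASC"
    );
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE schools
           (school_number TEXT, name TEXT, aka TEXT, borough TEXT)');
$insert = $db->prepare('INSERT INTO schools VALUES (?, ?, ?, ?)');
foreach ([ // constructed sample rows
    ['45', 'Information Technology High School', 'Info Tech', 'Queens'],
    ['12', 'Infinity Academy', 'INF', 'Bronx'],
    ['7', "O'Brien School", '100% Prep', 'Brooklyn'],
] as $row) {
    $insert->execute($row);
}

// Terms from the thread plus inputs that would break an interpolated query.
foreach (['info', 'inf', '45', "O'Brien", '100%', "x' OR '1'='1"] as $term) {
    printf("%-14s => %s\n", $term, json_encode(search_schools($db, $term)));
}
```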
