Double query form, result of 1st query drops anything after a space

  • dogu

    Double query form, result of 1st query drops anything after a space

    Noob alert.
    Code is below.
    File is saved as a .php.

    What I'm trying to do:
    User uses 'select' box drop down list to pick a value.
    Value ($site) is derived from a db query. This works fine.
    Value selected is used as the 'where' clause of the 2nd query.
    If $site is a single word, the 2nd query works like a charm.
    If $site is more than one word (has spaces), the query returns a null
    because $site is trimmed back to just the first word (I can tell that
    because I echo the value of $site).

    I've poked around here and googled but no joy. Any tips are
    appreciated. Soooo close...

    Doug

    <html>
    <body>
    Select the site name from the list below<br>
    Note - if you start typing the name, you don't have to scroll to the
    name.<br>
    </body>
    <br>
    <form>
    <?php

    // Define variables
    $server = 'localhost';
    $username = 'web';
    $password = 'user';
    $database = 'HomeData';

    //$query = "Select site, username, password from sitelogins where site = '$site'";
    $query = "Select site from sitelogins order by site";

    // connect to mysql
    $db = mysql_connect($server, $username, $password);

    // connect to db
    mysql_select_db($database, $db);

    // >>>>> run query and populate the select box - this bit works great.
    // >>>>> note, if I use \"$site\" below, I get nothing. using site as
    // the name seems to work.

    $result = mysql_query($query, $db);
    echo "<select name=\"site\">";
    if(!$result) die ("query failed");
    while($row = mysql_fetch_row($result)) {
    echo "<OPTION VALUE=".$row[0].">".$row[0]."</OPTION>";
    }
    echo "</select>";

    // >>>>> next line - if the value of $site is something like 'fred joe',
    // the echo $site prints as 'fred' and the 2nd query returns null

    echo "<br><br>The requested site is $site <br><br>";
    echo "<table border=1>\n";
    echo "<tr><td>The username is:</td><td>The password is:</td>";


    $query2 = "Select * from sitelogins where site = '$site'";
    $result2 = mysql_query($query2, $db);
    if(!$result2) die ("query failed");
    while($row = mysql_fetch_row($result2)) {
    echo "<tr><td>$row[1]</td><td>$row[2]</td></tr>";
    }

    echo "</table>";

    // close connection
    mysql_close($db);
    ?>
    <br>
    <input type="submit" value = "Get Password">
    </form>
    </html>
  • Theo

    #2
    Re: Double query form, result of 1st query drops anything after a space

    dogu <dfinnerathome@netscape.net> wrote in news:gbudnWqdxpwKLefcRVn-
    sQ@metrocastcablevision.com:

    > echo "<select name=\"site\">" ;

    I think that would produce <select name=site>, which isn't right. right?

    try echo "<select name='$site'>";

    Comment

    • dogu

      #3
      Re: Double query form, result of 1st query drops anything after a space

      Theo,

      Thanks but no joy. In this case, nothing is echoed back even if there's
      only a single word in the selected value.

      I've tried a number of different versions, none of them seem to work
      including the one that seems to make the most sense
      echo "<select name=\"$site\"> ";
      which also returns nothing.

      Thanks for the reply.

      Doug

      Theo wrote:
      > dogu <dfinnerathome@netscape.net> wrote in news:gbudnWqdxpwKLefcRVn-
      > sQ@metrocastcablevision.com:
      >
      >> echo "<select name=\"site\">" ;
      >
      > I think that would produce <select name=site>, which isn't right. right?
      >
      > try echo "<select name='$site'>";

      Comment

      • dogu

        #4
        Did a 'big hammer' fix but still want to understand the issue.

        OK, when fine motor skills don't do the trick, hit it with a hammer.
        Did the following in MySQL
        Update sitelogins
        Set site = replace(site, " ", "_")
        Execute
        Bang! No spaces, happy happy joy joy.

        Now, I still do want to know what's up with the space issue. I know
        I'll run into this again and don't want to not allow spaces in MySQL data.

        TIA for tips and pointers (and feel free to point me to resources rather
        than solving the problem for me - I like to know how to fish, just give
        me enough of a pointer to find the answer).

        Doug

        Theo wrote:
        > dogu <dfinnerathome@netscape.net> wrote in news:gbudnWqdxpwKLefcRVn-
        > sQ@metrocastcablevision.com:
        >
        >> echo "<select name=\"site\">" ;
        >
        > I think that would produce <select name=site>, which isn't right. right?
        >
        > try echo "<select name='$site'>";

        Comment

        • Theo

          #5
          Re: Double query form, result of 1st query drops anything after a space

          dogu <dfinnerathome@netscape.net> wrote in news:gbudnWqdxpwKLefcRVn-
          sQ@metrocastcablevision.com:

          > <html>
          > <body>
          > Select the site name from the list below<br>
          > Note - if you start typing the name, you don't have to scroll to the
          > name.<br>
          > </body>
          > <br>
          > <form>
          > <?php
          >
          > // Define variables
          > $server = 'localhost';
          > $username = 'web';
          > $password = 'user';
          > $database = 'HomeData';
          >
          > //$query = "Select site, username, password from sitelogins where site =
          > '$site'";
          > $query = "Select site from sitelogins order by site";
          >
          > // connect to mysql
          > $db = mysql_connect($server, $username, $password);
          >
          > // connect to db
          > mysql_select_db($database, $db);
          >
          > // >>>>> run query and populate the select box - this bit works great.
          > // >>>>> note, if I use \"$site\" below, I get nothing. using site as
          > the name seems to work.
          >
          > $result = mysql_query($query, $db);
          > echo "<select name=\"site\">" ;
          > if(!$result) die ("query failed");
          > while($row = mysql_fetch_row($result)) {
          > echo "<OPTION VALUE=".$row[0].">".$row[0]."</OPTION>";
          > }
          > echo "</select>";
          >
          > // >>>>> next line - if the value of $site is something like 'fred joe',
          > the echo $site prints as 'fred' and the 2nd query returns null
          >
          > echo "<br><br>The requested site is $site <br><br>";
          > echo "<table border=1>\n";
          > echo "<tr><td>The username is:</td><td>The password is:</td>";
          >
          >
          > $query2 = "Select * from sitelogins where site = '$site'";
          > $result2 = mysql_query($query2, $db);
          > if(!$result2) die ("query failed");
          > while($row = mysql_fetch_row($result2)) {
          > echo "<tr><td>$row[1]</td><td>$row[2]</td></tr>";
          > }
          >
          > echo "</table>";
          >
          > // close connection
          > mysql_close($db);
          > ?>
          > <br>
          > <input type="submit" value = "Get Password">
          > </form>
          > </html>
          >

          Two things, where do you assign $site a value before you actually use it?

          second, you are using the $db link instead of the connect link for your
          queries (choose something other than result so you don't overwrite it).

          And no I didn't catch that immediately :P

          Comment

          • Geoff Muldoon

            #6
            Re: Double query form, result of 1st query drops anything after a space

            > dogu <dfinnerathome@netscape.net> wrote
            >
            > echo "<select name=\"site\">" ;

            Try:

            echo '<select name="'.$site.' ">';

            Geoff M

            Comment

            • Michael Fesser

              #7
              Re: Double query form, result of 1st query drops anything after a space

              .oO(dogu)

              >User uses 'select' box drop down list to pick a value.
              >Value ($site) is derived from a db query. This works fine.
              >Value selected is used as the 'where' clause of the 2nd query.
              >If $site is a single word, the 2nd query works like a charm.
              >If $site is more than one word (has spaces), the query returns a null
              >because $site is trimmed back to just the first word (I can tell that
              >because I echo the value of $site.

              The reason is the way how you build your select box. Have a look at the
              generated HTML code or even better run it through the W3 validator.

              ><form>

              Where are the required form attributes method and action?

              >// >>>>> run query and populate the select box - this bit works great.
              >// >>>>> note, if I use \"$site\" below, I get nothing. using site as
              >the name seems to work.

              Sure, because you don't want to print out the value of the (undefined)
              variable $site, but the literal string 'site'.

              >$result = mysql_query($query, $db);
              >echo "<select name=\"site\">" ;

              echo '<select name="site">';

              >if(!$result) die ("query failed");
              > while($row = mysql_fetch_row($result)) {
              >echo "<OPTION VALUE=".$row[0].">".$row[0]."</OPTION>";

              And here's the problem. Assuming $row[0] contains 'foo bar', the result
              will look like this:

              <OPTION VALUE=foo bar>foo bar</OPTION>

              Got it? Now try it this way:

              echo "<option value='$row[0]'>$row[0]</option>";

              The result will be:

              <option value='foo bar'>foo bar</option>

              But why not simply use a kind of ID for the values instead of a complete
              site name? Would avoid lots of problems.

              >$query2 = "Select * from sitelogins where site = '$site'";

              First: You want to use $_GET['site'] or $_POST['site'] (dependent on the
              used submission method) instead of just $site.

              http://www.php.net/manual/en/security.globals.php


              Second: You want to use at least mysql_escape_string() before using a
              user submitted string in a query. Check for magic quotes first.






              HTH
              Micha

              Comment

              • dogu

                #8
                Re: Double query form, result of 1st query drops anything after a space

                Theo wrote:
                > dogu <dfinnerathome@netscape.net> wrote in news:gbudnWqdxpwKLefcRVn-
                > sQ@metrocastcablevision.com:
                >
                >><html>
                >><body>
                >>Select the site name from the list below<br>
                >>Note - if you start typing the name, you don't have to scroll to the
                >>name.<br>
                >></body>
                >><br>
                >><form>
                >><?php
                >>
                >>// Define variables
                >>$server = 'localhost';
                >>$username = 'web';
                >>$password = 'user';
                >>$database = 'HomeData';
                >>
                >>//$query = "Select site, username, password from sitelogins where site =
                >>'$site'";
                >>$query = "Select site from sitelogins order by site";
                >>
                >>// connect to mysql
                >>$db = mysql_connect($server, $username, $password);
                >>
                >>// connect to db
                >>mysql_select_db($database, $db);
                >>
                >>// >>>>> run query and populate the select box - this bit works great.
                >>// >>>>> note, if I use \"$site\" below, I get nothing. using site as
                >>the name seems to work.
                >>
                >>$result = mysql_query($query, $db);
                >>echo "<select name=\"site\">" ;
                >>if(!$result) die ("query failed");
                >> while($row = mysql_fetch_row($result)) {
                >>echo "<OPTION VALUE=".$row[0].">".$row[0]."</OPTION>";
                >>}
                >>echo "</select>";
                >>
                >>// >>>>> next line - if the value of $site is something like 'fred joe',
                >>the echo $site prints as 'fred' and the 2nd query returns null
                >>
                >>echo "<br><br>The requested site is $site <br><br>";
                >>echo "<table border=1>\n";
                >>echo "<tr><td>The username is:</td><td>The password is:</td>";
                >>
                >>
                >>$query2 = "Select * from sitelogins where site = '$site'";
                >>$result2 = mysql_query($query2, $db);
                >>if(!$result2) die ("query failed");
                >> while($row = mysql_fetch_row($result2)) {
                >> echo "<tr><td>$row[1]</td><td>$row[2]</td></tr>";
                >> }
                >>
                >>echo "</table>";
                >>
                >>// close connection
                >>mysql_close($db);
                >>?>
                >><br>
                >><input type="submit" value = "Get Password">
                >></form>
                >></html>
                >>
                >
                > Two things, where do you assign $site a value before you actually use it?

                Lost again...

                What I thought I was doing was creating the variable in the line that
                creates the drop down select box, echo "<select name=\"site\">" ;
                That's where I thought the variable name was created. If it gets
                created somewhere else, I don't have a clue where.

                >
                > second, you are using the $db link instead of the connect link for your
                > queries (choose something other than result so you don't overwrite it).
                >
                > And no I didn't catch that immediately :P

                Still lost. Every example of php connecting to MySQL uses the same
                format as my code.

                $db = mysql_connect($server, $username, $password);
                mysql_select_db($database, $db);
                Isn't $db the connect link? Can't I use it throughout the code?
                Are you referring to my $result2? Do I need to create something like a
                second connect as $db2 = mysql_connect($server, $username, $password)?

                I know I'm getting trapped in some kind of circular logic hell.
                Everything I've used for references either has good HTML examples with
                no PHP/MySQL, or good PHP with limited HTML or simple HTML form creation
                with no clever modifications (ie programmatic population of lists) or...
                but never a fully built example of the whole thing.

                Once all the pieces come together, this'll be easy. I'm just not seeing
                the solution. Sorry for my slowness and thank you for your patience.

                Doug

                Comment

                • dogu

                  #9
                  Re: Double query form, result of 1st query drops anything after a space

                  Michael Fesser wrote:
                  > .oO(dogu)
                  >
                  >>User uses 'select' box drop down list to pick a value.
                  >>Value ($site) is derived from a db query. This works fine.
                  >>Value selected is used as the 'where' clause of the 2nd query.
                  >>If $site is a single word, the 2nd query works like a charm.
                  >>If $site is more than one word (has spaces), the query returns a null
                  >>because $site is trimmed back to just the first word (I can tell that
                  >>because I echo the value of $site.
                  >
                  > The reason is the way how you build your select box. Have a look at the
                  > generated HTML code or even better run it through the W3 validator.
                  >
                  >><form>
                  >
                  > Where are the required form attributes method and action?
                  >

                  What I appear to have created is a form that doesn't go anywhere. I'm
                  not calling a different PHP file to process the data, it's all in the
                  same file/form/code/whatever it's called. Set a value one place on the
                  form and another bit of the form uses the input. Not sure if this is
                  supposed to work, but when I hit my 'get password' button, stuff happens
                  and results pop into a table.
                  Should I be doing a 'call to self' (not sure of the format but know I've
                  seen something like that somewhere)?

                  >>// >>>>> run query and populate the select box - this bit works great.
                  >>// >>>>> note, if I use \"$site\" below, I get nothing. using site as
                  >>the name seems to work.
                  >
                  > Sure, because you don't want to print out the value of the (undefined)
                  > variable $site, but the literal string 'site'.
                  >
                  >>$result = mysql_query($query, $db);
                  >>echo "<select name=\"site\">" ;
                  >
                  > echo '<select name="site">';
                  >
                  >>if(!$result) die ("query failed");
                  >> while($row = mysql_fetch_row($result)) {
                  >>echo "<OPTION VALUE=".$row[0].">".$row[0]."</OPTION>";
                  >
                  > And here's the problem. Assuming $row[0] contains 'foo bar', the result
                  > will look like this:
                  >
                  > <OPTION VALUE=foo bar>foo bar</OPTION>
                  >
                  > Got it? Now try it this way:
                  >
                  > echo "<option value='$row[0]'>$row[0]</option>";
                  >
                  > The result will be:
                  >
                  > <option value='foo bar'>foo bar</option>

                  WHOA! It works like magic! I need to play with the logic of my 'bad'
                  version and yours to understand the difference. Is this a magic quote
                  thing?

                  > But why not simply use a kind of ID for the values instead of a complete
                  > site name? Would avoid lots of problems.
                  >

                  Two reasons. For the particular design I'm working with, I want the
                  choice displayed to the user derived directly from the db AND be human
                  readable.
                  Second, I know I'll run into this kind of problem again (spaces in
                  strings) and I want to be sure I know how to deal with them.

                  >>$query2 = "Select * from sitelogins where site = '$site'";
                  >
                  > First: You want to use $_GET['site'] or $_POST['site'] (dependent on the
                  > used submission method) instead of just $site.

                  See discussion further up about the form actions. I'm not using a post
                  or get, just running code inside one php file

                  >
                  > http://www.php.net/manual/en/security.globals.php
                  >
                  > Second: You want to use at least mysql_escape_string() before using a
                  > user submitted string in a query. Check for magic quotes first.
                  >

                  Need to read up on these things.

                  > http://www.php.net/manual/en/securit...-injection.php
                  > http://www.php.net/manual/en/functio...ape-string.php
                  > http://www.php.net/manual/en/function.addslashes.php
                  > http://www.php.net/manual/en/functio...quotes-gpc.php
                  >
                  > HTH
                  > Micha

                  My thanks to you for your patience. I've been working in one nicely
                  contained development environment for about 10 years (Lotus Notes) and
                  working out of that rut into 4 new languages/systems that all have to
                  work together is proving confusing (and making me think in new ways - a
                  good thing). Back at it!

                  Take care and I'll talk to you later.

                  Doug

                  Comment

                  • Michael Fesser

                    #10
                    Re: Double query form, result of 1st query drops anything after a space

                    .oO(dogu)

                    >Michael Fesser wrote:
                    >>
                    >> Where are the required form attributes method and action?
                    >>
                    >What I appear to have created is a form that doesn't go anywhere. I'm
                    >not calling a different PHP file to process the data, it's all in the
                    >same file/form/code/whatever it's called.

                    Quite usual, but nevertheless the browser has to know where to send the
                    data.

                    >Set a value one place on the
                    >form and another bit of the form uses the input. Not sure if this is
                    >supposed to work, but when I hit my 'get password' button, stuff happens
                    >and results pop into a table.
                    >Should I be doing a 'call to self' (not sure of the format but know I've
                    >seen something like that somewhere)?

                    Yep, at least the action-attribute is required. Use $_SERVER['PHP_SELF']
                    for its value. The method-attribute is not required (defaults to 'get'),
                    but IMHO makes the code more readable:

                    <form action="<?php print $_SERVER['PHP_SELF']?>" method="get">

                    >> <option value='foo bar'>foo bar</option>
                    >WHOA! It works like magic! I need to play with the logic of my 'bad'
                    >version and yours to understand the difference. Is this a magic quote
                    >thing?

                    Nope. The answer is much simpler. Without quotes in

                    <option value=foo bar>foo bar</option>

                    only 'foo' is seen as the attribute's value, 'bar' is considered as
                    another (undefined) attribute, because in HTML attributes are separated
                    by blanks. So to tell the browser, that all the words belong to the one
                    attribute, just put quotes around them. BTW it's a good idea to always
                    quote attribute values (with single or double quotes), this avoids such
                    errors.

                    >> But why not simply use a kind of ID for the values instead of a complete
                    >> site name? Would avoid lots of problems.
                    >>
                    >Two reasons. For the particular design I'm working with, I want the
                    >choice displayed to the user derived directly from the db AND be human
                    >readable.

                    No problem so far, you could use an ID for the internal value and the
                    human readable stuff for the display. Assuming your records in the
                    database look like this ...

                    ID | site
                    ----+----------------
                    1 | This is foo
                    2 | This is bar
                    42 | Nothing special

                    your select box could look like this ...

                    <select name="site">
                    <option value="1">This is foo</option>
                    <option value="2">This is bar</option>
                    <option value="42">Nothing special</option>
                    </select>

                    IMHO this would also make the querying of the DB easier and more
                    reliable. You don't have to deal with quoting, escaping and probably
                    encoding stuff anymore. You just have to do the "standard check" if a
                    value was submitted at all and use its integer-value in the query:

                    // This makes sure that $site always contains a numeric value, in case
                    // of an error it is set to zero
                    $site = isset($_GET['site']) ? intval($_GET['site']) : 0;
                    $query = "SELECT ... FROM ... WHERE site = $site";

                    Or both together in one statement using sprintf():

                    // %u is a placeholder for an unsigned integer
                    $query = sprintf('SELECT ... FROM ... WHERE site = %u',
                    isset($_GET['site']) ? $_GET['site'] : 0);

                    Just some ideas.

                    >Second, I know I'll run into this kind of problem again (spaces in
                    >strings) and I want to be sure I know how to deal with them.

                    OK.

                    But as said earlier: In case of problems have a look at the generated
                    HTML-code (with an editor capable of syntax highlighting if available)
                    and use the W3 validator. It will complain about such errors.

                    >> First: You want to use $_GET['site'] or $_POST['site'] (dependent on the
                    >> used submission method) instead of just $site.
                    >
                    >See discussion further up about the form actions. I'm not using a post
                    >or get, just running code inside one php file

                    Sure, but the browser has to submit the form first, before you can
                    process its data. Even if you send it to the same file, you have to
                    choose between get (default) or post. But what I was referring to was
                    the register_globals thing. On recent PHP installations with default
                    configuration the variable $site would be undefined, the correct way to
                    access its value is to use one of the superglobal arrays $_GET or
                    $_POST. This will work on all systems, regardless of the configuration.

                    >> Second: You want to use at least mysql_escape_string() before using a
                    >> user submitted string in a query. Check for magic quotes first.
                    >>
                    >Need to read up on these things.

                    Do a Google on (Advanced) SQL Injection. When working with scripts and
                    especially databases you should know about some of the dangers and risks
                    that exist there and how to secure your scripts. The WWW is no
                    playground, it's a battlefield with thousands of crackers, script kiddies
                    and other parasites being your enemies.

                    Micha

                    Comment
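
Added example (not code from any poster in this thread): the two fixes discussed in #7 and #10, quoting the option value and keeping user input out of the SQL string, run side by side with the original markup. It goes one step further than the thread by HTML-escaping the value with htmlspecialchars() and binding it in a PDO prepared statement; the in-memory SQLite database, the sample rows and the helper function names are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. The table name follows the
// thread's "sitelogins" table; the rows are constructed sample data, and an
// in-memory SQLite database (via PDO) stands in for the poster's MySQL server.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sitelogins (site TEXT, username TEXT, password TEXT)');
$insert = $db->prepare('INSERT INTO sitelogins VALUES (?, ?, ?)');
$rows = [
    ['fred joe',   'fj',  'pw1'],   // space in the name: the thread's case
    ["Bob's Bank", 'bob', 'pw2'],   // quote in the name: breaks value='...'
    ['single',     's',   'pw3'],
];
foreach ($rows as $r) {
    $insert->execute($r);
}

// The markup from the original post: attribute value unquoted and unescaped.
function option_unquoted(string $site): string
{
    return "<OPTION VALUE=" . $site . ">" . $site . "</OPTION>";
}

// Hardened markup: quoted attribute, value and label both HTML-escaped.
// ENT_QUOTES also escapes ' and ", so the value cannot end the attribute.
function option_escaped(string $site): string
{
    $safe = htmlspecialchars($site, ENT_QUOTES, 'UTF-8');
    return '<option value="' . $safe . '">' . $safe . '</option>';
}

// Stand-in for the browser round trip: parse the generated markup and read
// back the value attribute, which is what the form would submit as "site".
// In the real page this value arrives in $_GET['site'] or $_POST['site'].
function submitted_value(string $optionHtml): string
{
    libxml_use_internal_errors(true);   // tolerate sloppy markup quietly
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body><select name="site">' . $optionHtml
        . '</select></body></html>');
    libxml_clear_errors();
    return $doc->getElementsByTagName('option')->item(0)->getAttribute('value');
}

// Second query with a bound parameter: the submitted string is never pasted
// into the SQL text, so spaces and quotes in it need no special handling.
function find_logins(PDO $db, string $site): array
{
    $stmt = $db->prepare(
        'SELECT username, password FROM sitelogins WHERE site = ?'
    );
    $stmt->execute([$site]);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// For every site, show what each markup variant would submit and whether
// the second query then finds the row.
foreach ($db->query('SELECT site FROM sitelogins ORDER BY site') as $row) {
    $site = $row['site'];
    $variants = [
        'unquoted' => option_unquoted($site),
        'escaped'  => option_escaped($site),
    ];
    foreach ($variants as $kind => $html) {
        $value = submitted_value($html);
        printf(
            "%-8s submits %-14s rows found: %d\n",
            $kind,
            var_export($value, true),
            count(find_logins($db, $value))
        );
    }
}
```
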

                    • Theo

                      #11
                      Re: Double query form, result of 1st query drops anything after a space

                      dogu <dfinnerathome@ netscape.net> wrote in
                      news:dcKdnTrmGZ ERG-DcRVn-oQ@metrocastcab levision.com:
                      [color=blue]
                      > Theo wrote:[color=green]
                      >> dogu <dfinnerathome@ netscape.net> wrote in news:gbudnWqdxp wKLefcRVn-
                      >> sQ@metrocastcab levision.com:
                      >>
                      >>[color=darkred]
                      >>><html>
                      >>><body>
                      >>>Select the site name from the list below<br>
                      >>>Note - if you start typing the name, you don't have to scroll to the
                      >>>name.<br>
                      >>></body>
                      >>><br>
                      >>><form>
                      >>><?php
                      >>>
                      >>>// Define variables
                      >>>$server = 'localhost';
                      >>>$username = 'web';
                      >>>$password = 'user';
                      >>>$database = 'HomeData';
                      >>>
                      >>>//$query = "Select site, username, password from sitelogins where site = '$site'";
                      >>>$query = "Select site from sitelogins order by site";
                      >>>
                      >>>// connect to mysql
                      >>>$db = mysql_connect($server, $username, $password);
                      >>>
                      >>>// connect to db
                      >>>mysql_select_db($database, $db);
                      >>>
                      >>>// >>>>> run query and populate the select box - this bit works great.
                      >>>// >>>>> note, if I use \"$site\" below, I get nothing. using site as the name seems to work.
                      >>>
                      >>>$result = mysql_query($query, $db);
                      >>>echo "<select name=\"site\">";
                      >>>if(!$result) die ("query failed");
                      >>> while($row = mysql_fetch_row($result)) {
                      >>>echo "<OPTION VALUE=".$row[0].">".$row[0]."</OPTION>";
                      >>>}
                      >>>echo "</select>";
                      >>>
                      >>>// >>>>> next line - if the value of $site is something like 'fred joe', the echo $site prints as 'fred' and the 2nd query returns null
                      >>>
                      >>>echo "<br><br>The requested site is $site <br><br>";
                      >>>echo "<table border=1>\n";
                      >>>echo "<tr><td>The username is:</td><td>The password is:</td>";
                      >>>
                      >>>
                      >>>$query2 = "Select * from sitelogins where site = '$site'";
                      >>>$result2 = mysql_query($query2, $db);
                      >>>if(!$result2) die ("query failed");
                      >>> while($row = mysql_fetch_row($result2)) {
                      >>> echo "<tr><td>$row[1]</td><td>$row[2]</td></tr>";
                      >>> }
                      >>>
                      >>>echo "</table>";
                      >>>
                      >>>// close connection
                      >>>mysql_close($db);
                      >>>?>
                      >>><br>
                      >>><input type="submit" value = "Get Password">
                      >>></form>
                      >>></html>
                      >>>
                      >>
                      >> Two things, where do you assign $site a value before you actually use
                      >> it?
                      >
                      > Lost again...
                      >
                      > What I thought I was doing was creating the variable in the line that
                      > creates the drop down select box, echo "<select name=\"site\">" ;
                      > That's where I thought the variable name was created. If it gets
                      > created somewhere else, I don't have a clue where.
                      >
                      >>
                      >> second, you are using the $db link instead of the connect link for
                      >> your queries (choose something other than result so you don't overwrite
                      >> it).
                      >>
                      >> And no I didn't catch that immediately :P
                      > Still lost. Every example of php connecting to MySQL uses the same
                      > format as my code.
                      >
                      > $db = mysql_connect($server, $username, $password);
                      > mysql_select_db($database, $db);
                      > Isn't $db the connect link? Can't I use it throughout the code?
                      > Are you referring to my $result2? Do I need to create something like
                      > a second connect as $db2 = mysql_connect($server, $username,
                      > $password)?
                      >
                      > I know I'm getting trapped in some kind of circular logic hell.
                      > Everything I've used for references either has good HTML examples with
                      > no PHP/MySQL, or good PHP with limited HTML or simple HTML form
                      > creation with no clever modifications (ie programmatic population of
                      > lists) or... but never a fully built example of the whole thing.
                      >
                      > Once all the pieces come together, this'll be easy. I'm just not
                      > seeing the solution. Sorry for my slowness and thank you for your
                      > patience.
                      >
                      > Doug
                      >

                      ok... first

                      You are submitting a query before you assign $site a value. If you do a
                      value check before submitting the query you will see that it is a null
                      value.

                      The line you commented out...

                      //$query = "Select site, username, password from sitelogins where site =
                      '$site'";

                      won't work because $site is null. So the question is, what value do you
                      want to assign to it, and where is it coming from... assuming it's not the
                      same every time?

                      ----

                      When checking values, add a line like

                      print "my value is $value"; exit();

                      before you use it, so you can see what the value is at that point. If you
                      get something unexpected, or get 'my value is' and then nothing
                      afterwards, you need to check how you are assigning your values.

                      ---

                      For the other point, you're right, I got that backwards. Sorry 'bout that.
                      :-)

                      Comment

                      • dogu

                        #12
                        Re: Double query form, result of 1st query drops anything after a space

                        Man I love the internet. I cannot thank you enough for your help. This
                        message, especially, helps pull together the bits and pieces that make
                        it all work. I think the light finally went on (dim, but at least it's on).

                        Take care and I hope to be able to give back once I know a bit more.

                        Take care.

                        Doug

                        Michael Fesser wrote:
                        > .oO(dogu)
                        >
                        >
                        >>Michael Fesser wrote:
                        >>
                        >>>Where are the required form attributes method and action?
                        >>>
                        >>
                        >>What I appear to have created is a form that doesn't go anywhere. I'm
                        >>not calling a different PHP file to process the data, it's all in the
                        >>same file/form/code/whatever it's called.
                        >
                        >
                        > Quite usual, but nevertheless the browser has to know where to send the
                        > data.
                        >
                        >
                        >>Set a value one place on the
                        >>form and another bit of the form uses the input. Not sure if this is
                        >>supposed to work, but when I hit my 'get password' button, stuff happens
                        >>and results pop into a table.
                        >>Should I be doing a 'call to self' (not sure of the format but know I've
                        >>seen something like that somewhere)?
                        >
                        >
                        > Yep, at least the action-attribute is required. Use $_SERVER['PHP_SELF']
                        > for its value. The method-attribute is not required (defaults to 'get'),
                        > but IMHO makes the code more readable:
                        >
                        > <form action="<?php print $_SERVER['PHP_SELF']?>" method="get">
                        >
                        >>><option value='foo bar'>foo bar</option>
                        >>
                        >>WHOA! It works like magic! I need to play with the logic of my 'bad'
                        >>version and yours to understand the difference. Is this a magic quote
                        >>thing?
                        >
                        >
                        > Nope. The answer is much simpler. Without quotes in
                        >
                        > <option value=foo bar>foo bar</option>
                        >
                        > only 'foo' is seen as the attribute's value, 'bar' is considered as
                        > another (undefined) attribute, because in HTML attributes are separated
                        > by blanks. So to tell the browser, that all the words belong to the one
                        > attribute, just put quotes around them. BTW it's a good idea to always
                        > quote attribute values (with single or double quotes), this avoids such
                        > errors.
                        >
                        >
                        >>>But why not simply use a kind of ID for the values instead of a complete
                        >>>site name? Would avoid lots of problems.
                        >>>
                        >>
                        >>Two reasons. For the particular design I'm working with, I want the
                        >>choice displayed to the user derived directly from the db AND be human
                        >>readable.
                        >
                        >
                        > No problem so far, you could use an ID for the internal value and the
                        > human readable stuff for the display. Assuming your records in the
                        > database look like this ...
                        >
                        > ID | site
                        > ----+----------------
                        > 1 | This is foo
                        > 2 | This is bar
                        > 42 | Nothing special
                        >
                        > your select box could look like this ...
                        >
                        > <select name="site">
                        > <option value="1">This is foo</option>
                        > <option value="2">This is bar</option>
                        > <option value="42">Nothing special</option>
                        > </select>
                        >
                        > IMHO this would also make the querying of the DB easier and more
                        > reliable. You don't have to deal with quoting, escaping and probably
                        > encoding stuff anymore. You just have to do the "standard check" if a
                        > value was submitted at all and use its integer-value in the query:
                        >
                        > // This makes sure that $site always contains a numeric value, in case
                        > // of an error it is set to zero
                        > $site = isset($_GET['site']) ? intval($_GET['site']) : 0;
                        > $query = "SELECT ... FROM ... WHERE site = $site";
                        >
                        > Or both together in one statement using sprintf():
                        >
                        > // %u is a placeholder for an unsigned integer
                        > $query = sprintf('SELECT ... FROM ... WHERE site = %u',
                        > isset($_GET['site']) ? $_GET['site'] : 0);
                        >
                        > Just some ideas.
                        >
                        >
                        >>Second, I know I'll run into this kind of problem again (spaces in
                        >>strings) and I want to be sure I know how to deal with them.
                        >
                        >
                        > OK.
                        >
                        > But as said earlier: In case of problems have a look at the generated
                        > HTML-code (with an editor capable of syntax highlighting if available)
                        > and use the W3 validator. It will complain about such errors.
                        >
                        >
                        >>>First: You want to use $_GET['site'] or $_POST['site'] (dependent on the
                        >>>used submission method) instead of just $site.
                        >>
                        >>See discussion further up about the form actions. I'm not using a post
                        >>or get, just running code inside one php file
                        >
                        >
                        > Sure, but the browser has to submit the form first, before you can
                        > process its data. Even if you send it to the same file, you have to
                        > choose between get (default) or post. But what I was referring to was
                        > the register_globals thing. On recent PHP installations with default
                        > configuration the variable $site would be undefined, the correct way to
                        > access its value is to use one of the superglobal arrays $_GET or
                        > $_POST. This will work on all systems, regardless of the configuration.
                        >
                        >
                        >>>Second: You want to use at least mysql_escape_string() before using a
                        >>>user submitted string in a query. Check for magic quotes first.
                        >>>
                        >>
                        >>Need to read up on these things.
                        >
                        >
                        > Do a Google on (Advanced) SQL Injection. When working with scripts and
                        > especially databases you should know about some of the dangers and risks
                        > that exist there and how to secure your scripts. The WWW is no
                        > playground, it's a battlefield with thousands of crackers, script kiddies
                        > and other parasites being your enemies.
                        >
                        > Micha

                        Comment
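
Michael Fesser's three points from the reply quoted above (quote attribute values, read `$_GET['site']`, keep submitted strings out of the SQL text) combined in one script, as an added example that is not part of the thread. It assumes PHP 7+ with the pdo_sqlite extension; the helper names `h`, `render_select` and `find_logins` are made up here, the rows are constructed, and a PDO bound parameter is used in place of the `mysql_escape_string()` call mentioned in the thread.

```php
<?php
// Added example, not code from the thread. Sample rows are constructed, and an
// in-memory SQLite database stands in for the thread's MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE sitelogins (site TEXT, username TEXT, password TEXT)');
$ins = $pdo->prepare('INSERT INTO sitelogins VALUES (?, ?, ?)');
foreach ([['fred joe', 'fj', 'pw1'], ['single', 's1', 'pw2'],
          ['o\'brien "home"', 'ob', 'pw3']] as $row) {
    $ins->execute($row);
}

// Escape text for an HTML attribute value or text node (hypothetical helper).
// ENT_QUOTES converts both ' and ", so the value cannot end the attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// First query: build the select box. Each value is quoted and escaped, so
// "fred joe" stays one attribute value instead of value=fred plus a stray "joe".
function render_select(PDO $pdo, string $selected): string
{
    $html = "<select name=\"site\">\n";
    foreach ($pdo->query('SELECT site FROM sitelogins ORDER BY site') as $row) {
        $html .= sprintf("  <option value=\"%s\"%s>%s</option>\n",
            h($row['site']),
            $row['site'] === $selected ? ' selected' : '',
            h($row['site']));
    }
    return $html . "</select>\n";
}

// Second query: the submitted value travels as a bound parameter and is never
// concatenated into the SQL text, so quotes in it cannot change the statement.
function find_logins(PDO $pdo, string $site): array
{
    $stmt = $pdo->prepare('SELECT username, password FROM sitelogins WHERE site = ?');
    $stmt->execute([$site]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Read the submitted value from $_GET, not from a bare $site variable.
$site = (isset($_GET['site']) && is_string($_GET['site'])) ? $_GET['site'] : '';
if (PHP_SAPI === 'cli' && $site === '') {
    $site = 'fred joe'; // constructed input so a command-line run shows a result
}

// PHP_SELF is derived from the request URL, so it is escaped like any other value.
printf("<form action=\"%s\" method=\"get\">\n", h($_SERVER['PHP_SELF'] ?? ''));
echo render_select($pdo, $site);
echo "<input type=\"submit\" value=\"Get Password\">\n</form>\n";

if ($site !== '') {
    printf("<p>The requested site is %s</p>\n", h($site));
    echo "<table border=\"1\">\n<tr><td>The username is:</td><td>The password is:</td></tr>\n";
    foreach (find_logins($pdo, $site) as $login) {
        printf("<tr><td>%s</td><td>%s</td></tr>\n", h($login['username']), h($login['password']));
    }
    echo "</table>\n";
}
```

The constructed `o'brien "home"` row exercises both fixes: its quotes are entity-encoded in the option value, and the bound parameter matches the row without the quotes ever reaching the SQL text.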

                        • dogu

                          #13
                          Re: Double query form, result of 1st query drops anything after a space

                          Theo wrote:
                          > dogu <dfinnerathome@netscape.net> wrote in
                          > news:dcKdnTrmGZERG-DcRVn-oQ@metrocastcablevision.com:
                          >
                          >>Theo wrote:
                          >>
                          >>>dogu <dfinnerathome@netscape.net> wrote in news:gbudnWqdxpwKLefcRVn-
                          >>>sQ@metrocastcablevision.com:
                          >>>
                          >>>
                          >>>
                          >>>><html>
                          >>>><body>
                          >>>>Select the site name from the list below<br>
                          >>>>Note - if you start typing the name, you don't have to scroll to the
                          >>>>name.<br>
                          >>>></body>
                          >>>><br>
                          >>>><form>
                          >>>><?php
                          >>>>
                          >>>>// Define variables
                          >>>>$server = 'localhost';
                          >>>>$username = 'web';
                          >>>>$password = 'user';
                          >>>>$database = 'HomeData';
                          >>>>
                          >>>>//$query = "Select site, username, password from sitelogins where site = '$site'";
                          >>>>$query = "Select site from sitelogins order by site";
                          >>>>
                          >>>>// connect to mysql
                          >>>>$db = mysql_connect($server, $username, $password);
                          >>>>
                          >>>>// connect to db
                          >>>>mysql_select_db($database, $db);
                          >>>>
                          >>>>// >>>>> run query and populate the select box - this bit works great.
                          >>>>// >>>>> note, if I use \"$site\" below, I get nothing. using site as the name seems to work.
                          >>>>
                          >>>>$result = mysql_query($query, $db);
                          >>>>echo "<select name=\"site\">";
                          >>>>if(!$result) die ("query failed");
                          >>>> while($row = mysql_fetch_row($result)) {
                          >>>>echo "<OPTION VALUE=".$row[0].">".$row[0]."</OPTION>";
                          >>>>}
                          >>>>echo "</select>";
                          >>>>
                          >>>>// >>>>> next line - if the value of $site is something like 'fred joe', the echo $site prints as 'fred' and the 2nd query returns null
                          >>>>
                          >>>>echo "<br><br>The requested site is $site <br><br>";
                          >>>>echo "<table border=1>\n";
                          >>>>echo "<tr><td>The username is:</td><td>The password is:</td>";
                          >>>>
                          >>>>
                          >>>>$query2 = "Select * from sitelogins where site = '$site'";
                          >>>>$result2 = mysql_query($query2, $db);
                          >>>>if(!$result2) die ("query failed");
                          >>>> while($row = mysql_fetch_row($result2)) {
                          >>>> echo "<tr><td>$row[1]</td><td>$row[2]</td></tr>";
                          >>>> }
                          >>>>
                          >>>>echo "</table>";
                          >>>>
                          >>>>// close connection
                          >>>>mysql_close($db);
                          >>>>?>
                          >>>><br>
                          >>>><input type="submit" value = "Get Password">
                          >>>></form>
                          >>>></html>
                          >>>>
                          >>>Two things, where do you assign $site a value before you actually use
                          >>>it?
                          >>
                          >>Lost again...
                          >>
                          >>What I thought I was doing was creating the variable in the line that
                          >>creates the drop down select box, echo "<select name=\"site\">" ;
                          >>That's where I thought the variable name was created. If it gets
                          >>created somewhere else, I don't have a clue where.
                          >>
                          >>
                          >>>second, you are using the $db link instead of the connect link for
                          >>>your queries (choose something other than result so you don't overwrite
                          >>>it).
                          >>>
                          >>>And no I didn't catch that immediately :P
                          >>
                          >>Still lost. Every example of php connecting to MySQL uses the same
                          >>format as my code.
                          >>
                          >>$db = mysql_connect($server, $username, $password);
                          >>mysql_select_db($database, $db);
                          >>Isn't $db the connect link? Can't I use it throughout the code?
                          >>Are you referring to my $result2? Do I need to create something like
                          >>a second connect as $db2 = mysql_connect($server, $username,
                          >>$password)?
                          >>
                          >>I know I'm getting trapped in some kind of circular logic hell.
                          >>Everything I've used for references either has good HTML examples with
                          >>no PHP/MySQL, or good PHP with limited HTML or simple HTML form
                          >>creation with no clever modifications (ie programmatic population of
                          >>lists) or... but never a fully built example of the whole thing.
                          >>
                          >>Once all the pieces come together, this'll be easy. I'm just not
                          >>seeing the solution. Sorry for my slowness and thank you for your
                          >>patience.
                          >>
                          >>Doug
                          >>
                          >
                          >
                          > ok... first
                          >
                          > You are submitting a query before you assign $site a value. If you do a
                          > value check before submitting the query you will see that it is a null
                          > value.
                          >
                          > The line you commented out...
                          >
                          > //$query = "Select site, username, password from sitelogins where site =
                          > '$site'";
                          >
                          > won't work because $site is null. So the question is, what value do you
                          > want to assign to it, and where is it coming from... assuming it's not the
                          > same every time?
                          >
                          > ----
                          >
                          > When checking values, add a line like
                          >
                          > print "my value is $value"; exit();
                          >
                          > before you use it, so you can see what the value is at that point. If you
                          > get something unexpected, or get 'my value is' and then nothing
                          > afterwards, you need to check how you are assigning your values.
                          >
                          > ---
                          >
                          > For the other point, you're right, I got that backwards. Sorry 'bout that.
                          > :-)
                          Theo,

                          Thank you so very much. Between you and Micha, I think I'm beginning to
                          see the shape of both the problem and the solution. I'll play with this
                          tomorrow. Once I get something fully functional, I'll post the entire
                          code bit back here.

                          Take care and I'll talk to you later.

                          Doug

                          Comment

                          • Michael Fesser

                            #14
                            Re: Double query form, result of 1st query drops anything after a space

                            .oO(dogu)
                            >Man I love the internet. I cannot thank you enough for your help.

                            You're welcome.

                            Micha

                            Comment
