brads

I am game for anything that works and works fast and easy.
I am just wondering if I am opening up a whole new can of worms?

Cheers!
Brad

-----Original Message-----
From: George Pitcher [mailto:george.pitcher@ingenta.com]
Sent: Tuesday, June 12, 2007 6:06 AM
To: BSumrall
Subject: RE: [php] Looking for help with forms/variables and an array!

Hi,

I use Javascript. I also use Firefox. I use Apache as my server on WinNT,
but Ajax also works on Linux servers (mainly because its a client-side
application).

Let me know if you need help setting up Ajax and/or testing.

Cheers

George

brads

Is it a GUI based application?

Brad

-----Original Message-----
From: George Pitcher [mailto:george.pitcher@ingenta.com]
Sent: Tuesday, June 12, 2007 6:06 AM
To: BSumrall
Subject: RE: [php] Looking for help with forms/variables and an array!

Hi,

I use Javascript. I also use Firefox. I use Apache as my server on WinNT,
but Ajax also works on Linux servers (mainly because its a client-side
application).

Let me know if you need help setting up Ajax and/or testing.

Cheers

George

brads

-----Original Message-----
From: BSumrall [mailto:Brads@ftnco.com]
Sent: Tuesday, June 12, 2007 5:54 AM
To: 'George Pitcher'
Subject: RE: [php] Looking for help with forms/variables and an array!

Interesting suggestion.

I though ajax was mainly gear towards microsoft and javascripting
applications?


-----Original Message-----
From: George Pitcher [mailto:george.pitcher@ingenta.com]
Sent: Tuesday, June 12, 2007 5:42 AM
To: BSumrall
Subject: RE: [php] Looking for help with forms/variables and an array!

Hi,

Have you looked at Ajax? This will do just what you have described. When the
user makes their first choice, Ajax queries the database to return the
options for the secont drop-down box.

George

brads

I am sure I am on the right track.
Register globals is turned on!

I am getting the following error:

You have an error in your SQL syntax; check the manual that corresponds to
your MySQL server version for the right syntax to use near '[''] LIMIT 0, 1'
at line 1

mysql_select_db($database_ftn, $ftn);
@extract($_POST);
$query_Recordset1 = "SELECT * FROM lstng_tbl WHERE price_range=
'[$select1]'";

I am trying to get a php form variable into the above sql query.
'[$select1]' if changed back to the number 1 will bring up a record just
fine.
Putting in a variable produces the error.

How do I get a php form variable into a sql query?

Below is my form

<form id="form1" name="form1" method="post" action="index_dev.php">
<label>market
<select name="select1">
<OPTION value="1">Indiana</OPTION>
<OPTION value="2">Wisconsin</OPTION>
<OPTION value="3">Illinois</OPTION>
<OPTION value="4">Michigan</OPTION>
<OPTION value="5">Ge****a</OPTION>
<OPTION value="6">Florida</OPTION>
</select>
</label>
</form>


Brad


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

robert

BAD!!! BAD DOG!!! This is probably worse than register globals since it
allows clobbering of variables AFTER you've defined any other local
scope vars.

Besides, it's redundant if you have register_globals on as you say
above. But having register_globals is BAD! BAD DOG!! GO TO YOUR KENNEL!

What's with the square brackets? Why haven't your escaped the $select
value before using it in a query? Are you using the magic quotes GPC? If
so... BAD!!! BAD DOG!!

What the hell is lstng_tbl?? Or are you allergic to the readability
enahcning properties of vowels? If so... BAD DOG!! BAAAAAAAD DOOOOG! Go
play with traffic! Why do you post fix it with _tpl? Of course it's a friggin' table.

Who's putting in the variables? you or your visitors? *lol*

$query =
"SELECT "
." * "
."FROM "
." listing "
."WHERE "
." price_range =
'".mysql_real_escape_string( $_POST['select1'] )."' ";

Cheers,
Rob.

Ps. BAD DOG!!

--
..------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting |
| a powerful, scalable system for accessing system services |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for |
| creating re-usable components quickly and easily. |
`------------------------------------------------------------'

lists

$query_Recordset1 = "SELECT * FROM lstng_tbl WHERE price_range = '[$select1]'";

Why do you have brackets in this statement? Are they actually in the data that way?

Try this, curly braces:
$query_Recordset1 = "SELECT * FROM lstng_tbl WHERE price_range = '{$select1}'";

--
Jim Lucas

"Some men are born to greatness, some achieve greatness,
and some have greatness thrust upon them."

Twelfth Night, Act II, Scene V
by William Shakespeare

brads

The purpose for register_globals is for testing and functionality purposes
only.
Every single example on the internet is for register_globals = on.
I am very aware of the security risk of it.
Get it working and then change it back. There is plenty of literature on how
to edit existing working code once you disable it.

Just working with the tools I have!

As far as _tbl instead of table, I picked that one up in the military, just
a preference.

As far as the brackets, I tried with or without;
price_range='[$select1]'";
price_range='$select1'";
price_range=select1";

All the same miserable error!

Any suggestions on how to get select1 -> price_range= would truly
be appreciated, and if your suggestion it more secure than what I am working
with. This would be the icing on the cake!

Brad


-----Original Message-----
From: Robert ***mings [mailto:robert@interjinn.com]
Sent: Tuesday, June 12, 2007 12:38 PM
To: BSumrall
Cc: php-general@lists.php.net
Subject: RE: [php] Looking for help with forms/variables and an array!


BAD!!! BAD DOG!!! This is probably worse than register globals since it
allows clobbering of variables AFTER you've defined any other local
scope vars.

Besides, it's redundant if you have register_globals on as you say
above. But having register_globals is BAD! BAD DOG!! GO TO YOUR KENNEL!

What's with the square brackets? Why haven't your escaped the $select
value before using it in a query? Are you using the magic quotes GPC? If
so... BAD!!! BAD DOG!!

What the hell is lstng_tbl?? Or are you allergic to the readability
enahcning properties of vowels? If so... BAD DOG!! BAAAAAAAD DOOOOG! Go
play with traffic! Why do you post fix it with _tpl? Of course it's a friggin' table.

Who's putting in the variables? you or your visitors? *lol*

$query =
"SELECT "
." * "
."FROM "
." listing "
."WHERE "
." price_range =
'".mysql_real_escape_string( $_POST['select1'] )."' ";

Cheers,
Rob.

Ps. BAD DOG!!

--
..------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting |
| a powerful, scalable system for accessing system services |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for |
| creating re-usable components quickly and easily. |
`------------------------------------------------------------'

brads

It doesn't like the curly brackets either!

Brad

-----Original Message-----
From: Jim Lucas [mailto:lists@cmsws.com]
Sent: Tuesday, June 12, 2007 12:39 PM
To: BSumrall
Cc: php-general@lists.php.net
Subject: Re: [php] Looking for help with forms/variables and an array!


$query_Recordset1 = "SELECT * FROM lstng_tbl WHERE price_range =
'[$select1]'";

Why do you have brackets in this statement? Are they actually in the data
that way?

Try this, curly braces:
$query_Recordset1 = "SELECT * FROM lstng_tbl WHERE price_range = '{$select1}'";

--
Jim Lucas

"Some men are born to greatness, some achieve greatness,
and some have greatness thrust upon them."

Twelfth Night, Act II, Scene V
by William Shakespeare

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

robert

That's no excuse... and you're wrong.


Ok... and magic_quotes? You don't seem to be escaping your data that
goes into the query either. You don't seem very "aware of the security risk".

Why do it twice? Why risk forgetting something after the fact? Coding
securely requires that you practice coding securely and not just hope
you can apply a coat of armorall afterwards.


The same tools I have, if not then you have more.


I gave you an example at the bottom of my post. Are you passing the
$query string directly to the mysql_query() function? Maybe do the
following just before running the query:

echo $query."\n";

Then check it to see that it's what you expect.

Cheers,
Rob.
--
..------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting |
| a powerful, scalable system for accessing system services |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for |
| creating re-usable components quickly and easily. |
`------------------------------------------------------------'

lists

if this is within PHP, the '{' and '}' are within double quotes (which they seem to be),

These examples should all do the same thing.

$query_Recordset1 = "SELECT * FROM lstng_tbl WHERE price_range = '$select1'";
$query_Recordset1 = "SELECT * FROM lstng_tbl WHERE price_range = '{$select1}'";
$query_Recordset1 = "SELECT * FROM lstng_tbl WHERE price_range = '".$select1."'";

echo $query_Recordset1;

place an echo just after including the variable and see if you see the brackets in the statement.


--
Jim Lucas

"Some men are born to greatness, some achieve greatness,
and some have greatness thrust upon them."

Twelfth Night, Act II, Scene V
by William Shakespeare