views:

115

answers:

2

Hello,

I have the following code:

http://www.nomorepasting.com/getpaste.php?pasteid=22615

Which is called by the javascript mentioned in this question:

My problem is that I do not seem to be able to pass $query, as in nothing seemingly happens when I call this file by itself.

I am unsure what the best way to control the flow of information is. Is my logic ok? Passing the query through javascript to the php file, and then returning it with the function?

I am also concerned about my use of $rows, as it does not seem to be required.

+1  A: 

In the code you linked to, I do not see where $searchString is declared. In the aforementioned PHP, I see these two separate sections:

$query ='';
if (isset($_GET["query"]))
$query = $_GET["query"];

and the code you are executing later on down the page is

$table = 'Auctions';
$rows = getRowsByArticleSearch($searchString, $table);

Nowhere, as far as I can see in the code, is $searchString ever declared. A larger concern, however, is that you are not sanitizing your query string before executing it. For security's sake, I would at least replace:

// $searchString is concatenated straight into the SQL string, unescaped
$result = mysql_query("SELECT ARTICLE_NO, USERNAME, ACCESSSTARTS, ARTICLE_NAME 
                       FROM {$table} 
                       WHERE UPPER(ARTICLE_NAME) LIKE '%" . $searchString . "%'");

with

// quotes and backslashes in $searchString are escaped for the connection's charset
$result = mysql_query("SELECT ARTICLE_NO, USERNAME, ACCESSSTARTS, ARTICLE_NAME 
                       FROM {$table} 
                       WHERE UPPER(ARTICLE_NAME) LIKE '%" . mysql_real_escape_string($searchString) . "%'");

You should also check whether magic quotes is turned on, to avoid double-escaping.

spelley
+1  A: 

I think you want to replace this (line 36):

$rows = getRowsByArticleSearch($searchString, $table);

with this:

$rows = getRowsByArticleSearch($query, $table);

And for security concerns, the least you should do is the mysql_real_escape_string stuff from spelley's post.

Karsten
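Both answers above point at the same two things: the endpoint should search on $query (the value the JavaScript actually sends), and the user-supplied term must not be pasted into the SQL string unescaped. The following is an added example, not the asker's paste or either answerer's code. It rewrites the search endpoint with a mysqli prepared statement, which is the standard defense against SQL injection and removes the escaping question entirely (the mysql_* functions used on the page were removed in PHP 7, so mysql_real_escape_string is only a stopgap). It also handles the magic-quotes double-escaping caveat from spelley's answer and takes the table name from an allow-list, since identifiers cannot be bound as parameters. The connection details are placeholders; the column and table names are the ones from the question.

```php
<?php
// Added example (not the asker's or answerers' code): the search endpoint
// rewritten so the user-supplied term never reaches the SQL string.
// Assumes a mysqli connection; the host/user/password/database below are placeholders.

// 1. Undo magic quotes if the legacy setting is on, so the value is not
//    escaped twice (the double-escaping concern raised in the answer).
//    get_magic_quotes_gpc() no longer exists in PHP 8, hence the guard.
function rawGetParam($name)
{
    if (!isset($_GET[$name])) {
        return '';
    }
    $value = $_GET[$name];
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// 2. Identifiers (table names) cannot be bound as parameters, so the table
//    must come from an allow-list rather than from the request.
function checkedTableName($table)
{
    $allowed = array('Auctions');
    if (!in_array($table, $allowed, true)) {
        throw new InvalidArgumentException('unknown table');
    }
    return $table;
}

// 3. The search as a prepared statement. The term is a bound parameter, so
//    quotes or SQL keywords inside it are data, not code. LIKE wildcards
//    typed by the user are escaped so they match literally (MySQL's default
//    LIKE escape character is the backslash).
function getRowsByArticleSearch(mysqli $db, $searchString, $table)
{
    $table = checkedTableName($table);
    $term = strtoupper($searchString);
    $term = str_replace(array('\\', '%', '_'), array('\\\\', '\\%', '\\_'), $term);
    $pattern = '%' . $term . '%';

    $sql = "SELECT ARTICLE_NO, USERNAME, ACCESSSTARTS, ARTICLE_NAME
            FROM {$table}
            WHERE UPPER(ARTICLE_NAME) LIKE ?";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $stmt->bind_result($articleNo, $userName, $accessStarts, $articleName);

    $rows = array();
    while ($stmt->fetch()) {
        $rows[] = array(
            'ARTICLE_NO'   => $articleNo,
            'USERNAME'     => $userName,
            'ACCESSSTARTS' => $accessStarts,
            'ARTICLE_NAME' => $articleName,
        );
    }
    $stmt->close();
    return $rows;
}

// Endpoint body: read the term under the same parameter name the
// JavaScript sends ("query"), run the search, return JSON to the caller.
$db = new mysqli('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER',
                 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
if ($db->connect_errno) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('database unavailable');
}
$query = rawGetParam('query');
$rows  = getRowsByArticleSearch($db, $query, 'Auctions');
header('Content-Type: application/json');
echo json_encode($rows);
```

Calling the file directly as search.php?query=lamp (name assumed) now returns the matching rows as JSON, which is also the easiest way to confirm the endpoint works before wiring the JavaScript back in. A term such as a single quote or a percent sign is returned as an ordinary (empty or literal) match rather than changing the query.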