What is wrong in this code

Discussion in 'PHP' started by mfp, Jan 8, 2009.

0
  1. #1
    Hi friends

    i am new in MySql & PHP programming, please help me in finding prob in this code

    
<?php
require_once("config.php");
require_once("smarty.php");
$con = mysql_connect("$db_host","$db_username","$db_password");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
mysql_select_db("aman", $con);

// Assign the query
$query = "SELECT * FROM bajaj_consent WHERE vehicle_no=$search"  ;

// Execute the query
$result = mysql_query( $query );
if (!$result){
die ("Could not query the database: <br />". mysql_error( ));
}
// Fetch and display the results
while ($row = mysql_fetch_array($result,MYSQL_ASSOC)){
$sr_no = $row["sr_no"];
$insured_name = $row["insured_name"];
$insured_address = $row["insured_address"];
$policy_no = $row["policy_no"];
$policy_wef = $row["policy_wef"];
$vehicle_no = $row["vehicle_no"];
$vehicle_make_model = $row["vehicle_make_model"];
$engine_no = $row["engine_no"];
$chassis_no = $row["chassis_no"];
$date_of_reg = $row["date_of_reg"];
$date_of_loss = $row["date_of_loss"];
$rto = $row["rto"];
}
$smarty->assign('insured_name', "$insured_name");
$smarty->assign('insured_address', "$insured_address");
$smarty->assign('policy_no', "$policy_no");
$smarty->assign('policy_wef', "$policy_wef");
$smarty->assign('date_of_loss', "$date_of_loss");
$smarty->display('consent1.tpl');
mysql_close($con);
?>

<html>
<head>
<title>Building a Form</title>
</head>
<body>
<?php
$search = $_GET["search"];
$self = htmlentities($_SERVER['PHP_SELF']);
if ($search != NULL){
echo "The search string is: <strong>$search</strong>.";
query_db($search);
}
else {
echo '
<form action="'.$self.'" method="GET">
<label>
Search:
<input type="text" name="search" id="search" />
</label>
<input type="submit" value="Go!">
</form>';
}
?>
</body>
</html>
    PHP:
     
    mfp, Jan 8, 2009 IP
  2. phper

    phper Active Member

    Messages:
    247
    Likes Received:
    17
    Best Answers:
    0
    Trophy Points:
    60
    #2 
    // Assign the query
$query = "SELECT * FROM bajaj_consent WHERE vehicle_no=$search"  ;
    PHP:
    $search is not defined yet at that point.
     
    phper, Jan 8, 2009 IP
  3. mfp

    mfp Guest

    Messages:
    71
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    0
    #3


    i wana sent $search through the form submitted by user.
    how can i solve this prob?
     
    mfp, Jan 8, 2009 IP
  4. ads2help

    ads2help Peon

    Messages:
    2,142
    Likes Received:
    67
    Best Answers:
    1
    Trophy Points:
    0
    #4
    Since the method u use is GET

    
// Assign the query
$query = "SELECT * FROM bajaj_consent WHERE vehicle_no = '".mysql_real_escape_string($_GET['search'])."'";
    PHP:
    Use mysql_real_escape_string to avoid SQL Injection.

    You might need to check if the $_GET['search'] is valid before using it.
     
    ads2help, Jan 8, 2009 IP