Solved

mysql / php form works on internet but not on intranet

Posted on 2011-09-18
6
357 Views
Last Modified: 2012-08-14
I am continuing my attempt to port an established web site with mysql backend to an intranet site.  To date I have established the database and web site, with tables and data, on a stand-alone Windows 7/Wamp setup.

The intranet web site functions correctly.  I can access the database from phpmyadmin however, when I attempt to use the intranet form (php/html) to access the database I am getting an "Undefined variable" error returned.

I have made several corrections based on the "Experts" feedback.  I now need some additional assistance


Specifics:

      Internet:      MySQL 5.0, PHP 5, Apache on Linux Server

      Intranet:      MySQL 5.0.7, PHP 5.3.5, Apache 2.2.17, on Windows 7


      Error:             Undefined variable: search1 in C:\wamp\www\part\edit_pprq1.php on line 11
             Undefined variable: search2 in C:\wamp\www\part\edit_pprq1.php on line 11
 
      Code:        8.      $search=mysql_real_escape_string($_POST['search1']);
                        9.      $search=mysql_real_escape_string($_POST['search2']);
        10.      
        11.       $data = 'SELECT * FROM `PPRQ` WHERE `FN` = "'.$search1.'"
                                             AND `LN` = "'.$search2.'"';

0
Comment
Question by:dibrandt
  • 3
  • 2
6 Comments
 
LVL 10

Expert Comment

by:acbxyz
ID: 36556657
It seems you have register_globals turned on on your intranet. From security and clean programming this is not a good idea.

I think in line 8 and 9, you wanted to assign the escaped strings to $search1 and $search2 instead of $search both times. This way the mysql_real_escape_string doesn't do anything useful.
0
 
LVL 2

Expert Comment

by:montasirma
ID: 36556754
Can you change the single quotes on lines 8 and 9 to double quotes, and add an echo for the search1 and search2 variables?

echo $_POST["search1"] ."<BR>\n";
$search=mysql_real_escape_string($_POST["search1"]);
echo $_POST["search2"] ."<BR>\n";
$search=mysql_real_escape_string($_POST['search2']);

Open in new window

0
 
LVL 2

Expert Comment

by:montasirma
ID: 36556774
Sorry, I misread the post.

You are assigning the $_POST variables into the same $search variable.

You should change the code to match the following:

$search1 = mysql_real_escape_string($_POST["search1"]);
$search2 = mysql_real_escape_string($_POST['search2']);

$data = 'SELECT * FROM PPRQ WHERE FN = "'. $search1 .'" AND LN = "'. $search2 .'"'; 

Open in new window

0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 10

Accepted Solution

by:
acbxyz earned 500 total points
ID: 36556776
...as I said before ;-)
0
 

Author Comment

by:dibrandt
ID: 36556952
acbxyz,

this is what I understand you to have said:

  8.      $search1=mysql_real_escape_string($_POST['search1']);
  9.      $search2=mysql_real_escape_string($_POST['search2']);
 10.      
 11.       $data = 'SELECT * FROM `PPRQ` WHERE `FN` = "'.$search1.'"
                                             AND `LN` = "'.$search2.'"';


montasirma,

I am confused.  in line 1 you have double quotes, and in line 2 you have single quotes.  is this correct?

It would also appear that you have assigned "FN" and "LN" to $search1, is this correct?
0
 
LVL 10

Expert Comment

by:acbxyz
ID: 36557015
Your last code is correct.

In this case it is unimportant if you use single or double quotes. Difference is, if you use a variable within your code or special chars like \r or \n. While in strings with double quote these will be replaced by the value of the variable or a line feed (\n => chr(10)) strings with single quotes will be taken as they are.
See http://php.net/manual/en/language.types.string.php for more information

The assignment of search1 to FN and search2 to LN is correct in all postings shown, even though in your opening question not filtered through mysql_real_escape_string.
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Fore-Foreword Today (2016) Maxmind has a new approach to the distribution of its data sets.  This article may be obsolete.  Instead of using the examples here, have a look at the MaxMind API (https://www.maxmind.com/en/geolite2-developer-package). …
Introduction Since I wrote the original article about Handling Date and Time in PHP and MySQL (http://www.experts-exchange.com/articles/201/Handling-Date-and-Time-in-PHP-and-MySQL.html) several years ago, it seemed like now was a good time to updat…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now