Klaus Andersen
asked on
Exclude first HTML filter option in SQL query
Hi there,
I think my current problem is simple but at the moment I cant figure out how to solve it.
I imagine that an option could be IF statement but I think there must to be something more simple.
I have a query that takes a keyword, a category and a region from the html search form
What I need to do is that the query will run only if category AND region value is a number.
So, the query should omit the value for this
So, if the user search for a keyword with the filters by default (any sector) (any region)
The query will omit the value for those filters.
This is an extract of the code
I think my current problem is simple but at the moment I cant figure out how to solve it.
I imagine that an option could be IF statement but I think there must to be something more simple.
I have a query that takes a keyword, a category and a region from the html search form
What I need to do is that the query will run only if category AND region value is a number.
So, the query should omit the value for this
<option value="" selected>Any sectors</option>
and this: <option value="" selected>Any region</option>
So, if the user search for a keyword with the filters by default (any sector) (any region)
The query will omit the value for those filters.
This is an extract of the code
<!-- ADDED A DEFAULT SELECTION -->
<option value="" selected>Any sectors</option>
<option value="1">Aerospace & Transportation</option>
<option value="2">Automotive</option>
<option value="3">Banking, Finance & Real Estate</option>
<option value="4">Basic Materials</option>
<option value="5">Business & Government</option>
<option value="7">Construction & Heavy Industry</option>
<option value="6">Consumer Goods & Retail</option>
<option value="8">Energy & Utilities</option>
<option value="9">Food & Drink</option>
<option value="10">Information Technology</option>
<option value="11">Media & Leisure</option>
<option value="12">Pharma & Healthcare</option>
<option value="13">Telecomunication</option>
</select>
<label for="regions">Select Region:</label>
<select name="regions" id="regions">
<!-- ADDED A DEFAULT SELECTION -->
<option value="" selected>Any region</option>
<option value="1">Africa</option>
<option value="3">Asia</option>
<option value="24">Australia and New Zealand</option>
<option value="12">Central America</option>
<option value="20"> Central and Eastern Europe</option>
<option value="15">Central Asia</option>
<option value="16">East Asia</option>
<option value="4">Europe</option>
<option value="19">Middle East</option>
<option value="8">North Africa</option>
<option value="13">North America</option>
<option value="14">South America</option>
<option value="17">South Asia</option>
<option value="18">South East Asia</option>
<option value="23">Western Europe</option>
<option value="0">Global </option>
</select>
</p>
<p> </p>
<p>
<input type="radio" name="radio" id="boton1" value="1" checked="checked" />
<label for="boton1">market reports</label>
<input type="radio" name="radio" id="boton2" value="2" />
<label for="boton2">swots</label>
<input type="radio" name="radio" id="boton3" value="3" />
<label for="boton3">all content</label>
</p>
<!-- ADDED A SUBMIT CONTROL -->
<p>
<input type="submit" />
</p>
</form>
</div>
</body>
<?php
error_reporting(E_ALL);
$db_host = "****";
$db_user = "***";
$db_word = "***";
$db_name = "***";
$db_port = "***";
$mysqli = new mysqli($db_host, $db_user, $db_word, $db_name, $db_port);
// DID THE CONNECT/SELECT WORK OR FAIL?
if ($mysqli->connect_errno)
{
$err
= "CONNECT FAIL: "
. $mysqli->connect_errno
. ' '
. $mysqli->connect_error
;
trigger_error($err, E_USER_ERROR);
}
// RUN THE ACTION SCRIPT IF THE REQUEST HAS BEEN SUBMITTED
if (!empty($_GET))
{
// SECTOR / REGION INDEX REPORT ELEMENTS
$id_cat = $_GET['categories'];
$id_reg = $_GET['regions'];
// SEARCH KEYWORD
$keyword = $_GET['keyword'];
// TABLES TO BE SEARCHED
switch ($_GET['radio'])
{
case 1:
$sql = "SELECT id,name,organizer_id,no_pages,publication_date,price,currency FROM reports AS T1, sector_index_reports AS T2, country_index_reports AS T3
WHERE T2.id_cat = '$id_cat' AND (T1.id=T2.id_obiekt) AND (T3.id_cat= '$id_reg') AND (T1.id=T3.id_obiekt) AND name LIKE '%$keyword%'" ;
break;
ASKER
Thanks @GaryC123. Unfortunately didn´t work, am I doing something wrong?
This is what I have
HTML
PHP
This is what I have
HTML
<!-- ADDED A DEFAULT SELECTION -->
<option value="" selected>Any sector</option>
<option value="1">Aerospace & Transportation</option>
<option value="2">Automotive</option>
<option value="3">Banking, Finance & Real Estate</option>
<option value="4">Basic Materials</option>
<option value="5">Business & Government</option>
<option value="7">Construction & Heavy Industry</option>
<option value="6">Consumer Goods & Retail</option>
<option value="8">Energy & Utilities</option>
<option value="9">Food & Drink</option>
<option value="10">Information Technology</option>
<option value="11">Media & Leisure</option>
<option value="12">Pharma & Healthcare</option>
<option value="13">Telecomunication</option>
</select>
<label for="regions">Select Region:</label>
<select name="regions" id="regions">
<!-- ADDED A DEFAULT SELECTION -->
<option value="" selected>Any region</option>
<option value="1">Africa</option>
<option value="3">Asia</option>
<option value="24">Australia and New Zealand</option>
<option value="12">Central America</option>
<option value="20"> Central and Eastern Europe</option>
<option value="15">Central Asia</option>
<option value="16">East Asia</option>
<option value="4">Europe</option>
<option value="19">Middle East</option>
<option value="8">North Africa</option>
<option value="13">North America</option>
<option value="14">South America</option>
<option value="17">South Asia</option>
<option value="18">South East Asia</option>
<option value="23">Western Europe</option>
</select>
PHP
if (!empty($_GET))
{
// SECTOR / REGION INDEX REPORT ELEMENTS
// SECTOR / REGION INDEX REPORT ELEMENTS
$id_cat = $_GET['categories']!='Any sector'?$_GET['categories']:'%';
$id_reg = $_GET['regions']!='Any region'?$_GET['regions']:'%';
Yes, it's an if() statement or two. The example from GaryC123 uses the ternary operator, which is a form of if() statement.
A wise programmer would have a filter function for each external variable to ensure that the input from external variables is one of the acceptable values for that particular variable. You might write your own function, or add it as a class method. You could check to see if the value was a number, but that would not tell you that it was a number from your form. As with most things in security and logic, you make tradeoffs between convenience and safety.
This might be useful to shape your thinking about external variables.
http://php.net/manual/en/language.variables.external.php
And this is required reading, every single link.
http://php.net/manual/en/security.php
From this and your other EE questions I really think you would get a lot of value out of this book:
http://www.amazon.com/PHP-MySQL-Web-Development-Edition/dp/0321833899
A wise programmer would have a filter function for each external variable to ensure that the input from external variables is one of the acceptable values for that particular variable. You might write your own function, or add it as a class method. You could check to see if the value was a number, but that would not tell you that it was a number from your form. As with most things in security and logic, you make tradeoffs between convenience and safety.
This might be useful to shape your thinking about external variables.
http://php.net/manual/en/language.variables.external.php
And this is required reading, every single link.
http://php.net/manual/en/security.php
From this and your other EE questions I really think you would get a lot of value out of this book:
http://www.amazon.com/PHP-MySQL-Web-Development-Edition/dp/0321833899
Sigh. You can use var_dump($_GET) to learn what is appearing in your script.
Each form input control produces two important data elements in the request. The first is the name= attribute from the HTML input. This appears in the request in the associative array index. The second is the value= attribute. This appears in the associative array value.
Each form input control produces two important data elements in the request. The first is the name= attribute from the HTML input. This appears in the request in the associative array index. The second is the value= attribute. This appears in the associative array value.
I only posted the relevant snippet of your code that needed amending, you still need the rest of it if that really is all you have for your PHP code.
ASKER
@Ray, I´m approaching to the general solution of my search engine. Has been a bit pain and
lot of time around the topic. As you know I´m new in PHP/Mysql programming.
Thanks for the permanent support!
lot of time around the topic. As you know I´m new in PHP/Mysql programming.
Thanks for the permanent support!
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
@_PJ_
Are you including the rest of your PHP code?
Are you including the rest of your PHP code?
ASKER
@Ray, @GaryC123
This is how I solved it so far:
HTML
PHP
This is how I solved it so far:
HTML
<option value="any" selected>Any sector</option>
<option value="1">Aerospace & Transportation</option>
<option value="2">Automotive</option>
<option value="3">Banking, Finance & Real Estate</option>
<option value="4">Basic Materials</option>
<option value="5">Business & Government</option>
<option value="7">Construction & Heavy Industry</option>
<option value="6">Consumer Goods & Retail</option>
<option value="8">Energy & Utilities</option>
<option value="9">Food & Drink</option>
<option value="10">Information Technology</option>
<option value="11">Media & Leisure</option>
<option value="12">Pharma & Healthcare</option>
<option value="13">Telecomunication</option>
</select>
<label for="regions">Select Region:</label>
<select name="regions" id="regions">
<!-- ADDED A DEFAULT SELECTION -->
<option value="any" selected>Any region</option>
<option value="1">Africa</option>
<option value="3">Asia</option>
<option value="24">Australia and New Zealand</option>
<option value="12">Central America</option>
<option value="20"> Central and Eastern Europe</option>
<option value="15">Central Asia</option>
<option value="16">East Asia</option>
<option value="4">Europe</option>
<option value="19">Middle East</option>
<option value="8">North Africa</option>
<option value="13">North America</option>
<option value="14">South America</option>
<option value="17">South Asia</option>
<option value="18">South East Asia</option>
<option value="23">Western Europe</option>
<option value="0">Global </option>
</select>
PHP
if ($id_cat != 'any' AND $id_reg!='any') {
$sql = "SELECT id,name,organizer_id,no_pages,publication_date,price,currency FROM reports AS T1, sector_index_reports AS T2, country_index_reports AS T3 WHERE T2.id_cat = '$id_cat' AND (T1.id=T2.id_obiekt) AND (T3.id_cat= '$id_reg') AND (T1.id=T3.id_obiekt) AND name LIKE '%$keyword%'" ; }
else if ($id_cat != 'any' AND $id_reg =='any') {
$sql = "SELECT id,name,organizer_id,no_pages,publication_date,price,currency FROM reports AS T1, sector_index_reports AS T2 WHERE T2.id_cat = '$id_cat' AND (T1.id=T2.id_obiekt) AND name LIKE '%$keyword%'" ; }
else if ($id_cat == 'any' AND $id_reg!='any') {
$sql = "SELECT id,name,organizer_id,no_pages,publication_date,price,currency FROM reports AS T1, country_index_reports AS T2 WHERE
(T2.id_cat= '$id_reg') AND (T1.id=T2.id_obiekt) AND name LIKE '%$keyword%'" ; }
else { $sql = "SELECT id,name,organizer_id,no_pages,publication_date,price,currency FROM reports WHERE name LIKE '%$keyword%'" ; }
Yes, that is sure to get you hacked. You should be following the guideline to Accept Only Known Good Values. If you look for "any" and decide to use whatever is there so long as it's not "any" you're just begging for trouble.
A better strategy would be to make a list of acceptable values, perhaps in an array, and check the inputs to see if the values your script received are actually in the array. If the input values are not in the array, your script is under attack, so you would never use those external values in a query.
A better strategy would be to make a list of acceptable values, perhaps in an array, and check the inputs to see if the values your script received are actually in the array. If the input values are not in the array, your script is under attack, so you would never use those external values in a query.
ASKER
Today I will take a look how to solve this in a safest way. Actually I'm trying to give solution to this kind of issues with the knowledge I have, and you know i still need to learn many things, but I keep on working!
Thanks Ray!
Thanks Ray!
Here's an example of verifying external input by comparing it to known good (internal) values.
<?php // RAY_post_and_confirm.php
error_reporting(E_ALL);
// SHOW HOW TO USE A PRE-DEFINED ARRAY OF VALUES TO CREATE A FORM AND TO VALIDATE THE INPUT FROM THE FORM
// THE CLIENT IS ASKED TO PROVIDE THE INPUT, THEN CONFIRM THAT THE VALUES ARE OK
// THE ARRAY OF ACCEPTABLE VALUES
$good_values
= array
( 'Red'
, 'Green'
, 'Blue'
)
;
// NORMALIZED FORMATTING OF THE CHOSEN COLOR, IF ANY
$color = isset($_POST["color"]) ? $color = ucfirst(strtolower($_POST["color"])) : $color = "";
// THE ACTION SCRIPT -- IF THE FORM HAS BEEN FILLED IN FOR FINAL SUBMISSION
if (!empty($_POST["final_submit"]))
{
// IF THE VALUE IS ACCEPTABLE
if (in_array($color, $good_values))
{
// SEND THE EMAIL HERE AND PRODUCE THE THANK-YOU PAGE
echo "YOU CHOSE $color -- THANKS ";
die ("EMAIL SENT");
}
// IF THE VALUE IS NOT ACCEPTABLE, REQUIRE A NEW VERIFICATION AND ISSUE AN ERROR MESSAGE
else
{
echo "<br/>ERROR: $color IS NOT ONE OF ";
echo implode(', ', $good_values);
unset($_POST["verify_submit"]);
$color = '';
}
}
// THE ACTION SCRIPT -- IF THE FORM HAS BEEN FILLED IN FOR VERIFICATION PRIOR TO SUBMISSION
if (!empty($_POST["verify_submit"]))
{
// IF THE VALUE IS ACCEPTABLE
if (in_array($color, $good_values))
{
// TELL THE CLIENT THAT THE VERIFICATION IS OK
echo "<br/>YOU CHOSE $color -- YOUR CHOICE HAS BEEN VERIFIED ";
echo "<br/>YOU CAN NOW USE THE 'SEND EMAIL' BUTTON BELOW";
}
// IF THE VALUE IS NOT ACCEPTABLE, REQUIRE A NEW VERIFICATION AND ISSUE AN ERROR MESSAGE
else
{
echo "<br/>ERROR: $color IS NOT ONE OF ";
echo implode(', ', $good_values);
unset($_POST["verify_submit"]);
$color = '';
}
}
// THE ORIGINAL FORM SCRIPT -- GENERATE THE HTML FORM TO RECEIVE THE DATA
echo "<form method=\"post\">";
echo "ENTER A COLOR -- ";
echo implode(', ', $good_values);
echo "<br/><input name=\"color\" value=\"$color\" />";
// IF THE DATA HAS NOT BEEN SUCCESSFULLY VERIFIED
if (!isset($_POST["verify_submit"]))
{
echo "<br/><input name=\"verify_submit\" value=\"VERIFY MY ENTRY\" type=\"submit\" />";
}
// IF THE DATA HAS BEEN SUCCESSFULLY VERIFIED
if (isset($_POST["verify_submit"]))
{
echo "<br/><input name=\"final_submit\" value=\"SEND EMAIL\" type=\"submit\" />";
}
echo "</form>";
Open in new window