
Hi, I'm creating a site with a search box. This is already done in ASP and I'm redoing it in PHP (which I am new to), and it will take you to another page where it searches the DB using SQL. The search-process.php file is below.

<?php
$db = realpath("db\unibookv2.mdb");
$conn = new COM('ADODB.Connection') or exit('Cannot start ADO.');
$connStr = "PROVIDER=Microsoft.Jet.OLEDB.4.0;
Data Source=$db";
$conn->Open($connStr);



$sql = "SELECT * FROM ubuser WHERE usr_firstname LIKE '%" . $_REQUESTS['searchinput'] .  "%' OR usr_lastname LIKE '%" . $_REQUESTS['searchinput'] . "%' ORDER BY '%" . $_REQUESTS['orderlist'] . "%' ";

$userRs = $conn->Execute($sql);
if (!$userRs)
    {exit("DBMS Error..!");}
?>


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>PHP Search Results - ADO-COM connection!</title>
<meta http-equiv="content-type" content="application/xhtml+xml; charset=utf-8" />
<link rel="stylesheet" type="text/css" href="css/unibookStyle.css" />
</head>
<!-- #include FILE="include/header.asp" -->


<body>
<div id="container"><!-- start container -->

<h2>USER DATABASE</h2>

<!-- start of dynamic html page -->
<h2>PHP/ADO-COM (MS Access) basic parameterised example</h2>
<h3>You searched for : '<?php echo $_REQUEST['searchinput']; ?>'</h3>

<hr align="left" width="658" />

<?php
// example of testing for EOF in resultset  
if (!$userRs->EOF)
{
echo "one or more records found<br />";
}
else
{
echo "sorry, no records found<br />";
}
?>

<!-- start of html table -->
    <table border="0" width="758" cellspacing="0" cellpadding="3">

    <!-- create the first (heading) row in standard HTML -->
    <tr class="tableheading">
        <td><b>Usr_id</b></td><td><b>firstname</b></td><td>&nbsp;<b>lastname</b></td><td>&nbsp;</td>

    </tr>
<!-- loop in PHP to retrieve all records -->
<?php
    $nrecs=0;
    while (!$userRs->EOF) { 
    $nrecs++;   
    ?>
    <tr>
    <!-- use in-line PHP to display the data -->
        <td><?php echo $userRs->Fields['usr_id']->Value ?></td>
        <td><?php echo $userRs->Fields['usr_firstname']->Value ?></td>
        <td><?php echo $userRs->Fields['usr_lastname']->Value ?></td>
    </tr>
    <!-- important line as it moves the resultset 'cursor' -->
    <?php $userRs->MoveNext() ?>
<?php } ?>
</table>


<?php
// close and destroy object instances
$userRs->Close();
$conn->Close();

$userRs = null;
$conn = null;

// display records found to page
echo "<br />Number of records found: " . $nrecs;
?>

<p>&nbsp;</p>
<hr align="left" width="658" />

<input type="button" value="< Back to Search Page" OnClick="top.location='default.asp'">

<!-- #include FILE="include/sidebar.asp" -->

<!-- #include FILE="include/footer.asp" -->
</div>
<!-- end main page content -->

</body>
</html>

This is the error I am getting about the variables being undefined; I'm assuming this is the "[searchinput]" twice and once for the "[orderlist]":

Notice: Undefined variable: _REQUESTS in H:\STUDENT\S0190204\part1\search-process.php on line 10
Notice: Undefined variable: _REQUESTS in H:\STUDENT\S0190204\part1\search-process.php on line 10
Notice: Undefined variable: _REQUESTS in H:\STUDENT\S0190204\part1\search-process.php on line 10

Other problems are that the search term used does not work and the ORDER BY also doesn't, but I have a feeling these problems are going to be solved by the same thing.

1 Answer

It is $_REQUEST, not $_REQUESTS. Also watch out for SQL injection, since you are using the values directly in the query. Use prepared statements to prevent SQL injection.

From the documentation:

$_REQUEST is an associative array that by default contains the contents of $_GET, $_POST and $_COOKIE. The variables in $_REQUEST are provided to the script via the GET, POST, and COOKIE input mechanisms and therefore could be modified by the remote user and cannot be trusted. The presence and order of variables listed in this array is defined according to the PHP variables_order configuration directive.

See the PHP documentation for more details.

answered 2013-11-06T13:00:08.430
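The answer recommends prepared statements without showing them, so here is the same search written with bound parameters. This is an added example, not code from the question or the answer. It uses PDO over ODBC instead of the ADODB COM object; it assumes PDO_ODBC and the Microsoft Access ODBC driver are installed, and the driver name and database path are placeholders. The table and column names (ubuser, usr_id, usr_firstname, usr_lastname) are taken from the question. Because ORDER BY takes a column name, which cannot be bound as a parameter, the sort column is checked against a fixed list of known columns rather than pasted into the SQL; this also fixes the question's ORDER BY, which sorted by a string literal and therefore did nothing.

```php
<?php
// Added example (not from the question or the answer): the search done with
// bound parameters via PDO over ODBC. Assumptions: PDO_ODBC and the Microsoft
// Access ODBC driver are installed; the driver name and the .mdb path are
// placeholders. Table and column names come from the question.

// ORDER BY needs an identifier, which cannot be bound, so the requested
// column is reduced to one of the known columns instead of being interpolated.
function orderColumn($requested)
{
    $allowed = array('usr_id', 'usr_firstname', 'usr_lastname');
    return in_array($requested, $allowed, true) ? $requested : 'usr_lastname';
}

// Jet SQL escapes LIKE wildcards by enclosing them in square brackets, so a
// search for "50%" matches that text literally instead of acting as a wildcard.
function likePattern($term)
{
    $escaped = str_replace(array('[', '%', '_'), array('[[]', '[%]', '[_]'), $term);
    return '%' . $escaped . '%';
}

function searchUsers(PDO $pdo, $term, $order)
{
    // The user's term travels separately from the SQL text as a parameter;
    // the column name has already been limited to a known value.
    $sql = 'SELECT usr_id, usr_firstname, usr_lastname FROM ubuser '
         . 'WHERE usr_firstname LIKE ? OR usr_lastname LIKE ? '
         . 'ORDER BY ' . orderColumn($order);
    $stmt = $pdo->prepare($sql);
    $pattern = likePattern($term);
    $stmt->execute(array($pattern, $pattern));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Read the inputs from $_GET rather than $_REQUEST, which also merges cookies.
$term  = isset($_GET['searchinput']) ? (string) $_GET['searchinput'] : '';
$order = isset($_GET['orderlist'])   ? (string) $_GET['orderlist']   : 'usr_lastname';

$db  = realpath('db/unibookv2.mdb');                                 // placeholder path
$dsn = 'odbc:Driver={Microsoft Access Driver (*.mdb)};Dbq=' . $db;   // placeholder driver name
$pdo = new PDO($dsn);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$rows = searchUsers($pdo, $term, $order);

// Helper for output: the search term and the DB values are HTML-escaped
// before being echoed into the page.
function h($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}
?>
<h3>You searched for : '<?php echo h($term); ?>'</h3>
<table>
<?php foreach ($rows as $row): ?>
    <tr>
        <td><?php echo h($row['usr_id']); ?></td>
        <td><?php echo h($row['usr_firstname']); ?></td>
        <td><?php echo h($row['usr_lastname']); ?></td>
    </tr>
<?php endforeach; ?>
</table>
<p>Number of records found: <?php echo count($rows); ?></p>
```

With this structure the query text is fixed at the point `prepare()` is called, and whatever is typed into the search box can only ever be a value compared by LIKE, never part of the statement. If you need to keep the ADODB COM connection instead of PDO, the same separation applies: put the `?` placeholders in an ADODB.Command's CommandText and append the values as parameters rather than concatenating them into the string.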