Hi.
Really stuck with my SQL query... pretty new to SQL so struggling with this... here's my scenario:
I have a form on a .php page that has drop-down menus for a user to select options based on location, type of job, min. salary and max. salary. The selected options are then submitted using the POST method (and read using $_REQUEST) to a results.php page.
The text field queries work great... with this query:
SELECT jobs.clocation, jobs.Ref_id, jobs.RefCode, jobs.jobtitle, jobs.blurb, jobs.Consultant, jobs.Salary, jobs.tlocation, jobs.Sector, jobs.Type
FROM jobs
WHERE jobs.clocation = '$_REQUEST[clocation]' AND jobs.Sector = '$_REQUEST[Sector]' AND jobs.Type = '$_REQUEST[Type]'
....
Where I'm having problems is getting it to work with the values... I'd like them to be able to choose a Min Salary (the drop-down menu includes options of 10000, 20000, etc.) and a Max Salary (again 10000, 20000, etc.), and then have the results show any data between those values.
Can't figure out where I am going wrong... please help.
Thank you
loopynutter wrote:
The text field queries work great... with this query:
Sure. And it works even better for a hacker. That is, perhaps, the most insecure piece of code I have seen in a long time.
First off, $_REQUEST is insecure because it contains POST, GET, and cookie values.
Next, you're injecting $_REQUEST values directly into your SQL query. Hackers will have a field day trashing your database. Take a look at http://en.wikipedia.org/wiki/SQL_injection to see the danger you're exposing yourself to.
If you're using the PHP mysql functions, you must pass your values first to mysql_real_escape_string(). You should also use $_POST or $_GET instead of $_REQUEST.
As for getting results between different values, use BETWEEN ... AND (http://dev.mysql.com/doc/refman/5.0/en/comparison-operators.html#operator_between).
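The points made in the reply above, put together into one results.php, as an added example (editor's code, not from the original poster or the reply). The table and column names are the ones from the original query; the field names minSalary and maxSalary, the option list, and the DSN/credentials are assumptions. The reply's mysql_real_escape_string() belongs to the legacy mysql_* extension, which was removed in PHP 7.0; PDO prepared statements are the current way to keep user input out of the SQL text, and the example uses them.

```php
<?php
// results.php, added example: the questioner's results page rewritten so that
// no user-supplied value is ever concatenated into the SQL string.
//
// With the original line
//   WHERE jobs.clocation = '$_REQUEST[clocation]' AND ...
// a location value of   x' OR '1'='1   turns the condition into
//   WHERE jobs.clocation = 'x' OR '1'='1' AND ...
// so the quote the user typed ends the literal and the rest is parsed as SQL.
// With bound parameters below, that same string is compared as a literal.

// Assumed drop-down values; anything not in this list is rejected outright.
$allowedSalaries = [10000, 20000, 30000, 40000, 50000, 60000, 70000, 80000];

// Read from $_POST only (the form uses POST). $_REQUEST would also accept the
// same names from the query string or from a cookie.
$clocation = isset($_POST['clocation']) ? (string) $_POST['clocation'] : '';
$sector    = isset($_POST['Sector'])    ? (string) $_POST['Sector']    : '';
$type      = isset($_POST['Type'])      ? (string) $_POST['Type']      : '';
$minSalary = isset($_POST['minSalary']) ? (int) $_POST['minSalary']    : 0; // assumed field name
$maxSalary = isset($_POST['maxSalary']) ? (int) $_POST['maxSalary']    : 0; // assumed field name

if (!in_array($minSalary, $allowedSalaries, true)
    || !in_array($maxSalary, $allowedSalaries, true)) {
    http_response_code(400);
    exit('Invalid salary range.');
}

// BETWEEN needs the low bound first; if the user picked them the other way
// round, swap rather than silently return no rows.
if ($minSalary > $maxSalary) {
    [$minSalary, $maxSalary] = [$maxSalary, $minSalary];
}

// Connection details are placeholders (assumption), not from the original post.
$pdo = new PDO(
    'mysql:host=localhost;dbname=recruitment;charset=utf8mb4',
    'dbuser',
    'dbpass',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares, values sent separately
    ]
);

// Fixed SQL text; every user value is a named placeholder.
// BETWEEN ... AND is inclusive at both ends.
$sql = 'SELECT jobs.clocation, jobs.Ref_id, jobs.RefCode, jobs.jobtitle, jobs.blurb,
               jobs.Consultant, jobs.Salary, jobs.tlocation, jobs.Sector, jobs.Type
        FROM jobs
        WHERE jobs.clocation = :clocation
          AND jobs.Sector    = :sector
          AND jobs.Type      = :type
          AND jobs.Salary BETWEEN :minSalary AND :maxSalary
        ORDER BY jobs.Salary';

$stmt = $pdo->prepare($sql);
$stmt->bindValue(':clocation', $clocation, PDO::PARAM_STR);
$stmt->bindValue(':sector',    $sector,    PDO::PARAM_STR);
$stmt->bindValue(':type',      $type,      PDO::PARAM_STR);
$stmt->bindValue(':minSalary', $minSalary, PDO::PARAM_INT);
$stmt->bindValue(':maxSalary', $maxSalary, PDO::PARAM_INT);
$stmt->execute();

foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $job) {
    // Escape on output too: what came out of the database is data, not HTML.
    echo '<p>', htmlspecialchars($job['jobtitle'], ENT_QUOTES, 'UTF-8'),
         ' (', htmlspecialchars($job['RefCode'], ENT_QUOTES, 'UTF-8'), ') ',
         (int) $job['Salary'], '</p>';
}
```

One caveat the example depends on: BETWEEN only does a numeric range comparison if jobs.Salary is a numeric column. If salaries are stored as text (for instance "£25,000"), the comparison is lexical and the range query will not behave as expected; convert the column, or compare on a numeric column, before relying on it.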