
Passing form variables to php does not work

Participant, Aug 02, 2007
Hi, I'm trying to pass form data via GET and display the result on a second page called search.php, but the query does not work at all.
I am trying to get multiple form elements to pass data through, e.g. City, maxPrice, PropType.
These values must match those in my database and display results.
Any ideas?
TOPICS
Server side applications
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
LEGEND, Aug 02, 2007
The_FedEx_Guy wrote:
> any ideas?

Yes. How about posting some of the code that doesn't work?

--
David Powers, Adobe Community Expert
Author, "The Essential Guide to Dreamweaver CS3" (friends of ED)
Author, "PHP Solutions" (friends of ED)
http://foundationphp.com/
Participant, Aug 02, 2007
Please see attached code
LEGEND, Aug 02, 2007
Looks blank to me....

--
Murray --- ICQ 71997575
Adobe Community Expert
(If you *MUST* email me, don't LAUGH when you do so!)
==================
http://www.dreamweavermx-templates.com - Template Triage!
http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
http://www.dwfaq.com - DW FAQs, Tutorials & Resources
http://www.macromedia.com/support/search/ - Macromedia (MM) Technotes
==================


"The_FedEx_Guy" <webforumsuser@macromedia.com> wrote in message
news:f8sg59$jpg$1@forums.macromedia.com...
> Please see attached code


LEGEND, Aug 02, 2007
The_FedEx_Guy wrote:
> Please see attached code

Code attachments from the web forum are not displayed in a newsreader.
Paste your code into the body of the message.

--
David Powers, Adobe Community Expert
Author, "The Essential Guide to Dreamweaver CS3" (friends of ED)
Author, "PHP Solutions" (friends of ED)
http://foundationphp.com/
Participant, Aug 02, 2007
Searchbox.php
--------------------------

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Untitled Document</title>
<style type="text/css">
<!--
.style1 { font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 12px;
}
.style2 { font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 10px;
}
.style7 {font-size: 9px}
-->
</style>
</head>

<body>
<p class="style1">Search Box </p>
<form action="search.php" method="get" name="form1">
<table width="200" border="0" cellpadding="0" cellspacing="0" class="style2">
<tr>
<td><table width="200" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="78"><span class="style7">Property Type </span></td>
<td width="122"><select name="PropType" id="PropType">
<option value="House">House</option>
<option value="Apartment">Apartment</option>
<option value="Commerical">Commerical</option>
</select>
</td>
</tr>
<tr>
<td><span class="style7">Bedrooms</span></td>
<td><select name="NoBeds" id="NoBeds">
<option value="1">1</option>
<option value="2">2</option>
<option value="3">3</option>
<option value="4">4</option>
<option value="5">5</option>
<option value="6">6</option>
</select>
</td>
</tr>
<tr>
<td><span class="style7">Location</span></td>
<td><select name="City" id="City">
<option value="Birmingham">Birmingham</option>
<option value="London">London</option>
<option value="Walsall">Walsall</option>
<option value="Wolverhampton">Wolverhampton</option>
</select>
</td>
</tr>
<tr>
<td class="style7">Max Price &pound;: </td>
<td><select name="maxPrice" id="maxPrice">
<option value="25.000">25.000</option>
<option value="50.000">50.000</option>
<option value="100.000">100.000</option>
<option value="150.000">150.000</option>
<option value="200.000">200.000</option>
<option value="250.000">250.000</option>
<option value="300.000">300.000</option>
<option value="350.000">350.000</option>
<option value="400.000">400.000</option>
<option value="450.000">450.000</option>
<option value="600.000">600.000</option>
<option value="900.000">900.000</option>
</select>
</td>
</tr>
<tr>
<td> </td>
<td><input name="Reset" type="reset" class="style2" value="Reset">
<input name="Submit" type="submit" class="style2" value="Submit"></td>
</tr>
</table></td>
</tr>
</table>
</form>

</body>
</html>

Participant, Aug 02, 2007
search.php
----------------

<?php require_once('Connections/db.php'); ?>


<html>
<head>
<title>United Properties & Management - Birmingham, West Midlands</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="keywords" content="united properties birmingham, west midlands, united, properties, management, to buy, to let, mortgages, soho road, soho, estate agents, homes, houses, commerical property">
<meta name="description" content="United Properties & Management are located on 194 Soho Road, Birmingham, B21 9LR, England. Tel: 0121 554 9000. The 1st Choice in property & management">


<style type="text/css">
<!--
.style1 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 12px;
}
.style2 {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 10px;
}
.style7 {font-size: 9px}
.style9 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; font-weight: bold; }
.style12 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 12px; font-weight: bold; color: #FF0000; }
.style14 {font-size: 14}
.style15 {font-size: 14px}
.style16 {color: #FF0000;
font-weight: bold;
}
-->
</style>

</head>
<body bgcolor="#FFFFFF" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<!-- ImageReady Slices (mail2.psd) -->
<table width="753" height="578" border="0" align="center" cellpadding="0" cellspacing="0" id="Table_01">
<tr>
<td height="107" colspan="3" valign="top">
<img src="images/top.jpg" width="752" height="107" alt=""></td>
<td width="1">
<img src="images/spacer.gif" width="1" height="107" alt=""></td>
</tr>
<tr>
<td height="38" colspan="3"><?php include "navi2.php"; ?><td>
<img src="images/spacer.gif" width="1" height="6" alt=""></td>
</tr>
<tr>



</tr>
<tr>


</tr>
<tr>
<td width="4" rowspan="2" valign="top"><p class="style1"> </p>
</td>


</tr>
<tr>
<td width="744" valign="top"><table width="728" height="31" border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="723"><img src="images/to_buy.gif" width="404" height="29"></td>
<td width="10"> </td>
</tr>
<tr>
<td valign="top"><div align="left"><?php
mysql_select_db($database_db, $db);

$PropType = $_GET['PropType'];
$NoBeds = $_GET['NoBeds'];
$City = $_GET['City'];
$maxPrice = $_GET['maxPrice'];

$query = "SELECT * FROM property WHERE B_R LIKE 'BUY' AND Accepted LIKE 'YES' AND PropType LIKE '$PropType' AND NoBeds LIKE '$NoBeds' And City LIKE '$City' AND Cost LIKE '<=$maxPrice'";
$result = mysql_query($query);
$num_results = mysql_num_rows($result);
echo "<p>Number of Properties Found: ".$num_results."</p>";

for ($i=0; $i <$num_results; $i++)
{
$row = mysql_fetch_array($result);
echo "<p><strong>" .($i+1)." . Address: ";
echo htmlspecialchars( stripslashes($row["Address"]));
echo "<p><strong>" .($i+1)." . Area: ";
echo htmlspecialchars( stripslashes($row["Area"]));
echo "<p><strong>" .($i+1)." . City: ";
echo htmlspecialchars( stripslashes($row["City"]));
echo "<p><strong>" .($i+1)." . Number of Bedrooms: ";
echo htmlspecialchars( stripslashes($row["NoBeds"]));
echo "<p><strong>" .($i+1)." . Price £: ";
echo htmlspecialchars( stripslashes($row["Cost"]));
echo "</p>";



?> <br>
</div></td>
<td> </td>
</tr>
<tr>
<td><div align="center">
</div></td>
<td> </td>
</tr>
</table></td>
<td width="4">
<img src="images/spacer.gif" width="1" height="139" alt=""></td>
</tr>
<tr>
<td colspan="3" background="images/menu.gif"><table width="458" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td> </td>
<td> </td>
<td><div align="center">
<table width="200" border="0" cellspacing="0" cellpadding="0">
<tr>
<td width="17"><img src="images/images/prop_list_01.gif" width="15" height="15"></td>
<td width="43"><img src="images/images/prop_list_02.gif" width="336" height="15"></td>
<td width="31"><img src="images/images/prop_list_03.gif" width="18" height="15"></td>
</tr>
<tr>
<td background="images/images/prop_list_04.gif"> </td>
<td bgcolor="#FFFFFF"><table width="200" border="0" align="center" cellpadding="0" cellspacing="0" class="style2">
<tr>
<td><div align="center"><a href="property.php?PropID=<? echo $row_Recordset1["PropID"]; ?>"><img src="images/<?php echo $row_Recordset1['Lrg_Image']; ?>" width="100" height="100" border="0"></a></div></td>
<td><div align="center"></div></td>
<td><div align="center"><a href="property.php?PropID=<? echo $row_Recordset1["PropID"]; ?>"><img src="images/<?php echo $row_Recordset1['Lrg_Image']; ?>" width="100" height="100" border="0"></a></div></td>
</tr>
<tr>
<td><div align="center"><?php echo $row_Recordset1['Area']; ?></div></td>
<td> </td>
<td><div align="center"><?php echo $row_Recordset1['Area']; ?></div></td>
</tr>
<tr>
<td><div align="center" class="style16"><?php echo $row_Recordset1['Cost']; ?></div></td>
<td> </td>
<td><div align="center" class="style16"><?php echo $row_Recordset1['Cost']; ?></div></td>
</tr>
</table></td>
<td background="images/images/prop_list_06.gif"> </td>
</tr>
<tr>
<td><img src="images/images/prop_list_07.gif" width="15" height="16"></td>
<td><img src="images/images/prop_list_08.gif" width="336" height="16"></td>
<td><img src="images/images/prop_list_09.gif" width="18" height="16"></td>
</tr>
</table>
</div></td>
<td> </td>
<td> </td>
</tr>
</table></td>
<td>
<img src="images/spacer.gif" width="1" height="58" alt=""></td>
</tr>
<tr>
<td colspan="3">
<img src="images/footer.gif" width="752" height="97" alt=""></td>
<td>
<img src="images/spacer.gif" width="1" height="97" alt=""></td>
</tr>
</table>
<!-- End ImageReady Slices -->

</body>
</html>
LEGEND, Aug 02, 2007
The_FedEx_Guy wrote:
> search.php
> ----------------

There's nothing wrong with the form variables. The problem is a missing
closing curly brace at the end of this for loop:

for ($i=0; $i <$num_results; $i++)
{
$row = mysql_fetch_array($result);
echo "<p><strong>" .($i+1)." . Address: ";
echo htmlspecialchars( stripslashes($row["Address"]));
echo "<p><strong>" .($i+1)." . Area: ";
echo htmlspecialchars( stripslashes($row["Area"]));
echo "<p><strong>" .($i+1)." . City: ";
echo htmlspecialchars( stripslashes($row["City"]));
echo "<p><strong>" .($i+1)." . Number of Bedrooms: ";
echo htmlspecialchars( stripslashes($row["NoBeds"]));
echo "<p><strong>" .($i+1)." . Price £: ";
echo htmlspecialchars( stripslashes($row["Cost"]));
echo "</p>";

} // <---------- missing brace

--
David Powers, Adobe Community Expert
Author, "The Essential Guide to Dreamweaver CS3" (friends of ED)
Author, "PHP Solutions" (friends of ED)
http://foundationphp.com/
LEGEND, Aug 02, 2007
.oO(The_FedEx_Guy)

> [...]
> $PropType = $_GET['PropType'];
> $NoBeds = $_GET['NoBeds'];
> $City = $_GET['City'];
> $maxPrice = $_GET['maxPrice'];
>
> $query = "SELECT * FROM property WHERE B_R LIKE 'BUY' AND Accepted LIKE 'YES'
>AND PropType LIKE '$PropType' AND NoBeds LIKE '$NoBeds' And City LIKE '$City'
>AND Cost LIKE '<=$maxPrice'";

Uh ... that's really ugly:

* Why "LIKE 'BUY'" and "LIKE 'YES'"? You're comparing strings without
wildcards, there's no need for a LIKE operator.

* The "LIKE '<=$maxPrice'" problem was answered in the other thread.

* You should definitely read about SQL injection and how to prevent it.

Micha
LEGEND, Aug 02, 2007
Michael Fesser wrote:
>> $query = "SELECT * FROM property WHERE B_R LIKE 'BUY' AND Accepted LIKE 'YES'
>> AND PropType LIKE '$PropType' AND NoBeds LIKE '$NoBeds' And City LIKE '$City'
>> AND Cost LIKE '<=$maxPrice'";
>
> Uh ... that's really ugly:

I agree. I didn't have time to study the SQL first time round, and just
concentrated on why the variables weren't being passed.

> * You should definitely read about SQL injection and how to prevent it.

Absolutely.

http://www.php.net/manual/en/security.database.sql-injection.php

The current code is wide open to attack. A simple way of correcting it
would be like this:

<?php
// remove magic quotes if they have been inserted
if (get_magic_quotes_gpc()) {
    $_GET['PropType'] = stripslashes($_GET['PropType']);
    $_GET['NoBeds'] = stripslashes($_GET['NoBeds']);
    $_GET['City'] = stripslashes($_GET['City']);
    $_GET['maxPrice'] = stripslashes($_GET['maxPrice']);
}

// make $_GET variables safe for use in SQL query
$PropType = mysql_real_escape_string($_GET['PropType']);
$NoBeds = mysql_real_escape_string($_GET['NoBeds']);
$City = mysql_real_escape_string($_GET['City']);
// maxPrice goes into the query unquoted, where escaping gives no protection,
// so force it to a number instead
$maxPrice = (float) $_GET['maxPrice'];

// build SQL query
$query = "SELECT * FROM property WHERE B_R = 'BUY'
AND Accepted = 'YES'
AND PropType = '$PropType'
AND NoBeds = '$NoBeds'
AND City = '$City'
AND Cost <= $maxPrice";

--
David Powers, Adobe Community Expert
Author, "The Essential Guide to Dreamweaver CS3" (friends of ED)
Author, "PHP Solutions" (friends of ED)
http://foundationphp.com/
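
One way to apply the advice above on a current PHP version, as an added example that is not code from the thread: the same search written with PDO prepared statements and validation against the form's option values (the `mysql_*` functions used in the thread were removed in PHP 7). The in-memory SQLite database, the sample rows, the `searchProperties` name and the plain-integer `maxPrice` format are assumptions.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// posted query; the SQLite in-memory database and its rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE property (Address TEXT, City TEXT, PropType TEXT,
           NoBeds INTEGER, Cost INTEGER, B_R TEXT, Accepted TEXT)");
$db->exec("INSERT INTO property VALUES
    ('1 Constructed Road', 'Birmingham', 'House', 3, 140000, 'BUY', 'YES'),
    ('2 Constructed Road', 'Birmingham', 'House', 3, 260000, 'BUY', 'YES'),
    ('3 Constructed Road', 'London',     'House', 3, 120000, 'BUY', 'NO')");

// Hypothetical helper: validate each GET value, then run a prepared statement.
function searchProperties(PDO $db, array $get): array
{
    $types  = ['House', 'Apartment', 'Commerical'];   // option values as posted
    $cities = ['Birmingham', 'London', 'Walsall', 'Wolverhampton'];
    $propType = $get['PropType'] ?? '';
    $city     = $get['City'] ?? '';
    $noBeds   = filter_var($get['NoBeds'] ?? null, FILTER_VALIDATE_INT,
                           ['options' => ['min_range' => 1, 'max_range' => 6]]);
    // Assumption: maxPrice arrives as a plain integer such as 150000.
    $maxPrice = filter_var($get['maxPrice'] ?? null, FILTER_VALIDATE_INT,
                           ['options' => ['min_range' => 0]]);
    if (!in_array($propType, $types, true) || !in_array($city, $cities, true)
        || $noBeds === false || $maxPrice === false) {
        throw new InvalidArgumentException('Invalid search parameters');
    }
    // Placeholders keep the values out of the SQL text entirely.
    $stmt = $db->prepare(
        "SELECT Address, City, NoBeds, Cost FROM property
         WHERE B_R = 'BUY' AND Accepted = 'YES' AND PropType = :type
           AND NoBeds = :beds AND City = :city AND Cost <= :max");
    $stmt->execute([':type' => $propType, ':beds' => $noBeds,
                    ':city' => $city, ':max' => $maxPrice]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$rows = searchProperties($db, ['PropType' => 'House', 'NoBeds' => '3',
                               'City' => 'Birmingham', 'maxPrice' => '150000']);
foreach ($rows as $row) {
    echo htmlspecialchars($row['Address']), ': ', (int) $row['Cost'], "\n";
}
try {   // Constructed hostile value: rejected before any query runs.
    searchProperties($db, ['PropType' => 'House', 'NoBeds' => '3',
                           'City' => "London' OR '1'='1", 'maxPrice' => '150000']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The form in the thread sends prices as `150.000`, which `FILTER_VALIDATE_INT` rejects; the option values would need to be plain integers for this validation to accept them.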
Participant, Aug 03, 2007
Hi David,
Thank you for your help and thank you everyone else too.

I kept modding the code to see if it would work. I am a real basic user of PHP, and the ebook I was using was telling me to use "LIKE".

I get the gist of this now and feel confident in creating this kind of function again.
LEGEND, Aug 03, 2007
The_FedEx_Guy wrote:
> I kept modding the code to see if it would work, I am a real basic user of PHP
> and the ebook I was using was telling me to use "LIKE"

As Micha pointed out, you use LIKE only when you're using wildcard
characters in the search. % matches anything or nothing, and _ (an
underscore) matches exactly one character.

LIKE '%don' matches Don, London, Hillingdon, but not Adonis.
LIKE '%don%' matches Don, London, Hillingdon, and Adonis.
= 'don' matches don (case-insensitive), and nothing else.

--
David Powers, Adobe Community Expert
Author, "The Essential Guide to Dreamweaver CS3" (friends of ED)
Author, "PHP Solutions" (friends of ED)
http://foundationphp.com/