On Sep 11, 2007, at 1:22 PM, Instruct ICC wrote:
From: Jason Pruim <japruim@xxxxxxxxxx>
Here is the relevant code (I think...)
$search = $_GET["search"];
$self = $_SERVER['PHP_SELF'];
$qstring = "SELECT * FROM current WHERE FName like '%$qstring%'
or LName like '%$qstring%' or Add1 like '%$qstring%' or Add2 like
'% $qstring%' or City like '%$qstring%' or State like '%$qstring%'
or Zip like '%$qstring%' or XCode like '%qstring%'";
Perhaps you meant
like '%$search%'
instead of
like '%$qstring%' multiple times?
Actually I did, Need to proof read my code a little bit more when I
copy/paste it from another project...
I fixed that but the problem still remains... When I preform the
search I get redirected from index.php to edit.php and can't see
where that would happen.
Also read http://en.wikipedia.org/wiki/SQL_injection
I have read about SQL injection, and I will be scrubbing the data
before searching but the search is only available after logging into
the system. No one who isn't logged in can even view the page :)
_________________________________________________________________
Gear up for Halo® 3 with free downloads and an exclusive offer.
http://gethalo3gear.com?ocid=SeptemberWLHalo3_MSNHMTxt_1
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424
www.raoset.com
japruim@xxxxxxxxxx
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
