TalkPHP
Old 10-05-2007, 07:42 PM   #1 (permalink)
Tanax

Need your feedback

Yea, this isn't working.. no idea why.

search.html

HTML Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
	<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
	<meta name="author" content="Tanax">
	<script src="AJAXsearch.js"></script>
	<title>Search</title>
</head>

<body>

<h1>Search:</h1>

<form>
<input type="text" name="search" onkeyup="search(this.value)">
</form>

<p>
<div id="results"><b>You can search for guilds, players, levels and vocations!</b></div>
</p>

</body>
</html>
AJAXsearch.js
Code:
var xmlHttp

function search(string) { 

	xmlHttp = GetXmlHttpObject()
	
	if(xmlHttp == null) {
	
 		alert("Your browser does not support HTTP requests!")
 		return
 
	}
	
	var url = "search.php"
	var url = url+"?keyword="+str
	var url = url+"&sid="+Math.random()
	xmlHttp.onreadystatechange = stateChanged
	xmlHttp.open("GET", url, true)
	xmlHttp.send(null)

}

function stateChanged() { 
	
	if(xmlHttp.readyState == 4 || xmlHttp.readyState == "complete") { 
		
 		document.getElementById("results").innerHTML = xmlHttp.responseText
 	
	} 

}

function GetXmlHttpObject() {

	var xmlHttp = null
	
	try	{
 
 		// Firefox, Opera 8.0+, Safari
 		xmlHttp = new XMLHttpRequest()
 
 	}

	catch (e) {
 
 		//Internet Explorer
 		try {
 			
  			xmlHttp = new ActiveXObject("Msxml2.XMLHTTP")
  
  		}
  		
 		catch (e) {
 			
  			xmlHttp = new ActiveXObject("Microsoft.XMLHTTP")
  
  		}
 
 	}
 	
	return xmlHttp

}
search.php
PHP Code:
<?php

include('config.php');
$get = $_GET["keywords"];

if (isset($get) && $get != "") {

    $search = urldecode($get);
    $search = $system->db->makesafe($search);

    // Player search: the same pattern is reused for all three columns
    $pSql = sprintf("SELECT * FROM ".$system->db->table['players']." WHERE name LIKE %1$s OR level LIKE %1$s OR vocation LIKE %1$s",
        %$search%);
    $pResult = $system->db->query($pSql);

    // Guild search
    $gSql = sprintf("SELECT * FROM ".$system->db->table['guilds']." WHERE name LIKE %s", %$search%);
    $gResult = $system->db->query($gSql);

    if (mysql_num_rows($pResult) != 0) {

        echo '<h1>Players:</h1>';
        echo '<div id="smalltext">Found ' .mysql_num_rows($pResult). ' results.</div><br />';
        echo '<table><tr>';
        echo '<td>Result</td>';
        echo '<td>Name</td>';
        echo '<td>Level</td>';
        echo '<td>Vocation</td></tr>';

        for ($i = 1; $player = mysql_fetch_object($pResult); $i++) {
            echo '<tr>';
            echo '<td>' .$i. '</td>';
            echo '<td>' .$player->name. '</td>';
            echo '<td>' .$player->level. '</td>';
            echo '<td>' .$player->vocation. '</td>';
            echo '</tr>';
        }

        echo '</table>';

    }
    else {
        echo '<h1>Players:</h1>';
        echo '<div id="smalltext">Found ' .mysql_num_rows($pResult). ' results.</div><br />';
    }

    if (mysql_num_rows($gResult) != 0) {

        echo '<h1>Guilds:</h1>';
        echo '<div id="smalltext">Found ' .mysql_num_rows($gResult). ' results.</div><br />';
        echo '<table><tr>';
        echo '<td>Result</td>';
        echo '<td>Name</td>';
        echo '<td>Owner</td></tr>';

        for ($i = 1; $guild = mysql_fetch_object($gResult); $i++) {
            // Look up the owner's name from the guild's ownerid
            $system->player->load($guild->ownerid);
            $name = $system->player->getName();

            echo '<tr>';
            echo '<td>' .$i. '</td>';
            echo '<td>' .$guild->name. '</td>';
            echo '<td>' .$name. '</td>';
            echo '</tr>';
        }

        echo '</table>';

    }
    else {
        echo '<h1>Guilds:</h1>';
        echo '<div id="smalltext">Found ' .mysql_num_rows($pResult). ' results.</div><br />';
    }

}
else {
    echo "You can search for guilds, players, levels and vocations!";
}

?>
When I write something, NOTHING gets up :S
I haven't actually created the table players yet, but that shouldn't matter, it should change the results div message to a db error message in that case.
Old 10-05-2007, 09:21 PM   #2 (permalink)
Salathe

Code:
// JavaScript line 15
var url = url+"?keyword="+str

// PHP line 4
$get = $_GET["keywords"];
For starters, the two keys are different (keyword/keywords) which really won't help at all.

Also, why do you keep putting %$search% (I've noticed this in other topics)? That'll produce a syntax error because the percent symbols just aren't allowed to be used like that.

Since you're using sprintf anyway, why not put the table name as an argument? (e.g, SELECT * FROM %2$s...)

Depending on your php.ini settings, if you don't pass along the keywords in the query string then the PHP engine will raise a Notice error ("Undefined index") -- it's trivial to check if the key exists before trying to assign its value to a variable.

In your JavaScript, with regards to the multiple "var url", you only need to use var the first time to declare url as a variable local to that function. On line 15, quoted at the top of this post, you make reference to a str variable but the function argument is called string. I'd love to see you using semi-colons at the end of the lines but that's just a personal preference.

That's it for starters, I haven't even looked at the code in more than a brief manner but the above should get you moving along a bit.
Old 10-05-2007, 09:48 PM   #3 (permalink)
Tanax

Yea, but it's like the htm file doesn't even connect with the js file, because the div id result value doesn't change when I type in something.

Even if the php file is wrong, and that I did some query wrong, the mysql error should still be visible under the searchform :S
Old 10-05-2007, 10:51 PM   #4 (permalink)
Salathe

Give your search function a different name. That, along with making the argument str instead of "string", should help.
Old 10-05-2007, 11:16 PM   #5 (permalink)
Tanax

Okay, I got this so that the JS at least shows up:

HTML Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
	<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
	<meta name="author" content="Tanax">
	<script src="AJAXsearch.js"></script>
	<title>Search</title>
</head>

<body>

<h1>Search:</h1>

<form>
<input type="text" onkeyup="search(this.value)">
</form>

<p>
<div id="txtHint"><b>You can search for guilds, players, levels and vocations!</b></div>
</p>

</body>
</html>
Code:
var xmlHttp

function search(str) { 
	
	xmlHttp=GetXmlHttpObject()
	
	if (xmlHttp==null) {
 
 		alert ("Browser does not support HTTP Request")
 
 		return
 
 	}
 	
	var url="search.php"
	url=url+"?keyword="+str
	url=url+"&sid="+Math.random()
	xmlHttp.onreadystatechange=stateChanged 
	xmlHttp.open("GET",url,true)
	xmlHttp.send(null)
	
}

function stateChanged() { 

	if (xmlHttp.readyState == 4 || xmlHttp.readyState == "complete") {
		
 		document.getElementById("txtHint").innerHTML = xmlHttp.responseText 
 
 	} 

}

function GetXmlHttpObject() {

	var xmlHttp=null;
	try {
		
 		// Firefox, Opera 8.0+, Safari
 		xmlHttp = new XMLHttpRequest();
 
 	}

	catch (e) {
		
 		//Internet Explorer
 		try {
 		
  			xmlHttp = new ActiveXObject("Msxml2.XMLHTTP");
  
  		}
 
 		catch (e) {
 		
  			xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
  
  		}
 
 	}
 	
	return xmlHttp;
	
}
PHP Code:
<?php

include('config.php');
$get = $_GET["keyword"];

if (isset($get) && $get != "") {

    $search = urldecode($get);
    $search = $system->db->makesafe($search);

    // Player search: table name and the three LIKE patterns passed as sprintf arguments
    $pSql = sprintf("SELECT * FROM %1$s WHERE name LIKE %s OR level LIKE %s OR vocation LIKE %s",
        $table['players'],
        '%'.$search.'%',
        '%'.$search.'%',
        '%'.$search.'%');
    $pResult = $system->db->query($pSql);

    // Guild search
    $gSql = sprintf("SELECT * FROM %s WHERE name LIKE %s",
        $table['guilds'],
        '%'.$search.'%');
    $gResult = $system->db->query($gSql);

    if (mysql_num_rows($pResult) != 0) {

        echo '<h1>Players:</h1>';
        echo '<div id="smalltext">Found ' .mysql_num_rows($pResult). ' results.</div><br />';
        echo '<table><tr>';
        echo '<td>Result</td>';
        echo '<td>Name</td>';
        echo '<td>Level</td>';
        echo '<td>Vocation</td></tr>';

        for ($i = 1; $player = mysql_fetch_object($pResult); $i++) {
            echo '<tr>';
            echo '<td>' .$i. '</td>';
            echo '<td>' .$player->name. '</td>';
            echo '<td>' .$player->level. '</td>';
            echo '<td>' .$player->vocation. '</td>';
            echo '</tr>';
        }

        echo '</table>';

    }
    else {
        echo '<h1>Players:</h1>';
        echo '<div id="smalltext">Found ' .mysql_num_rows($pResult). ' results.</div><br />';
    }

    if (mysql_num_rows($gResult) != 0) {

        echo '<h1>Guilds:</h1>';
        echo '<div id="smalltext">Found ' .mysql_num_rows($gResult). ' results.</div><br />';
        echo '<table><tr>';
        echo '<td>Result</td>';
        echo '<td>Name</td>';
        echo '<td>Owner</td></tr>';

        for ($i = 1; $guild = mysql_fetch_object($gResult); $i++) {
            // Look up the owner's name from the guild's ownerid
            $system->player->load($guild->ownerid);
            $name = $system->player->getName();

            echo '<tr>';
            echo '<td>' .$i. '</td>';
            echo '<td>' .$guild->name. '</td>';
            echo '<td>' .$name. '</td>';
            echo '</tr>';
        }

        echo '</table>';

    }
    else {
        echo '<h1>Guilds:</h1>';
        echo '<div id="smalltext">Found ' .mysql_num_rows($pResult). ' results.</div><br />';
    }

}
else {
    echo "<strong>Search again?</strong>";
}

?>
However, it gives me this error msg:

Quote:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in C:\wamp\www\DB Class\search.php on line 33
Players:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in C:\wamp\www\DB Class\search.php on line 61
Found results.


Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in C:\wamp\www\DB Class\search.php on line 65
Guilds:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in C:\wamp\www\DB Class\search.php on line 94
Found results.
Old 10-06-2007, 03:20 PM   #6 (permalink)
Karl

After a quick look through (literally 2 mins) I would guess that the error is coming from your mix of $pResult and $gResult, surely they are both supposed to be the same?

Another suggestion would be to take a look at Prototype JS it'll make things so much easier for you. With it, you could easily cut down your Ajax Search JavaScript file to a few lines of code split between a few functions.
Old 10-06-2007, 03:46 PM   #7 (permalink)
Salathe

Your SELECT queries are not valid SQL since the values used in the LIKE statements are not delimited by quotation marks. Both queries have the same issue which needs to be fixed.

For example:
PHP Code:
// Wrong: SELECT * FROM table WHERE name LIKE search_term
$gSql = sprintf("SELECT * FROM %s WHERE name LIKE %s",
// Right: SELECT * FROM table WHERE name LIKE 'search_term'
$gSql = sprintf("SELECT * FROM %s WHERE name LIKE '%s' ",
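The points from Salathe's two replies above (check the key before reading it, pass the table name to sprintf, delimit the LIKE value) applied to search.php, as an added example that is not code from this thread or its author; it goes one step further by binding the term as a PDO parameter instead of escaping it into the SQL, and `$db` (a PDO handle), `$table` (the config array of table names) and the function names are assumptions:

```php
<?php
// Added example, not code posted in this thread. It applies the replies'
// points (key check, table name as sprintf argument, delimited LIKE value)
// and goes further: the term is bound as a PDO parameter rather than escaped
// into the SQL. $db (a PDO handle) and $table (table-name config) are assumed.

function readKeyword(array $get): string
{
    // Checking the key avoids the "Undefined index" notice; is_string()
    // rejects ?keyword[]=... which would otherwise arrive as an array.
    $k = $get['keyword'] ?? null;
    return is_string($k) ? trim($k) : '';
}

function likePattern(string $term): string
{
    // A bound parameter cannot break out of the query, but % and _ are still
    // LIKE wildcards; escape them with ! (declared via ESCAPE '!' in the SQL).
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
    return '%' . $escaped . '%';
}

function quoteTable(string $name): string
{
    // Table names cannot be bound; they come from config, not the request,
    // but are still validated and backtick-quoted before being spliced in.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $name)) {
        throw new InvalidArgumentException("unexpected table name: $name");
    }
    return "`$name`";
}

function searchPlayers(PDO $db, string $tableName, string $term): array
{
    $sql = sprintf(
        "SELECT name, level, vocation FROM %s WHERE name LIKE ? ESCAPE '!' "
        . "OR level LIKE ? ESCAPE '!' OR vocation LIKE ? ESCAPE '!'",
        quoteTable($tableName)
    );
    $stmt = $db->prepare($sql);
    $pattern = likePattern($term);
    $stmt->execute([$pattern, $pattern, $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage in search.php; the guild query follows the same shape. Output is
// HTML-escaped because AJAXsearch.js drops the response into innerHTML.
$keyword = readKeyword($_GET);
$players = $keyword === '' ? [] : searchPlayers($db, $table['players'], $keyword);
printf('<h1>Players:</h1><div id="smalltext">Found %d results.</div>', count($players));
foreach ($players as $i => $p) {
    $c = array_map(fn($v) => htmlspecialchars((string) $v, ENT_QUOTES), $p);
    printf('<p>%d. %s (level %s, %s)</p>', $i + 1, $c['name'], $c['level'], $c['vocation']);
}
```

Searching for a term containing `%` or `_` now matches that literal text instead of widening the match, and a missing or array-valued keyword yields an empty result set rather than a notice.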
Old 10-06-2007, 05:00 PM   #8 (permalink)
Tanax

Quote:
Originally Posted by Karl
After a quick look through (literally 2 mins) I would guess that the error is coming from your mix of $pResult and $gResult, surely they are both supposed to be the same?

Another suggestion would be to take a look at Prototype JS it'll make things so much easier for you. With it, you could easily cut down your Ajax Search JavaScript file to a few lines of code split between a few functions.
Yea, but sorry, I don't know anything about Prototype JS ://

Quote:
Originally Posted by Salathe
Your SELECT queries are not valid SQL since the values used in the LIKE statements are not delimited by quotation marks. Both queries have the same issue which needs to be fixed.

For example:
PHP Code:
// Wrong: SELECT * FROM table WHERE name LIKE search_term
$gSql = sprintf("SELECT * FROM %s WHERE name LIKE %s",
// Right: SELECT * FROM table WHERE name LIKE 'search_term'
$gSql = sprintf("SELECT * FROM %s WHERE name LIKE '%s' ",
Thanks! I got it to work now without any PHP errors.
However, I got this:

Quote:
Players:
Found 1 results.

Result Name Level Vocation Profile
1

Account Manager

1

0

Link



Guilds:
Found 1 results.
As you see, it finds 1 result from the players, and it prints the result in a table. But it also finds a result from the guilds, but it doesn't print it :S

And this is only got to do with the PHP script, so here it is:
PHP Code:
<?php

/**
||||||||||||||||||||||||||||||||||||||||||
|||| @author Tanax
|||| @copyright 2007
||||||||||||||||||||||||||||||||||||||||||
**/

include('config.php');
$get = $_GET["keyword"];

if (isset($get) && $get != "") {

    // Make the searchvalue safe from injections
    $search = urldecode($get);
    $search = $system->db->makesafe($search);

    // Search for players
    $pSql = sprintf("SELECT * FROM %s WHERE name LIKE '%s' OR level LIKE '%s' OR vocation LIKE '%s'",
        $table['players'],
        '%'.$search.'%',
        '%'.$search.'%',
        '%'.$search.'%');
    $pResult = $system->db->query($pSql);

    // Search for guilds
    $gSql = sprintf("SELECT * FROM %s WHERE name LIKE '%s'",
        $table['guilds'],
        '%'.$search.'%');
    $gResult = $system->db->query($gSql);

    // Check if the player search returned any results
    if (mysql_num_rows($pResult) != 0) {

        // Echoes the table
        echo '<h1>Players:</h1>';
        echo '<div id="smalltext">Found ' .mysql_num_rows($pResult). ' results.</div><br />';
        echo '<table border="1" width="500"><tr>';
        echo '<th>Result</th>';
        echo '<th>Name</th>';
        echo '<th>Level</th>';
        echo '<th>Vocation</th>';
        echo '<th>Profile</th></tr>';

        for ($i = 1; $player = mysql_fetch_object($pResult); $i++) {
            echo '<tr>';
            echo '<td><center>' .$i. '</center></td>';
            echo '<td><center>' .$player->name. '</center></td>';
            echo '<td><center>' .$player->level. '</center></td>';
            echo '<td><center>' .$player->vocation. '</center></td>';
            echo '<td><center><a href="account.php?name=' .$player->name. '">Link</a></center></td>';
            echo '</tr>';
        }

        echo '</table>';

    }
    else {

        echo '<h1>Players:</h1>'