1
<h2>Search</h2>
<form name="search" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
Search for: <input type="text" name="find" /> in
<select name="field">
<option value="fname">First Name</option>
<option value="lname">Last Name</option>
<option value="info">Profile</option>
</select>
<input type="hidden" name="searching" value="yes" />
<input type="submit" name="search" value="Search" />
</form>
<?php
// This is only displayed if they have submitted the form

if ($_REQUEST[searching] == "yes")   // line 15: the array key is unquoted, which is what the notice refers to
{
    echo "<h2>Results</h2><p>";

    // If they did not enter a search term we give them an error
    if ($_REQUEST[find] == "")
    {
        echo "<p>You forgot to enter a search term";
        exit;
    }

    // Otherwise we connect to our Database
    mysql_connect("localhost", "admin", "password") or die(mysql_error());
    mysql_select_db("oop") or die(mysql_error());

    // We perform a bit of filtering
    $find = strtoupper($_REQUEST[find]);
    $find = strip_tags($find);
    $find = trim($find);

    // Now we search for our search term, in the field the user specified
    $data = mysql_query("SELECT * FROM users WHERE upper($_REQUEST[field]) LIKE '%$find%'");

    // And we display the results
    while ($result = mysql_fetch_array($data))
    {
        echo $result['fname'];
        echo " ";
        echo $result['lname'];
        echo "<br>";
        echo $result['info'];
        echo "<br>";
        echo "<br>";
    }

    // This counts the number of results - and if there weren't any it gives them a little message explaining that
    $anymatches = mysql_num_rows($data);
    if ($anymatches == 0)
    {
        echo "Sorry, but we can not find an entry to match your query<br><br>";
    }

    // And we remind them what they searched for
    echo "<b>Searched For:</b> " . $find;
}
?>

Question:

The front end shows:

Notice: Use of undefined constant searching - assumed 'searching' in D:\wamp\www\oop\test2.php on line 15

I know something is wrong with posting the form values, such as 'searching'... but I do not know how to correct/change it. So can anyone help me to correct it?

Thanks.

user2294256
  • You are probably just learning, but here is a good tip for your code and how it is prone to [mysql injection](http://stackoverflow.com/questions/8340915/php-mysql-injection-example) – i-- May 17 '13 at 03:24
  • If you're doing a POST, get your data from `$_POST`, not `$_REQUEST`. – Ja͢ck May 17 '13 at 04:23
  • Also, escape your data properly; you should also use prepared statements, but that will only solve half of the problems. – Ja͢ck May 17 '13 at 04:25

4 Answers

1

In line #15,

if ($_REQUEST[searching] =="yes") 

"searching" should be quoted:

if ($_REQUEST['searching'] =="yes") 

This also applies to other lines where you check the request param.

golddc
  • I changed it, but it still shows: Notice: Undefined index: searching in D:\wamp\www\oop\test2.php on line 15: – user2294256 May 17 '13 at 03:02
  • See, the message is now different. You also have to check whether the param exists in $_REQUEST by using isset function. – golddc May 17 '13 at 03:13
  • I tried: var_dump(isset($_REQUEST['searching'])); and it shows: boolean false, so what is this problem? How to correct it? – user2294256 May 17 '13 at 03:24
  • Could be caused by PHP settings in php.ini. Check this variable in php.ini: variables_order , and see what value it has. If "P" isn't in it, the script will complain because POST data will not be put into REQUEST. – golddc May 17 '13 at 03:36
  • it is: ; variables_order ; Default Value: "EGPCS" ; Development Value: "GPCS" ; Production Value: "GPCS" – user2294256 May 17 '13 at 03:42
  • The leading semicolon means it's commented out. You need to find the line without the semicolon at the beginning. For example on my local ENV I have variables_order = "GPCS" – golddc May 17 '13 at 03:46
  • got it, it is variables_order = "GPCS" – user2294256 May 17 '13 at 03:54
  • If it's set to GPCS and it still doesn't work, I don't know why it's so either... Personally I would dump the $_REQUEST to see what's inside, and if it doesn't work I have to use $_POST or $_GET. But I'm curious about what's in $_REQUEST so if you could post it here I'd be very thankful. – golddc May 17 '13 at 04:38
1

You are not specifying the associative array index as a string. It should be $_REQUEST['searching'] instead of $_REQUEST[searching]; the same applies to $_REQUEST[find] later on.

Adam Bell
1

Replace

if ($_REQUEST[searching] =="yes")  

with

if (isset($_REQUEST['searching']) && $_REQUEST['searching'] =="yes") 
Amit Garg
0

$_REQUEST[searching] should be $_REQUEST['searching']. Also, what's $_REQUEST[find]? (it should have quotes around 'find' too). And... why $_REQUEST? Be specific, and use $_POST (e.g. $_POST['searching']).

And... please, please, please (at the very least) use mysql_real_escape_string() around your query parameters. See: http://php.net/manual/en/function.mysql-real-escape-string.php

e.g.

// Escape the values before building the query (a function call inside a string literal is never executed).
// Note: escaping only protects quoted string values; a column name should instead be checked against a fixed list.
$field = mysql_real_escape_string($_POST['field']);
$find  = mysql_real_escape_string($_POST['find']);
$data  = mysql_query("SELECT * FROM users WHERE upper($field) LIKE '%$find%'");

Really, the better way to query MySQL would be to use PHP Data Objects and bind your values for added security: http://php.net/manual/en/book.pdo.php

<?php
/* Execute a prepared statement by binding PHP variables */
$calories = 150;
$colour = 'red';
$sth = $dbh->prepare('SELECT name, colour, calories
    FROM fruit
    WHERE calories < :calories AND colour = :colour');
$sth->bindValue(':calories', $calories, PDO::PARAM_INT);
$sth->bindValue(':colour', $colour, PDO::PARAM_STR);
$sth->execute();
?>

There's more to this. You'll need to read up on connecting and such... which is outside of the scope of this answer.

Gor
  • Sorry, I should have said use `mysqli_real_escape_string()` as the `mysql_real_escape_string()` extension is deprecated as of PHP 5.5.0. (I'm using PDO these days, so I missed that one :) – Gor May 17 '13 at 03:21
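A hardened version of the question's search handler, as an added example that is not part of the question or of any answer here: it combines the isset()/$_POST advice from the earlier answers with the PDO prepared statement shown in this one, and adds a column allow-list, LIKE-wildcard escaping and output encoding. It assumes a PDO connection to the page's oop database and users table (fname, lname, info); the DSN host and the DB_USER / DB_PASSWORD credentials are placeholders.

```php
<?php
// Added example (not from the question or answers). Placeholders: DB_USER, DB_PASSWORD.
$dbh = new PDO('mysql:host=localhost;dbname=oop;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // server-side prepares: bound values never enter the SQL text
]);

// Column names cannot be bound as parameters, so only these three are accepted.
$allowedFields = ['fname', 'lname', 'info'];

// isset() first: $_POST['searching'] does not exist on a plain GET of the page.
if (isset($_POST['searching']) && $_POST['searching'] === 'yes') {
    echo "<h2>Results</h2>";

    $find  = isset($_POST['find'])  ? trim($_POST['find']) : '';
    $field = isset($_POST['field']) ? $_POST['field']      : '';

    if ($find === '') {
        echo "<p>You forgot to enter a search term</p>";
        exit;
    }
    if (!in_array($field, $allowedFields, true)) {
        echo "<p>Unknown search field</p>";
        exit;
    }

    // Escape LIKE metacharacters so a "%" or "_" typed by the user matches literally,
    // then add the wildcards the query needs. The pattern is bound, not concatenated;
    // $field is safe to interpolate only because it was checked against the allow-list.
    $pattern = '%' . addcslashes($find, '%_\\') . '%';
    $sth = $dbh->prepare("SELECT fname, lname, info FROM users WHERE UPPER($field) LIKE UPPER(:pattern)");
    $sth->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $sth->execute();
    $rows = $sth->fetchAll(PDO::FETCH_ASSOC);

    if (count($rows) === 0) {
        echo "Sorry, but we can not find an entry to match your query<br><br>";
    }
    foreach ($rows as $row) {
        // Encode on output so stored data cannot inject HTML into the page.
        echo htmlspecialchars($row['fname'], ENT_QUOTES, 'UTF-8'), ' ',
             htmlspecialchars($row['lname'], ENT_QUOTES, 'UTF-8'), '<br>',
             htmlspecialchars($row['info'],  ENT_QUOTES, 'UTF-8'), '<br><br>';
    }
    echo '<b>Searched For:</b> ' . htmlspecialchars($find, ENT_QUOTES, 'UTF-8');
}
```

The form itself stays as in the question; only the PHP below it changes, and the upper-casing is moved into the query so the user's original term is echoed back unmodified.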