September 28, 2012

Difference between typing and pasteing in a field

Question by Ferenc Dajka

If I use xss, what’s the difference between typing in ALERT(‘DSSA’);, or just paste it to a search textfield? In a site, typing works, and makes the alert, but if I just paste it, than it doesn’t. To prevent the question, I don’t want to hack any site, I’m just interested in network security.

thanks for the answer

Answer by Starx

I may not have understood the question properly.

Typing triggers keyUp, keyDown and keyPress events on the element. If the codes are programmed to capture them only, then only those events will be captured.

Pasting can be done using keyboards, mouse and browser options. So this depends on which events you are listening too. There is a separate event called onpaste which will ease everything.

What I mean is, lets say my code is written to capture the pasting my pressing “Ctrl” + “v” only, but if mouse and browser options are used to paste on the
element, then it is configured to capture mouse events also, it cannot
be captured.

April 30, 2012

Binary Search Trees, how do you find maximum?

Question by Rachel Moss

I’ve been working with Binary Search Trees in my spare time, and I want to be able to delete nodes from a tree.

In order to get this to work, I need to find the maximum value. How do you go about doing that? Pseudo-code or hints would be appreciated. I’m stuck and not exactly sure how to even begin this.

Answer by Starx

A simple pseudocode would be this. It it is indepandant to binary search I think.

int maxi = 0
foreach(array as item) // or any other loop
    if item>maxi then maxi = item
April 25, 2012

Seach.php is not working and not showing any results

Question by Erik

I’m trying to figue out how to make my search.php script work with mySQL. I can’t get the information to show up. Not sure where the problem is.

PAGE 1:

<form action="search_result.php" method="GET">
    <input type="text" name="reg" />
    <input type="submit" value="Search" />
</form>

PAGE 2:

<?php
$host="localhost";
$username="XXXXXXXXXXX";
$password="XXXXXXXXXXX";
$db_name="XXXXXXXXXXXX";
$tbl_name="reg_add";
mysql_connect("$host", "$username", "$password") or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");


$record = $_POST['record']; // if coming from e.g. a form
$result=mysql_query(" SELECT * FROM reg_add WHERE reg='" . mysql_real_escape_string($record) . "'");


$row = mysql_fetch_assoc($result);
$first_name = $row['first_name'];
$last_name = $row['last_name'];
$reg = $row['reg'];
?>

<input  name="reg" value="<? echo "$record" ?>">

<input  name="first_name" value="<? echo "$first_name" ?>">

<input  name="last_name" value="<? echo "$last_name" ?>">

Answer by Adriaan

You form is method GET and in your PHP you use this:

$record = $_POST['record']; // if coming from e.g. a form

How are you gonna get the POST[‘record’] if your form has the method GET?

I guess you should or change your form to:

method="POST" 

or change your $record in php to:

$record = $_GET['record'];

Try this version:

You form:

    <form action="search_result.php" method="POST">
    <input type="text" name="reg" id="reg" />
    <input type="submit" name="Submit" id="Submit" value="Search" />
</form>

search_result.php :

<?php

$host       ="localhost";
$username   ="XXXXXXXXXXX";
$password   ="XXXXXXXXXXX";
$db_name    ="XXXXXXXXXXXX";
$tbl_name   ="reg_add";

/* Connect to MySQL database */
mysql_connect("$host", "$username", "$password") or die("Error connecting to database");
mysql_select_db("$db_name")or die("Error selecting database");

$error = '';

if (isset($_POST['Submit'])) {


    if (!empty($_POST['reg'])) {

        $record = $_POST['reg']; // if coming from e.g. a form

        $query = mysql_query("SELECT * FROM reg_add WHERE reg='" . mysql_real_escape_string($record) . "'");
        $result = mysql_num_rows($query);

        if ($result != 0) {

            $row = mysql_fetch_array($query);

            $first_name = $row['first_name'];
            $last_name = $row['last_name'];
            $reg = $row['reg'];

        } else {

            $error = 'No result have been found!';

        }

    } else {

        $error = 'You have not entered the search field, <a href="javascript:history.back(1)">Go back</a>.';

    }
}

if (!empty($error)) { echo $error; } 
?>


<input  name="reg" value="<? echo $record; ?>">

<input  name="first_name" value="<? echo $first_name; ?>">

<input  name="last_name" value="<? echo $last_name; ?>">

Answer by Starx

Syntax of mysql_result() is wrong. According to the manual, it should be

string mysql_result ( resource $result , int $row [, mixed $field = 0 ] )

SO the correct way to use it would be like

mysql_result($result, 1, "first_name");
April 13, 2012

Wildcard for WHERE?

Question by Sam Clark

I want to setup code that does this: (* is wildcard)

SELECT * FROM * WHERE * CONTAINS '$search-query';

What MYSQL code can I use to acheive this.

Answer by Starx

There is a project called anywhereindb which can do what you want.


I am not going to create a full solution, its going to take a long time, but, I am going to create an example of what you would called

SELECT * From `tablename` WHERE * CONTAINS `$search_query`

First, lets extract the fields

$fields = array();
$query = "SELECT * FROM `yourtable` LIMIT 1;";
$result = mysql_query($query);
while ($i < mysql_num_fields($result)) {
    $info = mysql_fetch_field($result, $i);
    $fields[] = $info -> name;
}

Now prepare your query

$query = "SELECT * FROM `table` WHERE";
foreach($fields as $index => $field) {
    $fields[$index] = $field." CONTAINS '$search_query'"
}
$query .= implode(" and ", $fields);
//Finally query
$result = mysql_query($query);

php mysql search through 26 tables

Question by AisRuss

I’ve got this database with about 26 tables (field names are the same in each table) and i was wondering how simple it would be to do a general search on my website based on a keyword which will search through all tables?

Eg Each table has title, author etc etc so if i had a keyword of hairspray – whats the best way to look for the keyword through all tables..

Preferably not through a join or union due to the amount of tables

Cheers in advance

Answer by Starx

Its a very bad way, of creating tables.

If they share a common schema they should be one single table, with some additional field to separate or distinguish the data.

If this is not going to be an option for you, you might want to create a temporary table, which will hold all the data from all 26 tables, then query this table for the search.

July 13, 2011

Search functionality with pagination on a website

Question by acidpaul

I’m developing a search functionality with pagination in my site to search for the product name and the brand name. I’m using this query to get the user’s search request:

SELECT *
from products
WHERE name = 'optimum nutrition'
    OR brand = 'optimum nutrition' 
    OR name LIKE '%optimum%' 
    OR brand LIKE '%optimum%' 
    OR name LIKE '%nutrition%' 
    OR brand LIKE '%nutrition%'

I would like to display first the products that has the full ‘optimum nutrition’ in either the brand name and in the product name. How will I accomplish this?

Any suggestion would be greatly appreciated.

Answer by Shef

Try:

SELECT *, 
CASE WHEN (name = 'optimum nutrition' OR brand = 'optimum nutrition') THEN 1 ELSE 0 END AS full_match,
CASE WHEN (name LIKE '%optimum%' OR brand LIKE '%optimum%' OR name LIKE '%nutrition%' OR brand LIKE '%nutrition%') THEN 1 ELSE 0 END AS half_match
FROM products 
WHERE (name = 'optimum nutrition' OR brand = 'optimum nutrition')
OR (name LIKE '%optimum%' OR brand LIKE '%optimum%' OR name LIKE '%nutrition%' OR brand LIKE '%nutrition%')
ORDER BY full_match, half_match

Answer by Starx

I will suggest you look into
Zend Search Lucene, to put search functionality on your page.

May 18, 2010

How can I use a php array in a mysql search query?

Question by ThinkingInBits

I was going to use the scuttle solution on: http://www.pui.ch/phred/archives/2005/04/tags-database-schemas.html for handling searches on my website. I was wondering how I could take the search input from a user and turn it into a single query.

For instance, let’s say a user inputted ‘blue dogs’ in their search query… How could I dynamically update the query to include (‘blue’, ‘dogs’) in union and intersection queries?

Answer by Sarfraz

You can do like:

$search_string = implode(',', $search_array);

Now in your query you can use the IN clause:

$query = "select * from table where field IN ('".$search_string."')";

Answer by Starx

for example your user input is “blue dogs”, then on the page

$searchstring = "blue dogs"; // or fetch the input
$arr = explode(" ",$searchstring); //this is explode the text by every "space" character

you have the user inputed string in array $arr now, now use it in query like you usually do

...

Please fill the form - I will response as fast as I can!