Error 403 - PHP to search SQL database.


Postby Chris Dude70 » Sun Aug 28, 2011 5:53 am UTC

Hello,

I'm trying to use PHP to search a SQL database but I keep getting error 403.


This is what I have:
Code:
<form name="search" method="post" action="<?=$PHP_SELF?>">
    Seach for: <input type="text" name="find" /> in
            <Select NAME="field">
                <Option VALUE="fname">Name</option>
                <Option VALUE="lname">Cost</option>
            </Select>
<input type="hidden" name="searching" value="yes" />
<input type="submit" name="search" value="Search" />
</form>
            <br /></p>
<?php
 //This is only displayed if they have submitted the form
if(isset($_POST['searching']))
 
 {
 echo "<h2>Results</h2><p>";
 
 //If they did not enter a search term we give them an error
 if ($find == "")
 {
 echo "<p>You forgot to enter a search term";
 exit;
 }
 
 // Otherwise we connect to our Database
 mysql_connect("10.1.1.6", "rootboss", "password") or die(mysql_error());
 mysql_select_db("store_ordovictus") or die(mysql_error());
 
 // We preform a bit of filtering
 $find = strtoupper($find);
 $find = strip_tags($find);
 $find = trim ($find);
 
 //Now we search for our search term, in the field the user specified
 $data = mysql_query("SELECT * FROM menu WHERE upper($field) LIKE'%$find%'");
 
 //And we display the results
 while($result = mysql_fetch_array( $data ))
 {
 echo $result['Name'];
 echo " ";
 echo $result['Desctription'];
 echo "<br>";
 echo $result['Cost'];
 echo "<br>";
 echo "<br>";
 }
 
 //This counts the number or results - and if there wasn't any it gives them a little message explaining that
 $anymatches=mysql_num_rows($data);
 if ($anymatches == 0)
 {
 echo "Sorry, but we can not find an entry to match your query<br><br>";
 }
 
 //And we remind them what they searched for
 echo "<b>Searched For:</b> " .$find;
 }
 ?>          


If anyone could tell me what I'm doing wrong, please let me know.
Chris Dude70
 
Posts: 86
Joined: Tue Jan 05, 2010 11:13 am UTC

Re: Error 403 - PHP to search SQL database.

Postby BotoBoto » Sun Aug 28, 2011 11:06 am UTC

What's the output you're getting?
BotoBoto
 
Posts: 194
Joined: Mon Mar 09, 2009 9:31 pm UTC

Re: Error 403 - PHP to search SQL database.

Postby mfb » Sun Aug 28, 2011 2:54 pm UTC

403: Do you get the same error without your code? I do not think this is a php-problem. But if it is, you can search where it comes from.

Other things:
If you want to use this, you should be aware of (and fix!) the security problems in your code.
Where do $find and $field come from? "register globals" is problematic, too.
mfb
 
Posts: 803
Joined: Thu Jan 08, 2009 7:48 pm UTC

Re: Error 403 - PHP to search SQL database.

Postby naschilling » Sun Aug 28, 2011 4:23 pm UTC

Let's assume Register Globals is off (as it should be), that means that <?=$PHP_SELF?> doesn't have the correct address in it either, so your form goes nowhere.

Stylistically, you should separate the processing of your code from the actual layout of your code as much as possible. In this case, that would mean place your database lookup and output in a separate file and join them using includes or requires.
If you don't have walls, why would you need Windows?
naschilling
 
Posts: 142
Joined: Wed Apr 06, 2011 2:52 pm UTC

Re: Error 403 - PHP to search SQL database.

Postby coyotebush » Mon Aug 29, 2011 2:24 am UTC

As mfb noted, the biggest issue with the code is its vulnerability to SQL injection attacks. mysql_real_escape_string is your friend here.

But 403 ("Forbidden") sounds like an issue of permissions. Does an HTML file in the same directory work? Is the PHP file executable (by the web server user)?
coyotebush
 
Posts: 53
Joined: Sun May 09, 2010 5:09 am UTC

Re: Error 403 - PHP to search SQL database.

Postby phlip » Mon Aug 29, 2011 3:47 am UTC

403 errors come from the web server proper, not PHP (unless you specifically code them into your script, with header("HTTP/1.1 403 Forbidden"); or suchlike). The usual reason is that the webserver doesn't have filesystem-level permissions to read the file... make sure it's chmod-ed so that the server can read it. Noting that the server is probably running as a different user to you, so you're going to want to chmod it at least 644. Or 755 if the server is set up to require the execute bit (though that's uncommon). Or, if you're running on Windows, Right click->Properties->Security, make sure the server (which is probably running as NETWORK SERVICE, or you could just grant to All Users) has Read/Execute permissions.

But yeah, you also want to clean up your SQL injections and turn off register_globals.
While no one overhear you quickly tell me not cow cow.
but how about watch phone?
phlip
Restorer of Worlds
 
Posts: 6732
Joined: Sat Sep 23, 2006 3:56 am UTC
Location: Australia

Re: Error 403 - PHP to search SQL database.

Postby bittyx » Mon Aug 29, 2011 12:24 pm UTC

Just to add a bit of info - escaping strings for db input is the "old-fashioned" way of solving injection vulnerabilities - today, best practice is to use prepared statements, which work differently and don't require escaping. This obviously depends on the database capabilities, but most popular DBMSs support them, and some even get an awesome boost in performance by caching the prepared statements.

Also, use PDO instead of mysql (which is the old driver, and is likely to be deprecated in a future PHP version), or mysqli (which has an awful interface). PDO is a db abstraction layer, so if you ever decide to, say, switch databases, you can do it with a minimal amount of code rewriting. Lastly, consider using an [H]MVC approach to web programming, since it's orders of magnitude easier to read nicely written and separated code. For starters, you could try some frameworks to get a feel of what it's like, and why this is better than just putting everything into a single file.
bittyx
 
Posts: 161
Joined: Tue Sep 25, 2007 9:10 pm UTC
Location: Belgrade, Serbia
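
Added example, not part of any post in the thread: the search from the first post rewritten along the lines the replies suggest, with a PDO prepared statement for the search term, an allow-list for the column, and values read from the submitted form data instead of register_globals. The SQLite in-memory database, the column names, the `SEARCHABLE` map and the `searchMenu` function are assumptions made so the script runs on its own.

```php
<?php
// Added example. sqlite::memory: stands in for the thread's MySQL server so the
// script runs offline; with MySQL only the DSN and credentials change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample rows. The table name is from the post; column names are assumed.
$pdo->exec('CREATE TABLE menu (Name TEXT, Description TEXT, Cost TEXT)');
$insert = $pdo->prepare('INSERT INTO menu (Name, Description, Cost) VALUES (?, ?, ?)');
$insert->execute(["Chef's Burger", '100% beef', '11.00']);
$insert->execute(['Margherita', 'Tomato and basil', '8.50']);

// Column names cannot be bound as parameters, so the form's "field" value is
// looked up in a fixed allow-list and is never copied into the SQL text itself.
const SEARCHABLE = ['fname' => 'Name', 'lname' => 'Cost'];

function searchMenu(PDO $pdo, array $post): array
{
    // Read the submitted values explicitly rather than through register_globals.
    $field  = $post['field'] ?? '';
    $find   = $post['find'] ?? '';
    $column = is_string($field) ? (SEARCHABLE[$field] ?? null) : null;
    $find   = is_string($find) ? trim($find) : '';
    if ($column === null || $find === '') {
        return [];
    }
    // Escape LIKE wildcards with "!" so "%" and "_" in the term match literally.
    $term = strtr(strtoupper($find), ['!' => '!!', '%' => '!%', '_' => '!_']);
    $stmt = $pdo->prepare(
        "SELECT Name, Description, Cost FROM menu WHERE upper($column) LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed submissions: a plain term, a term containing a quote, and a
// "field" value the form never offers.
$tests = [
    ['find' => 'marg',   'field' => 'fname'],
    ['find' => "chef's", 'field' => 'fname'],
    ['find' => 'beef',   'field' => 'Description'],
];
foreach ($tests as $post) {
    $rows = searchMenu($pdo, $post);
    // Encode on output, since the term is echoed back into the page.
    echo htmlspecialchars($post['find'], ENT_QUOTES), ': ', count($rows), " row(s)\n";
}
```

In a real page the call would be `searchMenu($pdo, $_POST)`, and each returned column would be passed through `htmlspecialchars` before being echoed.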

