• Choose a category
• All
• Classic-Fiction

foreach ($row as $name => $value){

print “ $value \n“;

} // end foreach

$count++;

print “ \n“;

} // end while loop

print “ \n“;

} // end printResults

?>

Breaking the code into functions

This code is complex enough to deserve functions. The program has two main jobs, so it’s not surprising that a function is designated to perform each major task. Here’s the main section of the PHP code:

$sql = processInput();

printResults($sql);

This code fragment nicely summarizes the entire program (as well-designed main code ought to do). Here’s the overview:

1. Designate a variable called $sql to hold a query.

The central data for this program is the SQL query.

2. Create the query with processInput().

The job of processInput() is to get the data from the search.html form and create a safe, properly formatted query, which will be passed to the $sql variable.

3. Process the query with the printResults() function.

This function will process the query and format the output as an XHTML table.

Processing the input

The processInput() function does just what it says — processes input:

function processInput(){

//extract information from previous form and build a safe query

$srchVal = $_POST[“srchVal”];

$srchField = $_POST[“srchField”];

$conn = mysql_connect(“localhost”, “user”, “password”);

$srchVal = mysql_real_escape_string($srchVal, $conn);

$srchField = mysql_real_escape_string($srchField, $conn);

$sql = “SELECT * FROM contact WHERE $srchField LIKE ‘%$srchVal%’”;

return $sql;

} // end processInput

It works by doing several small but important tasks:

1. Retrieve values from the form.

The key values for this program are $srchVal and $srchField. They both come from the previous form. Note that I use $_POST rather than $_REQUEST: post requests are mildly harder to hack than get, and I really don’t want anybody spamming my database:

$srchVal = $_POST[“srchVal”];

$srchField = $_POST[“srchField”];

2. Filter each field with mysql_real_escape_string().

You never want to use input from a form without passing it through a security check. It’s quite easy for a bad guy to post additional text in the query that could cause you a lot of headaches. This bit of nastiness is commonly called a SQL injection attack. Fortunately, PHP provides a very useful function for preventing this sort of malice. The mysql_real_escape_string() function processes a string and strips out any potentially dangerous characters, effectively minimizing the risks of SQL injection ickiness. The second parameter of mysql_real_escape_string() is the name of the data connection, so I make a connection and pass it as a parameter:

$conn = mysql_connect(“localhost”, “xfd”, “xfdaio”);

$srchVal = mysql_real_escape_string($srchVal, $conn);

$srchField = mysql_real_escape_string($srchField, $conn);

For more on database security and preventing SQL injection attacks, a good place to start is this document in the PHP online manual:

http://us3.php.net/manual/en/security.database.sql-injection.php

3. Embed the cleaned-up strings in the $sql variable.

Now, you can build the query comfortably. Note that a LIKE clause is more likely to provide the kinds of results your user is expecting. Also, don’t forget that SQL often requires single quotes (see Book VI, Chapter 2 for more on building LIKE clauses):

$sql = “SELECT * FROM contact WHERE $srchField LIKE ‘%$srchVal%’”;

4. Return the final $sql variable.

The query is now ready to be sent back to the main code segment, which will pass it on to the next function:

return $sql;

Generating the output

Now that query is complete, the job of printResults() is quite easy. The following code is really just a copy of the contactTable.php code packaged into a function:

function printResults($sql){

$conn = mysql_connect(“localhost”, “user”, “password”);

mysql_select_db(“xfd”);

$result = mysql_query($sql, $conn);

print “ \n”;

//get field names

Return Main Page Previous Page Next Page

®Online Book Reader