为什么我的php脚本不会返回结果？

Question

请在我的网站上查看这个模拟搜索:

链接已过期

搜索没有返回任何结果,也没有显示错误消息,为什么会这样？

我已经取出了我的人员信息,即.主机/用户名/密码

HTML:
  <h2>Search</h2> 
  <form name="search" method="post" action="<?=$PHP_SELF?>">
  Seach for: <input type="text" name="find" /> in 
  <Select NAME="field">
  <Option VALUE="fname">First Name</option>
  <Option VALUE="lname">Last Name</option>
  <Option VALUE="info">Profile</option>
  </Select>
  <input type="hidden" name="searching" value="yes" />
  <input type="submit" name="search" value="Search" />
  </form>

PHP:

<?php
//This is only displayed if they have submitted the form 
if ($searching =="yes") 
{ 
echo "<h2>Results</h2><p>"; 

//If they did not enter a search term we give them an error 
if ($find == "") 
{ 
echo "<p>You forgot to enter a search term"; 
exit; 
} 

// Otherwise we connect to our Database 
mysql_connect("MYHOST", "MYUSERNAME", "MYPASSWORD") or die(mysql_error()); 
mysql_select_db("MYDATABSENAME") or die(mysql_error()); 

// We preform a bit of filtering 
$find = strtoupper($find); 
$find = strip_tags($find); 
$find = trim ($find); 

//Now we search for our search term, in the field the user specified 
$data = mysql_query("SELECT * FROM users WHERE upper($field) LIKE'%$find%'"); 

//And we display the results 
while($result = mysql_fetch_array( $data )) 
{ 
echo $result['fname']; 
echo " "; 
echo $result['lname']; 
echo "<br>"; 
echo $result['info']; 
echo "<br>"; 
echo "<br>"; 
} 

//This counts the number or results - and if there wasn't any it gives
them a little    message explaining that 
$anymatches=mysql_num_rows($data); 
if ($anymatches == 0) 
{ 
echo "Sorry, but we can not find an entry to match your query<br><br>"; 
} 

//And we remind them what they searched for 
echo "<b>Searched For:</b> " .$find; 
} 
?> 

谢谢!

Jmames

Answer 1

你假设服务器正在使用register_globals,这是一个可怕的可怕的事情.你应该做一些if ($_POST['searching'] =="yes")相反的事情.这也是为什么没有任何反应的原因.

该文件说,

自PHP 5.3.0起,此功能已被弃用.非常不鼓励依赖此功能.

您的代码也非常容易受到SQL注入攻击,您可以使用mysql_real_escape_string修复它.

您的查询应如下所示

$data = mysql_query("SELECT * FROM users WHERE upper(".mysql_real_escape_string($field).") LIKE'%".mysql_real_escape_string($find)."%'");