Hi all,

Developing a small time tracking application, I've been using comboboxes for too many things... I've just learned UI can use jQuery to process text inputs with autocomplete...

That way everything is easier when you have plenty of data to filter.

This said, following samples in the Internet I've got it working fine... I have a text input that offers options to choose from once you start writing.

I have an auxiliary database interface file (database.php) where I have all the database functions, even the connect-to-database small script (getConn(), which returns the pointer to the database connection).

In the main PHP file I have:
JavaScript
<script>
    $(function()
    {
        $("#edCustomer").autocomplete(
        {
            source: "autoCustomer.php"
        });
    });
</script>


And in autoCustomer.php:
PHP
<?php
include('127.0.0.1/rt/database.php');
$DB = getConn();  // getConn is a function declared inside database.php...

// "term" is the text the autocomplete widget sends as it is typed
$term = $_GET['term'];
$arr = array();

$sql = "SELECT * FROM tCustomers WHERE name LIKE '%".$term."%' ORDER BY name ASC";
$result = $DB->query($sql);   // returns false if the query fails

if ($result !== false)
{
    while ($row = $result->fetch_assoc())
    {
        array_push($arr, $row["name"]);
    }
    mysqli_free_result($result);

    // the widget expects a JSON array of suggestions
    echo json_encode($arr);
}
?>


If I insert the getConn function (function getConn(){and all the contents of the function}) into the autoCustomer.php file, it works perfectly, but when I try to use the getConn function from the remote file it fails, returning a 500 (Internal Server Error).

How can I include the database.php file in this autoCustomer.php?

I've tried:
PHP
include_once($_SERVER['DOCUMENT_ROOT'].'/globals.php');
include($rootpath.'/rt/database.php');

$rootpath is a variable that gets updated in globals.php.

Also, to simplify I've tried:
PHP
include('127.0.0.1/rt/database.php');


No luck in both cases...

Any idea?

What I have tried:

Tried to use different syntax for the include part... no luck with any.
Posted
Updated 1-Oct-19 9:00am
Comments
Richard Deeming 1-Oct-19 11:29am    
$sql = "SELECT * FROM tCustomers WHERE name LIKE '%".$term."%' ORDER BY name ASC";

Don't do it like that!

Your code is vulnerable to SQL Injection[^]. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

PHP: SQL Injection - Manual[^]
Joan M 1-Oct-19 14:09pm    
Thank you Richard!

Given what I've read in the links you've provided... simply using mysqli_real_escape_string should avoid that problem... Is that right?

Thank you again... I'm really having fun with this small project... :D nothing to do with the robots and machines I usually program... ^^
Richard Deeming 1-Oct-19 14:12pm    
That might deal with the obvious cases, but there can still be edge cases that would get through.

As the PHP document says, only use that as a fallback if you're working with a database that doesn't support parameters. MySQL certainly supports parameters, so you should use them. :)

PHP: Prepared statements and stored procedures - Manual[^]
Joan M 1-Oct-19 14:18pm    
OOOOOk! I can certainly tell I've learned lots of things today...

Had not used a stored procedure since 1999! :D:D:D:D

Great to know... now I'll finish the application (I'm almost there) and once I have finished it I'll update all the queries to be safe.

THANKS!
Richard Deeming 1-Oct-19 14:20pm    
You don't have to use stored procedures to use parameters. :)

I would try require '127.0.0.1/rt/database.php';, provided '127.0.0.1' is a directory inside the file's current directory.
require will fail immediately if the file is not found.
require and include expect a filesystem path relative to the file's current directory, not a full path from the web root; maybe there is your issue.

Hope this helps.
Comments
Joan M 1-Oct-19 9:16am    
Tried it... no luck with that either...

Thank you for your prompt answer phil.o! :thumbsup:
phil.o 1-Oct-19 9:34am    
Have you tried a relative path from the file's current directory?
Joan M 1-Oct-19 9:36am    
Had not... now I have... and IT WORKED!

THANK YOU VERY MUCH!
phil.o 1-Oct-19 9:45am    
You're welcome!
PHP
$sql = "SELECT * FROM tCustomers WHERE name LIKE '%".$term."%' ORDER BY name ASC";

Not necessarily a solution to your question, but another problem you have.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens the door to a vulnerability named "SQL injection"; it is dangerous for your database and error prone.
A single quote in a name and your program crashes. If a user inputting a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems: a malicious user input gets promoted to SQL commands with all credentials.
SQL injection - Wikipedia[^]
SQL Injection[^]
SQL Injection Attacks by Example[^]
PHP: SQL Injection - Manual[^]
SQL Injection Prevention Cheat Sheet - OWASP[^]
How can I explain SQL injection without technical jargon? - Information Security Stack Exchange[^]
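Added example (not code from the question or from either answer): a rewritten autoCustomer.php that applies both points made above, the include resolved as a filesystem path relative to this file (phil.o's answer) and the LIKE query expressed as a mysqli prepared statement with a bound parameter instead of string concatenation (Richard's comments and the second answer). It assumes database.php lives in a sibling rt directory and that its getConn() returns a mysqli object; the table and column names are the ones from the question.

```php
<?php
// Added example, not the original poster's code.
// Assumptions: database.php is at ../rt/ relative to this file and
// getConn() returns a mysqli object; tCustomers.name is the column searched.

declare(strict_types=1);

// Resolve the include from this file's own directory, not a web-root or
// host-like path; require fails immediately if the file is missing.
require __DIR__ . '/../rt/database.php';

/**
 * Escape the characters LIKE treats specially, so a user typing "50%" or "a_b"
 * matches those literal characters instead of turning them into wildcards.
 * MySQL's default LIKE escape character is the backslash.
 */
function escapeLikePattern(string $value): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $value);
}

/**
 * Return customer names containing $term. The pattern is sent as a bound
 * parameter, so a name such as "Brian O'Conner" is only ever data and can
 * neither break the statement nor be parsed as SQL.
 */
function findCustomerNames(mysqli $db, string $term, int $limit = 20): array
{
    $pattern = '%' . escapeLikePattern($term) . '%';

    $stmt = $db->prepare(
        'SELECT name FROM tCustomers WHERE name LIKE ? ORDER BY name ASC LIMIT ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }

    // 's' = string, 'i' = integer: values travel separately from the SQL text.
    $stmt->bind_param('si', $pattern, $limit);
    $stmt->execute();

    $names = [];
    $result = $stmt->get_result();   // needs the mysqlnd driver (default in modern PHP)
    while ($row = $result->fetch_assoc()) {
        $names[] = $row['name'];
    }
    $result->free();
    $stmt->close();

    return $names;
}

// jQuery UI autocomplete sends the typed text as ?term=...; treat it as untrusted.
$term = isset($_GET['term']) ? (string) $_GET['term'] : '';
$term = mb_substr(trim($term), 0, 100);   // cap the length of the search pattern

header('Content-Type: application/json; charset=utf-8');

if ($term === '') {
    echo json_encode([]);
    exit;
}

echo json_encode(findCustomerNames(getConn(), $term));
```

The same approach works with PDO (`prepare`/`bindValue`/`execute`); the point in both cases is that the query text is fixed at prepare time and the user's input only ever arrives as a parameter value. Escaping `%` and `_` is a separate concern from injection: without it the search still cannot be turned into other SQL, but a user could widen the match with wildcards.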

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)