I am trying to add a search function to my website. Right now it's very rudimentary, and the search is simply pulling results from MySQL using select. The problem is, the search works great when I test it on localhost but doesn't work at all when I put it on the server. When it is used it simply selects the entire database. I believe the problem is that the variable isn't getting passed to the search results page, but I don't know.
Here's the code for the search box. It is in a referenced file called "header.php":
<html>
<head>
</head>
<body>
<div class="title"><img style="width:100%;" src="title.gif" /></div>
<div class="search">Search:
<form style="display:inline" name="search" action="search.php" method="get"><?php echo" <input type='text' name='query' />";?>
<a href="javascript: searchSubmit()"><img src="seo.png" alt="Search" title="Search" /> </a></form></div>
<ul class="menu">
<li><a href="index.php#home">home</a></li>
<li><a href="submit.php?title=&desc=">post an idea</a></li>
<li><a href="#about">about us</a></li>
<li><a href="#contact">contact us</a></li>
<li><a href="login.php">log in</a></li>
</ul>
</body>
</html>
And here's the code from search.php:
<?php
$search=$_GET['query'];
$search=mysql_real_escape_string($search);
?>
<html>
<head>
<?php
echo "<title>Search: $search</title>";
?>
<link rel="stylesheet" type="text/css" href="mainstyle.css" />
<script type="text/javascript" src="validate.js"></script>
</head>
<body>
<div class="title"><img style="width:100%;" src="title.gif" /></div>
<div class="search">Search:
<form style="display:inline" name="search" action="search.php" method="get"><?php echo" <input type='text' name='query' value='$search'/>";?>
<a href="javascript: searchSubmit()"><img src="seo.png" alt="Search" title="Search" /></a></form></div>
<ul class="menu">
<li><a href="index.php#home">home</a></li>
<li><a href="submit.php?title=&desc=">post an idea</a></li>
<li><a href="#about">about us</a></li>
<li><a href="#contact">contact us</a></li>
<li><a href="login.php">log in</a></li>
</ul>
<?php
mysql_connect("localhost","root","root") or die(mysql_error());
mysql_select_db("date_ideas") or die(mysql_error());
$result=mysql_query("SELECT * FROM ideas WHERE title LIKE '%".$search."%' ORDER BY post_date DESC");
// Debug output: show the query text that was sent
echo "SELECT * FROM ideas WHERE title LIKE '%".$search."%' ORDER BY post_date DESC";
echo "<span id='none'>";
while($row = mysql_fetch_array($result))
{
    $id=$row['id'];
    echo "<h2 class='center'><a href='ideaview.php?id=$id' title='View ".$row['title']." Description'>" . $row['title'] . "</a><br/>";
    echo "<span class='date'>";
    $date=$row['post_date'];
    $time=time();
    // Ranges use >= on the lower bound so exact boundary ages
    // (120, 3600, 7200, 86400 seconds) do not fall through to the date branch
    if (($time-$date)<120)
    {
        echo "Posted 1 minute ago";
    }
    else if (($time-$date)>=120&&($time-$date)<3600)
    {
        $minutes=($time-$date)/60;
        echo ("Posted " . round($minutes) . " minutes ago");
    }
    else if (($time-$date)>=3600&&($time-$date)<7200)
    {
        echo "Posted 1 hour ago";
    }
    else if (($time-$date)<86400&&($time-$date)>=7200)
    {
        $hours=($time-$date)/3600;
        echo ("Posted " . round($hours) . " hours ago");
    }
    else if (($time-$date)<172800&&($time-$date)>=86400)
    {
        echo "Posted 1 day ago";
    }
    else
    {
        echo ("Posted on " . date("m-d-y",$date));
    }
    echo "</span></h2>";
}
echo "</span>";
?>
<script type="text/javascript">
// Keep the element reference instead of relying on the implicit global "none"
var none=document.getElementById("none");
if (none.innerHTML == "")
{
    none.innerHTML="<p class='center'>There are no ideas matching your search</p>";
}
</script>
</body>
</html>
Lastly, here's the code for the javascript used to submit the form:
var valid=true;
function validate(field, helptext, type, min, max, field1)
{
    var x=field.value;
    var text=document.getElementById(helptext);
    if (x==null || x=="")
    {
        if (text!=null)
        {
            text.innerHTML="Please input "+field.id;
        }
        valid=false;
    }
    else if (type=="length")
    {
        valLength(min,max,field,helptext);
    }
    else if (type=="email")
    {
        valEmail(field,helptext);
    }
    else if (type=="pass")
    {
        valPass(field, field1, helptext);
    }
    else
    {
        if (text!=null)
        {
            text.innerHTML="";
        }
        valid=true;
    }
}
function searchSubmit()
{
    validate(search.query);
    if (valid==true)
    {
        search.submit();
    }
    else
    {
        alert("Please enter a search term");
    }
}
As I said, when I use it on my localhost on my computer, it works perfectly, returning only the rows where title matches the search. When I put it on the server, however, it returns all the rows in the table.
Try to print out the query to see if it injects the $search value correctly (if search is not null):
echo "SELECT * FROM ideas WHERE title LIKE '%".$search."%' ORDER BY post_date DESC";
I can't see anything in the code given that would cause this. I think your analysis is correct; I'd imagine $_GET['query'] is empty for some reason.
You could make your code a little more robust by doing an explicit check for this: you want that to be an error case, not a "return everything" case. But besides confirming your theory, this won't solve the problem outright.
The only thing I can think of is to make sure that $_GET exists on your server; it was introduced in PHP 4.1.0, which is now a very long time ago. Still, it's possible that the PHP on your remote server is ancient.
Good luck!
Update
You're using mysql_real_escape_string, which requires a connection, before you make the connection. If there isn't one, one is attempted using default parameters which is working on your local machine, but not on your [presumably more secure] production server.
This is causing the escaping to fail, and FALSE to be written into $query.
Just use mysql_escape_string which doesn't require a connection.
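An added example, not code from the original thread: the explicit empty-term check suggested in the first answer, combined with a bound parameter so that building the query no longer depends on an escaping call that needs an open connection. It goes one step further than the thread by also escaping LIKE wildcards. The function name `find_ideas`, the use of PDO, and the in-memory SQLite table with constructed rows are assumptions standing in for the poster's MySQL `ideas` table.

```php
<?php
// Added example, not the poster's code. PDO with an in-memory SQLite table
// (an assumption) stands in for the MySQL "ideas" table so this runs offline.

function find_ideas(PDO $db, $raw)
{
    // A missing, non-string (e.g. FALSE) or blank term is an error case,
    // never "match everything".
    $term = is_string($raw) ? trim($raw) : '';
    if ($term === '') {
        throw new InvalidArgumentException('Please enter a search term');
    }
    // Escape LIKE wildcards so a "%" or "_" typed by the user matches literally.
    // "!" is escaped first so the escapes added for "%" and "_" are not doubled.
    $pattern = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term) . '%';

    // The value is bound, so no string escaping is involved in the SQL text.
    $stmt = $db->prepare(
        "SELECT id, title, post_date FROM ideas
         WHERE title LIKE :pattern ESCAPE '!'
         ORDER BY post_date DESC"
    );
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ideas (id INTEGER PRIMARY KEY, title TEXT, post_date INTEGER)');
$insert = $db->prepare('INSERT INTO ideas (title, post_date) VALUES (?, ?)');
foreach ([['Picnic in the park', 1000], ['100% free museum night', 2000], ['Park concert', 3000]] as $row) {
    $insert->execute($row);
}

// FALSE is what the failed escaping call left in the variable on the server;
// interpolated into the original query it became LIKE '%%'.
foreach (['park', '%', false, ''] as $input) {
    try {
        $titles = array_column(find_ideas($db, $input), 'title');
        echo var_export($input, true), ' => ', implode(' | ', $titles), "\n";
    } catch (InvalidArgumentException $e) {
        echo var_export($input, true), ' => rejected: ', $e->getMessage(), "\n";
    }
}
```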