PHP help. The <?=$variable?> shortcut isn't working

If I put this in the code…

<?php

$variable = 20;

?>

The value of variable is: <?=$variable?>

And then look at the source in the browser. It should look like…

"The value of variable is: 20"
but it actually looks like…

"The value of variable is: <?=$variable?>"
what am I doing wrong?

To give you the real-world example. I have this in the php code…

<form method="post" action="<?=$_SERVER['PHP_SELF']?>">

and it’s doing this in the final html…

<form method="post" action="<?=$_SERVER['PHP_SELF']?>">

Figured it out. I turned on the ‘short open tag’ php setting.

Also. My PHP book is imperfect. Not only does it not mention that the shortcut won’t work unless ‘short open tag’ option is on, but it also has an example which triggers notice errors…

wrong - if ($_POST['submit'])

right - if (isset($_POST['submit']))

Point being: Google and the internet are better than books for learning. You were right ZipperJJ

I am having a similar problem.

I am trying to learn the combo of PHP and MySQL. A successful PHP file with a hard-wired search query works fine when loaded in the browser:

$result = mysql_query('select client.firstname, client.lastname, reoptxfr.casetype, reoptxfr.datefield, reoptxfr.closedon from client, reoptxfr WHERE client.assignedworkerslastname = \'hunter, allan\' and client.statusofcase = \'1 Active Case\' and client.clientid = reoptxfr.clientid order by client.lastname, client.firstname, reoptxfr.sequencenumber');

… but the current short-term goal is to start off with a page in which the user would TYPE IN the case worker’s last name and click the submit button which would POST that input from the input form and then have the PHP page pick up on the value passed to it and incorporate it into the query.

Well, this doesn't work. (It should give you a fairly concrete notion of what I'm trying to do, though.)

[noparse]
$input = $_POST['msg'];

$result = mysql_query('select client.firstname, client.lastname, reoptxfr.casetype, reoptxfr.datefield, reoptxfr.closedon from client, reoptxfr WHERE client.assignedworkerslastname = $input and client.statusofcase = \'1 Active Case\' and client.clientid = reoptxfr.clientid order by client.lastname, client.firstname, reoptxfr.sequencenumber');[/noparse]

The “submit form” is a very simple bit of HTML:

[noparse]
<html>
<head></head>
<body>
<form action="nextsqlphp.php" method="post">
Enter your message: <input type="text" name="msg" size="30">
<input type="submit" value="Send">
</form>
</body>
</html>
[/noparse]

Anyone know how to pass a param from an initial web page screen to the PHP on the next so that the target page’s PHP will use the value handed off to it in a search query?

Inserting the $input directly into the string doesn’t seem to work with single quote strings.

Try changing your single quotes to double quotes. Remember to change your \'1 Active Case\' line to '1 Active Case' (which will be OK if using double quote strings).

From one learner to another :)

Alternatively, change this bit -

…client.assignedworkerslastname = $input and…

to

…client.assignedworkerslastname = ' . $input . ' and…

ETA: Your actual posting of the variable seems to be fine. It’s the inserting of it into your sql query string that was wrong.

Using double-quotes should make it work, but you really shouldn’t do this – it makes your code vulnerable to SQL injection. Anybody could enter something on your form like “; DROP TABLE Allyourimportantstuff;” and wreak havoc.

The proper way to do dynamic queries is to use placeholder variables (not sure how this is done in PHP though. With Perl DBI you use a ? and a separate statement to bind the placeholders to variables.)

ETA: This reply posted before I saw friedo’s post…
And one more… If you're learning about SQL/PHP then I advise you to Google 'sql injection'.

I am just as guilty of writing vulnerable code, but now I know that when inserting variables directly into your sql you have a vulnerability.

If someone entered bob';drop table client; as a name then your table would be deleted.

ETA: SQL injection - Wikipedia
ETA: Another imperfection of the book - teaching bad practices. (naughty book!)

I think you want something like this:


<?php
   $variable = 20;
?>

The value of variable is: <?php echo $variable; ?>

Alternatively (and my preference), you don’t even have to leave the php block and can spit the whole thing out inside php:


<?php
   $variable = 20;
   
   echo "The value of variable is: $variable";
?>
<?= $variable ?>

After looking into it a bit more, what you are trying to do isn’t necessarily incorrect. (Maybe it needs a white space around the variable? I’ve never used that tag format. )

For it to work it is dependent upon the PHP config setting short_open_tag, which must be set to true. This won't always be the case from one PHP config to the next.

Yeah I figured that out (see post #2). I know I can do it in the two other styles, but I wanted the <?=$variable?> style to work, as it could make for ‘better’ code.

Your first example has ‘hunter, allan’ and your second just has $input (no quotes). If your variable has spaces and commas, etc, then your query will fail.

$input should be '$input'

BTW, MySQL is case insensitive, but should you migrate to a different database it might be case sensitive, so watch out how you’re matching your variables.

One last suggestion to debug is to make your query a string, then echo the query. That will tell you exactly what data has been used to construct the query.

e.g.

[noparse]
$input = $_POST['msg'];

$sql = 'select client.firstname, client.lastname, reoptxfr.casetype, reoptxfr.datefield, reoptxfr.closedon from client, reoptxfr WHERE client.assignedworkerslastname = $input and client.statusofcase = \'1 Active Case\' and client.clientid = reoptxfr.clientid order by client.lastname, client.firstname, reoptxfr.sequencenumber';
echo $sql;
[/noparse]

Even if your page will never be seen by ne’er-do-wells who exploit SQL Injection, there is a more fundamental problem with using SQL statements that are pieced together with values:

Guess what happens when you search on the name O’Brian

In short, you have to be careful to escape all single quotes in values that are passed in.

Better off using bind variables (I know nothing about PHP, but I’m certain that bind variables must be supported).

This is your O’Brain

This is your O’Brain on PHP…

OK folks (both here and backchannel, THANKS!!), I have suggestions to try as soon as I have opportunity. I will report back .

Yup. At the very least do a replace to make ' turn into \' and \ into \\ to avoid basic SQL injection. The better plan is to make it a stored procedure and use a parameterized query, assuming the MySQL people have bothered to implement procedures and the PHP people have bothered to implement parameterized queries. I think MySQL may have finally gotten around to acting like a real database. Can't say re: PHP.

mysql_real_escape_string()

Edit: The mysqli extension supports parameterized queries through prepare.

Looking into those. It seems like a lot of faffing about to generate a string for a query. And you can't test your code with those functions without making real connections to the DB.

Isn’t there a more basic way? Something you can just work on a string with such as…


<?php

$badinput = $_POST['name'];

$goodinput = sanitize($badinput);

$sqlquery = "select * from table where name = '" . $goodinput . "'";

?>

http://us.php.net/manual/en/function.addslashes.php
Returns a string with backslashes before characters that need to be quoted in database queries etc. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).

So $goodinput = addslashes($badinput); or even $goodinput = addslashes($_POST["name"]);
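Several posts above recommend bind variables or mysqli's prepare() without showing them, and the O'Brian post shows why escaping by hand is fragile. The block below is an added example, not code posted by anyone in this thread: it runs the thread's case-worker search first by pasting the POSTed value into the SQL string and then with a PDO prepared statement. It assumes the pdo_sqlite extension and an in-memory SQLite database with a constructed client table (so it runs without a MySQL server; the prepare()/execute() calls are the same against a mysql: DSN). Column names are borrowed from the thread; the rows and the function names are made up here.

```php
<?php
// Added example (not from the thread): the same search done by string
// concatenation and then with a placeholder. Uses SQLite in memory so it
// runs offline; against MySQL only the PDO DSN would change.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data, loosely modelled on the thread's client table.
$pdo->exec('CREATE TABLE client (clientid INTEGER PRIMARY KEY, firstname TEXT,
            lastname TEXT, assignedworkerslastname TEXT, statusofcase TEXT)');
$pdo->exec("INSERT INTO client VALUES (1, 'Ann', 'Smith', 'hunter, allan', '1 Active Case')");
$pdo->exec("INSERT INTO client VALUES (2, 'Pat', 'Jones', 'o''brian',      '1 Active Case')");
$pdo->exec("INSERT INTO client VALUES (3, 'Sam', 'Brown', 'hunter, allan', '2 Closed')");

// 1. The thread's approach: the POSTed value is pasted straight into the SQL.
function searchByConcatenation(PDO $pdo, string $worker): array
{
    $sql = "SELECT firstname, lastname FROM client
            WHERE assignedworkerslastname = '$worker'
              AND statusofcase = '1 Active Case'
            ORDER BY lastname, firstname";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. The fix: named placeholders, values bound at execute() time. The value
//    never becomes part of the SQL text, so quotes in it are just data.
function searchByPlaceholder(PDO $pdo, string $worker): array
{
    $stmt = $pdo->prepare(
        'SELECT firstname, lastname FROM client
         WHERE assignedworkerslastname = :worker
           AND statusofcase = :status
         ORDER BY lastname, firstname'
    );
    $stmt->execute([':worker' => $worker, ':status' => '1 Active Case']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Ordinary input: both versions return Ann Smith (Sam Brown's case is closed).
print_r(searchByConcatenation($pdo, 'hunter, allan'));
print_r(searchByPlaceholder($pdo, 'hunter, allan'));

// The O'Brian problem: the apostrophe terminates the quoted literal and the
// concatenated query is a syntax error...
try {
    searchByConcatenation($pdo, "o'brian");
} catch (PDOException $e) {
    echo "concatenation failed: ", $e->getMessage(), "\n";
}
// ...while the prepared statement simply finds Pat Jones.
print_r(searchByPlaceholder($pdo, "o'brian"));

// The injection: a value that closes the quote and rewrites the WHERE clause.
// Concatenated, the condition becomes  = 'x' OR '1'='1' AND statusofcase = ...
// which matches every active case; bound, it matches no one.
$payload = "x' OR '1'='1";
echo count(searchByConcatenation($pdo, $payload)), " rows from concatenation\n";
echo count(searchByPlaceholder($pdo, $payload)), " rows from placeholder\n";
```

Run it with the php command-line binary. The payload here only rewrites the WHERE clause rather than appending the thread's DROP TABLE, because stacked statements need an API that executes more than one statement per call and the old mysql_query() does not; a data leak through the search results is already enough to make the point. addslashes() would neutralise both inputs above, but it knows nothing about the connection's character set, which is why the thread's mysql_real_escape_string() exists; a prepared statement sidesteps the whole escaping question, and the same prepare()/execute() pattern is what the mysqli extension offers.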