iftimahmud / anywhereindb Goto Github PK

The script provides no proper handling of search strings sent directly to the 
database. If you do not run with magic_quotes on, a search string like

" UNION SELECT password FROM mysql.user; -- 

leaves you open to sql injection attacks.

The test for fields to search checks only if the first 7 characters include 
'varchar' or 'text'. That means the following types will not be searched:

char
longtext
mediumtext
tinytext

Change this line:

if(substr($collum[$j]['Type'],0,7)=='varchar'|| 
substr($collum[$j]['Type'],0,7)=='text')

to at least:

if(substr($collum[$j]['Type'],0,7)=='char'|| 
substr($collum[$j]['Type'],0,10)=='text')

You may also consider the binary, varbinary, and blob types too.

Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in 
C:\xampp\htdocs\anywhereindb.php on line 163

What steps will reproduce the problem?
1.
2.
3.

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?


Please provide any additional information below.

What steps will reproduce the problem?
1. it's not responding whit persian language result
2.
3.

What is the expected output? What do you see instead?
when i search persian words 
the input is ?????????


What version of the product are you using? On what operating system?


Please provide any additional information below.

this my web page  
http://saderzamin.ir/anywhereindb.php
 please search a persian words . like مهدی
how i can show the persian result ??

It's a great tool! But, I found out that it can not search text fields in 
db. I looked at the code and saw that in the condition 

if(substr($collum[$j]['Type'],0,7)=='varchar'|| substr($collum[$j]
['Type'],0,7)=='test')

if I change the 'test' to 'text', then it works all fine. This is probably 
a typo from you, right?  :-)

Running a search that returns no result. You will see the 
message "undefined variable data ..." 
followed by "sorry, xxx is not found in database. .."

I found that it was caused by the fetch_array function. I changed the code 
a bit, adding a check condition to see if $data is declared, if not, 
return 0. And I also changed the check condition at line 173 to

if($search_result != 0)

and it worked. Hopefully it helps. :-)

What steps will reproduce the problem?
1. Search anything which yields a result

Expected to see the results on page. But results area remains blank. In 
Firebug>Console I can see the results. Firebug also gives an error message: 
text=null

Using V0.33 on Win7 64b Firefox 12 or Chrome 18.0.1025.168 m

The query builds the search string with double-quotes. If the server is running 
with ansi_quotes in the SQL mode, this will result in an error. Use single 
quotes instead:

$search_sql .= '`'.$collum[$j]['Field'] .'` like "%'.$search_text.'%" ';

should be

$search_sql .= '`'.$collum[$j]['Field'] .'` like \'%'.$search_text.'%\' ';

The search doesn't output anything.

Using: anywhereindb_0_33 on Windows 7 with any Chrome and Mozilla.

Please provide any additional information below.

Firebug shows:
TypeError: text is null
text = text.replace(/>/g,"&gt;").replace(/</g,"&lt;").replace(search_text_d, 
"<s...


Solution:
surround line 590 (in the text_processing function) a check for a valid text, 
i.e.:
if ( text && 0 < text.length ) {
   text = text.replace(/>/g,"&gt;").replace(/</g,"&lt;").replace(search_text_d, "<span class=hg>\$1</span>");
}


There's also another typo at line 463, with consequences:
   <form id=search action="<?php echo $_SERVER['PHP_SELF'];?>" method=POST>
should read:
   <form id=search action="<?php echo $_SERVER['PHP_SELF'];?>" method="POST">

Cheers,
Marcello


I've attached the full working code. Thanks a lot for your work.

Line 172 - the word 'Toatl' should be 'Total'

This is a great tool. Thanks very much. Hope this contribution is useful!


What version of the product are you using? On what operating system?
Version 1.0.1

Fatal error: Call to undefined function: json_encode() in 
/home/content/m/e/e/meenusa641/html/hpi/db/search33.php on line 390

What steps will reproduce the problem?
1. Install (copy file)
2. Edit databse info in file (verified correct)
3. Open in broweser

What is the expected output? What do you see instead?
  Expecting search form.
Instead, these errors:
  - Notice: Undefined index: logout in C:\<mywebserverdir>\www\_util\anywhereindb_0_33.php on line 150

  - Notice: Undefined index: search_text in C:\<mywebserverdir>\www\_util\anywhereindb_0_33.php on line 150

  - Notice: Undefined index: server in C:\<mywebserverdir>\www\_util\anywhereindb_0_33.php on line 150

  - Notice: Undefined index: init in C:\<mywebserverdir>\www\_util\anywhereindb_0_33.php on line 150

What version of the product are you using? On what operating system?


This is a functioning WordPress database, and I am able to run a site and 
arbitrary SQL on it.

Windows 7
WAMP Server
Apache Version: 2.2.22  
PHP Version: 5.3.13  
MySQL Version: 5.5.24

The CSS for the .search_text class should contain display:inline so that the 
<pre> tag doesn't cause the found text to jump to the next line.

See attached images for examples of how it is now "display-block" and how it 
should be "display-inline".

Also attached is a patch file of the change, should you wish to apply it.

I modified the original code to work with the php_sqlsrv.dll. Use it if you 
want to.

Your code helped me a lot Thanks,

Jerred Schmidt

thanx for the code, but it returns all the columns in table, how can i change 
the code to return columns which included keyword or some other specific 
columns?

The code selects every single row in the every single table in the database 
just to see if there are any rows, before building the query to see if there 
are any rows with a matching string. Performance will be awful with a database 
of any notable size.

The performance of querying an empty table will be much more tolerable than 
selecting every single row from the entire database.

Discard these lines:
                        //@abstract querry bliding of each table
                        $sql = 'select * from '.$tables[$i]['Tables_in_'.$dbname];
                        $res = mysql_query($sql);

                        if(mysql_affected_rows()>0)

If you absolutely have to check if there are rows first, look in the table 
status, or at least just SELECT COUNT(*) FROM table;

mysql_affected_rows() is the wrong function to use here anyway; the PHP manual 
says to use mysql_num_rows() after a SELECT statement. It does work in modern 
libraries, but you should not rely on non-documented behavior.

Hi,
it is a great tool, thanks for developing and sharing it. We tried to use
it to search for spam user registration/postings on our web-site, and,
indeed found some users with abusing content in theirs profiles. 

When script shows the content frome those fields where it does fount
matching with search keyword, it just put the  value of this field into the
results table. And if the search result contains some HTML mark up it
brakes page layout. It is probably would be great to have an option to
clean all the html formatting from the field value before putting it into
script's output table.

Thanks