
Website Search Box

Need help with PHP/Mysqli website search

3:36 pm on Mar 22, 2016 (gmt 0)
Junior Member (10+ Year Member), joined: Jan 16, 2009, posts: 56, votes: 3


I want to put a search box on my site using php/mysqli, since others available through Google and the like, although they are free, have ads associated and they may be my competitors' ads.

The first issue is that I know I need to make certain that I am preventing sql injection, but do not know exactly where to place that code. The pages as they are now do function properly, however, in addition to looking in the color_name field for the searched term, I also need to look in desc, style_no, and style_desc fields for the searched term.

I have made numerous attempts to alter the code based on articles I found online, but it has now been weeks with no success. I also made a failed attempt at using MATCH, as the fields referenced are set as "FULL TEXT" and the engine is MyISAM. I would appreciate any assistance I can receive in better understanding how to accomplish this goal.

Thank you all in advance.

Here is the form code:

<form action='search2.php' method='GET'>
<input type='text' size='90' name='search'><br><br>
<input type='submit' name='submit' value='Search'><br><br><br>
</form>


and here's the 'search2.php' page

<?php

// isset() avoids an "undefined index" notice when the form was not submitted
$button = isset($_GET['submit']);
$search = isset($_GET['search']) ? $_GET['search'] : '';

if (!$button) {
    echo "you didn't submit a keyword";
} else {
    if (strlen($search) <= 1) {
        echo "Search term too short";
    } else {
        echo "You searched for <b> $search </b> <hr size='1'> <br> ";
        include('admin/misc.inc');
        // mysqli_error() needs a link argument; at connect time use mysqli_connect_error()
        $cxn = mysqli_connect($host, $user, $passwd, $dbname)
            or die("couldn't connect to server " . mysqli_connect_error());

        $search_exploded = explode(" ", $search);

        // both variables must exist before the loop appends to them
        $x = 0;
        $construct = "";
        foreach ($search_exploded as $search_each) {
            $x++;
            if ($x == 1)
                $construct .= "color_name LIKE '%$search_each%'";
            else
                $construct .= " OR color_name LIKE '%$search_each%'";
        }
        // NOTE: $search_each is placed into the SQL text unescaped; this is the
        // SQL injection the post asks about and is still unfixed here
        $construct = "SELECT * FROM RMI_style WHERE $construct";
        $run = mysqli_query($cxn, $construct);

        $foundnum = mysqli_num_rows($run);

        if ($foundnum == 0) {
            echo "Sorry, there are no matching results for <b> $search </b>. <br> <br> 1. Try more general words. For example: if you want to search 'how to create a website' then use general keywords like 'create' 'website' <br> 2. Try different words with similar meaning <br> 3. Please check your spelling";
        } else {
            echo "$foundnum results found !<p>";

            while ($runrows = mysqli_fetch_assoc($run)) {
                $vendor   = $runrows['vendor_name'];
                $color    = $runrows['color_name'];
                $desc     = $runrows['desc'];
                $styleno  = $runrows['style_no'];
                $styledes = $runrows['style_desc'];
                $url      = $runrows['order_url'];

                echo "<a href='$url'>$vendor $color $desc Style #$styleno</a> $styledes</p>";
            }
        }
    }
}
?>
6:33 pm on Mar 23, 2016 (gmt 0)
Junior Member (10+ Year Member), joined: Jan 16, 2009, posts: 56, votes: 3


Have I posted this in the wrong forum? Please let me know if I have and in what forum I should post to receive assistance.

Thank you...if anyone is listening!
2:34 pm on Apr 21, 2016 (gmt 0)
Administrator coopster (WebmasterWorld Top Contributor of All Time, 10+ Year Member), joined: July 31, 2003, posts: 12555, votes: 3


The first issue is that I know I need to make certain that I am preventing sql injection, but do not know exactly where to place that code.


Never trust user-supplied data. Any values you are going to use in SQL are going to need to be escaped, at the very least. The PHP MySQL functions provide a couple of ways to prepare your statements for query execution. Have a look through the functions, particularly those that escape data:

[php.net...]
[php.net...]

You can also use prepared statements.
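As an added example (not code from the thread, and not coopster's), here is search2.php rewritten around a mysqli prepared statement, searching all four columns the original poster listed. It assumes the table RMI_style and the columns named in the first post, the connection variables from the poster's admin/misc.inc, and PHP 7.4 or later. User input never becomes part of the SQL text: the query is built only from fixed column names and `?` placeholders, and every term is passed through bind_param(). Two extra points a practitioner would want: the LIKE wildcards `%` and `_` are escaped so a search for "100%" matches literally, and everything echoed back into the page, including the search term itself, goes through htmlspecialchars(), since the original reflected `$_GET['search']` unescaped.

```php
<?php
// Added example (not from the thread): multi-column keyword search with
// mysqli prepared statements. Assumed from the original post: table
// RMI_style, its columns, and $host/$user/$passwd/$dbname in admin/misc.inc.
declare(strict_types=1);

// Make mysqli throw on errors instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

require 'admin/misc.inc';
$cxn = new mysqli($host, $user, $passwd, $dbname);
$cxn->set_charset('utf8mb4');

$search = trim((string) ($_GET['search'] ?? ''));
if (mb_strlen($search) <= 1) {
    exit('Search term too short');
}

// Split on runs of whitespace and cap the term count so a long query
// string cannot turn into an enormous OR chain.
$terms = array_slice(preg_split('/\s+/', $search, -1, PREG_SPLIT_NO_EMPTY), 0, 10);

// Column names are fixed in code and never taken from the request.
// `desc` is a reserved word in MySQL, so it has to be backtick-quoted.
$columns = ['color_name', '`desc`', 'style_no', 'style_desc'];

$conditions = [];
$params     = [];
foreach ($terms as $term) {
    // Escape LIKE metacharacters so "100%" or "A_1" match literally.
    // Backslash is MySQL's default LIKE escape character.
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    foreach ($columns as $col) {
        $conditions[] = "$col LIKE ?";
        $params[]     = $pattern;
    }
}

// Only fixed column names and placeholders are concatenated into the SQL;
// every user-derived value travels separately through bind_param().
$sql = 'SELECT vendor_name, color_name, `desc`, style_no, style_desc, order_url'
     . ' FROM RMI_style WHERE ' . implode(' OR ', $conditions);

$stmt = $cxn->prepare($sql);
$stmt->bind_param(str_repeat('s', count($params)), ...$params);
$stmt->execute();
$result = $stmt->get_result(); // needs the mysqlnd driver (PHP's default)

// HTML-escape everything echoed into the page, the search term included.
$h = static fn(?string $v): string => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8');

echo 'You searched for <b>' . $h($search) . "</b><hr size='1'><br>";

if ($result->num_rows === 0) {
    echo 'Sorry, there are no matching results for <b>' . $h($search) . '</b>.';
} else {
    echo $result->num_rows . ' results found!<p>';
    while ($row = $result->fetch_assoc()) {
        echo "<a href='" . $h($row['order_url']) . "'>"
           . $h($row['vendor_name']) . ' ' . $h($row['color_name']) . ' '
           . $h($row['desc']) . ' Style #' . $h($row['style_no'])
           . '</a> ' . $h($row['style_desc']) . '</p>';
    }
}

$stmt->close();
$cxn->close();
```

The same placeholder mechanism works if you later get the FULLTEXT route going: `MATCH(color_name, `desc`, style_no, style_desc) AGAINST (? IN BOOLEAN MODE)` with the joined terms bound as one string, provided a single FULLTEXT index is defined over exactly that column list. Two MyISAM defaults that commonly make MATCH appear to "fail" are the minimum indexed word length (ft_min_word_len, default 4, so short style numbers are never indexed) and the stopword list.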