On 21/04/2004, at 12:39 PM, Anthony Ritter wrote:

$searchtext = $_POST['searchtext'];

Firstly, using POST data directly in an SQL query is *really dangerous*. At the very least, you might want to trim its length, strip tags, and trim white space.


$searchtext = trim(strip_tags(substr($_POST['searchtext'],0,255)));

Search the web (or even the PHP list) for "cleaning user input" and "sql injection" for starters.


<?php
$dbcnx = mysql_connect('localhost', 'root', 'mypass');
mysql_select_db('sitename');

// The basic SELECT statement
$select = 'SELECT DISTINCT merch.ID, merch.blurb, merch.price';
$from   = ' FROM merch';
$where  = ' WHERE 1=1  ';

$lid = $_REQUEST['lid'];
if ($lid != '') { // A lot is selected
  $where .= " AND lid='$lid'";
}

$searchtext = $_POST['searchtext'];
if ($searchtext != '') { // Some search text was specified
  $where .= " AND blurb LIKE '%$searchtext%'";
}
?>

[snip]


I am trying to work out a way to display a page that might say - "Please
enter a word" if the user fails to insert a word in the textbox.

I think you need to tweak your logic a bit.



<?php
$dbcnx = mysql_connect('localhost', 'root', 'mypass');
mysql_select_db('sitename');

$lid        = trim(strip_tags(substr($_POST['lid'], 0, 255)));
$searchtext = trim(strip_tags(substr($_POST['searchtext'], 0, 255)));

if (!$searchtext) {
    echo "please enter some search text";
    exit;
} else {
    // basic search
    $sql = "SELECT DISTINCT ID, blurb, price FROM merch WHERE blurb LIKE '%{$searchtext}%'";
    if ($lid) {
        // add on lid if needed
        $sql .= " AND lid='{$lid}'";
    }
    $sql .= " ORDER BY something"; // add on an order by? (replace 'something' with a real column)
    $sql .= " LIMIT 50";           // add on a LIMIT?
    $res = mysql_query($sql);

    if ($res && mysql_num_rows($res)) {
        echo "<table>";
        echo "<tr><th>Click for details</th>...</tr>";
        while ($row = mysql_fetch_array($res)) {
            echo "<tr><td>{$row['blurb']}</td>...</tr>";
        }
        echo "</table>";
    } else {
        echo "your search returned 0 matches";
    }
}
?>


Of course there's plenty more that this script could and should do, but the basics are there. You need to alter your logic so that you:


- only perform a search query when/if needed
- output meaningful error messages for different instances
- ensure that your GET or POST data is as clean and safe as possible


Good luck!


NOTE: the above code is obviously untested and slapped together...


--- Justin French http://indent.com.au
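The cleaning suggested above (cap the length, strip tags, trim) still leaves the text interpolated into the query string, so it does not by itself stop SQL injection. The following is an added example, not code from either poster, of the same search built on a PDO prepared statement: the `merch` table and its columns come from the post; the DSN, credentials, `ORDER BY price`, and the numeric `lid` check are assumptions.

```php
<?php
// Added example (not from the thread): the reply's search rebuilt on a PDO
// prepared statement. Assumes PHP 7.1+, pdo_mysql, table merch (ID, blurb,
// price, lid) as in the post, and a hypothetical DSN/credentials.
// Normalise the search term the way the reply suggests; null means "empty".
function cleanSearchText(string $raw): ?string
{
    $text = trim(strip_tags(substr($raw, 0, 255)));
    return $text === '' ? null : $text;
}

// Escape LIKE metacharacters so a typed "%" or "_" matches literally instead
// of widening the match to every row (MySQL's default LIKE escape is "\").
function likeLiteral(string $text): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $text);
}

// Build the SQL with placeholders plus the matching parameter list.
function buildMerchSearch(string $searchText, string $lid): array
{
    $sql    = 'SELECT DISTINCT ID, blurb, price FROM merch WHERE blurb LIKE ?';
    $params = ['%' . likeLiteral($searchText) . '%'];
    if ($lid !== '' && ctype_digit($lid)) {   // assumption: lot ids are numeric
        $sql     .= ' AND lid = ?';
        $params[] = (int) $lid;
    }
    return [$sql . ' ORDER BY price LIMIT 50', $params];
}
$searchText = cleanSearchText($_POST['searchtext'] ?? '');
if ($searchText === null) {
    echo 'Please enter some search text';
    exit;
}
[$sql, $params] = buildMerchSearch($searchText, trim($_POST['lid'] ?? ''));
$pdo = new PDO('mysql:host=localhost;dbname=sitename;charset=utf8mb4',
               'dbuser', 'dbpass', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
                                    PDO::ATTR_EMULATE_PREPARES => false]);
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
if (!$rows) {
    echo 'Your search returned 0 matches';
} else {
    foreach ($rows as $row) {   // blurb is rendered as HTML, so escape on output
        echo '<tr><td>' . htmlspecialchars($row['blurb']) . '</td></tr>';
    }
}
```

The bound `%...%` value is data to the server, so quotes in the search text cannot change the statement; `likeLiteral` only keeps a typed `%` from matching every row.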

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
