Tariq Ismail Dalvi wrote:
Hello Chris,
I am inserting the complete script for you to have a look at, and I was using
$s = $pages
// Get the search variable from URL
$var = @$_GET['q'] ;
$trimmed = trim($var); //trim whitespace from the stored variable
// rows to return
$limit=10;
// check for an empty string and display a message.
if ($trimmed == "")
{
echo "<p>Please enter a search...</p>";
exit;
}
// check for a search parameter
if (!isset($var))
{
echo "<p>We don't seem to have a search parameter!</p>";
exit;
}
I'd change that to:
if (!isset($_GET['q'])) {
echo "Search for something - or some other error message";
exit;
}
$search_term = trim($_GET['q']);
// Build SQL Query
$query = "select * from mytable where message like '%".$trimmed."%' order by id";
You have sql injection here. You need to use mysql_real_escape_string:
$query = "select * from table where message like '%" .
mysql_real_escape_string($search_term) . "%'";
$numresults=mysql_query($query);
$numrows=mysql_num_rows($numresults);
// If we have no results, offer a google search as an alternative
if ($numrows == 0)
{
echo "<h4>Results</h4>";
echo "<p>Sorry, your search: &quot;" . $trimmed . "&quot; returned zero results</p>";
}
You have an XSS injection problem here. You need to use htmlentities or
htmlspecialchars when you display user supplied input:
echo "Your search for &quot;" . htmlspecialchars($trimmed) . "&quot; returned no results";
exit;
// next determine if s has been passed to script, if not use 0
if (empty($s)) {
$s=0;
}
// get results
$query .= " limit $s,$limit";
$result = mysql_query($query) or die("Couldn't execute query");
You're re-running your query - this time with a limit.
The first query should either be a 'COUNT' (so it doesn't actually
retrieve all the results and return them; it just does a count), or, if
this is a MySQL-specific query (and will only ever be), possibly use
their special 'SQL_CALC_FOUND_ROWS' function (search
http://dev.mysql.com for it).
If it's a count, the first part will be something like:
$query = "select count(message_id) AS message_count from table where
message like '%" . mysql_real_escape_string($search_term) . "%'";
$results = mysql_query($query);
$row = mysql_fetch_assoc($results);
$messages_found = $row['message_count'];
Then run your actual search query with the limit so you only fetch 10
results.
// display what the person searched for
echo "<p>You searched for :<font color=blue size=+2> &quot;" . $var . "&quot;</font>";
XSS issue here again.
From here, rewrite it so it's a little easier to follow (and please use
variable names that make sense! $s and $q do not).
// work out pagination
$number_of_results_per_page = 10;
// number_of_pages will be:
// $messages_found / $number_of_results_per_page, rounded up so a
// partial last page still counts as a page
$number_of_pages = (int)ceil($messages_found / $number_of_results_per_page);
$current_page = 0;
if (isset($_GET['page'])) {
$current_page = (int)$_GET['page'];
}
// if we're on page 0, don't show a prev link
// if it's less than 0, someone is trying to be nasty!
if ($current_page > 0) {
// escape the script path and url-encode the search term before they go into the link
echo '<a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?q=' . urlencode($search_term) .
'&amp;page=' . ($current_page - 1) . '">Prev</a>';
}
// if we're not on the last page (pages are numbered from 0), show a next link
if ($current_page < $number_of_pages - 1) {
echo "Next link here";
}
--
Postgresql & php tutorials
http://www.designmagick.com/
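The points raised in the thread above (parameterised queries instead of string concatenation, a COUNT query before the LIMIT query, escaping on output, and a clamped integer page number), put together in one runnable script. This is an added example, not code from either poster: it uses PDO with an in-memory SQLite database so it runs without a MySQL server, and it assumes a table called `messages` with columns `id` and `message`; the sample rows are constructed for the demonstration.

```php
<?php
// Added example (not the original poster's code): the search/pagination
// script rebuilt with prepared statements and output escaping.
// Runs against an in-memory SQLite database; with MySQL you would change
// the DSN and the table would already exist.

function search_messages(PDO $db, string $term, int $page, int $per_page): array
{
    // Escape LIKE wildcards so a user typing "%" or "_" cannot match every row.
    // "!" is used as the escape character because it is portable across
    // SQLite and MySQL without backslash-quoting problems.
    $pattern = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term) . '%';

    // Count first, so the second query only fetches one page of rows.
    $count = $db->prepare("SELECT COUNT(*) FROM messages WHERE message LIKE :p ESCAPE '!'");
    $count->execute([':p' => $pattern]);
    $found = (int)$count->fetchColumn();
    $pages = (int)ceil($found / $per_page);

    // Clamp the page so a negative or oversized value cannot reach OFFSET.
    $page = max(0, min($page, max($pages - 1, 0)));

    $stmt = $db->prepare(
        "SELECT id, message FROM messages WHERE message LIKE :p ESCAPE '!'
         ORDER BY id LIMIT :lim OFFSET :off"
    );
    $stmt->bindValue(':p', $pattern);
    $stmt->bindValue(':lim', $per_page, PDO::PARAM_INT);
    $stmt->bindValue(':off', $page * $per_page, PDO::PARAM_INT);
    $stmt->execute();

    return [
        'found' => $found,
        'pages' => $pages,
        'page'  => $page,
        'rows'  => $stmt->fetchAll(PDO::FETCH_ASSOC),
    ];
}

function render(array $result, string $term): string
{
    // Everything user-supplied that reaches HTML goes through htmlspecialchars;
    // the same term placed in a URL goes through urlencode as well.
    $safe_term = htmlspecialchars($term, ENT_QUOTES, 'UTF-8');
    $out = "<p>You searched for: &quot;{$safe_term}&quot;</p>\n";
    if ($result['found'] === 0) {
        return $out . "<p>Sorry, your search returned zero results.</p>\n";
    }
    foreach ($result['rows'] as $row) {
        $out .= '<p>' . htmlspecialchars($row['message'], ENT_QUOTES, 'UTF-8') . "</p>\n";
    }
    $link = fn(int $p, string $label): string =>
        '<a href="?q=' . urlencode($term) . '&amp;page=' . $p . '">' . $label . "</a>\n";
    if ($result['page'] > 0) {
        $out .= $link($result['page'] - 1, 'Prev');
    }
    if ($result['page'] < $result['pages'] - 1) {
        $out .= $link($result['page'] + 1, 'Next');
    }
    return $out;
}

// Constructed sample data so the script runs without a MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, message TEXT)');
$ins = $db->prepare('INSERT INTO messages (message) VALUES (?)');
foreach (['hello world', 'hello again', 'goodbye', '<b>hello</b>', '100% done'] as $m) {
    $ins->execute([$m]);
}

// Default search term "%" shows the wildcard escaping: it matches only the
// row that really contains a percent sign, not every row. Try q=hello'+OR+'1'='1
// or q=<script> to see the injection and XSS attempts rendered harmlessly.
$term = trim((string)($_GET['q'] ?? '%'));
$page = (int)($_GET['page'] ?? 0);
echo render(search_messages($db, $term, $page, 2), $term);
```

Two choices worth noting: the page number is cast to int and clamped inside the query function rather than trusted from the URL, and LIMIT/OFFSET are bound as integers rather than interpolated, so neither the search term nor the pagination values ever touch the SQL text.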
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php