##########################################################################
Code: Select all
...
$search=$_POST['search'];
$inside=$_POST['inside'];
$order=$_POST['order'];
$ad=$_POST['ad'];
if(!isset($inside)|| $inside==''){$inside='subjects';}
if(!isset($order)|| $order==''){$order='quest_id';}
if(!isset($ad)|| $ad==''){$ad='ASC';}
mysql_select_db($database_login, $login);
$query_quest = "SELECT * FROM questions WHERE $inside LIKE '%$search%' ORDER BY $order $ad";
$quest = mysql_query($query_quest, $login) or die(mysql_error());
$row_quest = mysql_fetch_assoc($quest);
$totalRows_quest = mysql_num_rows($quest);
?>Code: Select all
<form id="form1" name="form1" method="post" action="">
<p>
<label>
<input name="search" type="text" id="textfield" size="100" value="<?php echo $search; ?>" />
</label>
<label>
<input type="submit" name="button" id="button" value="Search" />
</label>
</p>
<p>
<label>
inside:
<select name="inside" id="inside">
<option value="content">question</option>
<option value="subjects" selected="selected">subject</option>
<option value="userid">user_id</option>
</select>
</label>
</p>
<p>order by
<label>
<select name="order" id="order">
<option value="userid">user id</option>
<option value="id">quest ID</option>
<option value="subjects" selected="selected">subject</option>
<option value="content">question</option>
</select>
</label>
<label>
<select name="ad" id="ad">
<option value="ASC" selected="selected">Ascending</option>
<option value="DESC">Descending</option>
</select>
</label>
</p>
</form>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%' ORDER BY quest_id ASC' at line 1
so maybe this site will be hacked by sql injection or something similar ...
can someone gives me a solution
i was thinking to allow only letters or a similar script but actually i didn't find it and I'm not sure that this is the best solution
thanks for helping