search engine

amirbwb
Forum Commoner
Posts: 89
Joined: Sat Oct 30, 2010 6:10 pm

search engine

Post by amirbwb »

Hello :D:D I am trying to make a search engine on my localhost site:

##########################################################################

Code:

...

// Raw form input. Interpolating these values straight into the SQL string
// below is the injection problem this post describes: a quote in $search
// breaks the statement, and $inside, $order and $ad are column names and a
// keyword taken directly from the client.
$search = isset($_POST['search']) ? $_POST['search'] : '';
$inside = isset($_POST['inside']) ? $_POST['inside'] : '';
$order  = isset($_POST['order'])  ? $_POST['order']  : '';
$ad     = isset($_POST['ad'])     ? $_POST['ad']     : '';
if ($inside == '') { $inside = 'subjects'; }
if ($order  == '') { $order  = 'quest_id'; }
if ($ad     == '') { $ad     = 'ASC'; }

mysql_select_db($database_login, $login);
// Unescaped, unquoted interpolation: this is the line that produces the
// MySQL syntax error shown below when a ' is submitted.
$query_quest = "SELECT * FROM questions WHERE $inside LIKE '%$search%' ORDER BY $order $ad";
$quest = mysql_query($query_quest, $login) or die(mysql_error());
$row_quest = mysql_fetch_assoc($quest);
$totalRows_quest = mysql_num_rows($quest);
?>
...

Code:

<form id="form1" name="form1" method="post" action="">
      <p>
        <label>
          <input name="search" type="text" id="textfield" size="100" value="<?php /* escape before echoing user input back into the page */ echo htmlspecialchars($search, ENT_QUOTES, 'UTF-8'); ?>" />
        </label>
        <label>
          <input type="submit" name="button" id="button" value="Search" />
        </label>
      </p>
      <p>
        <label>
          inside:
          <select name="inside" id="inside">
            <option value="content">question</option>
            <option value="subjects" selected="selected">subject</option>
            <option value="userid">user_id</option>
          </select>
        </label>
      </p>
      <p>order by
        <label>
          <select name="order" id="order">
            <option value="userid">user id</option>
            <option value="id">quest ID</option>
            <option value="subjects" selected="selected">subject</option>
            <option value="content">question</option>
          </select>
        </label>
        <label>
          <select name="ad" id="ad">
            <option value="ASC" selected="selected">Ascending</option>
            <option value="DESC">Descending</option>
          </select>
        </label>
      </p>
    </form>
Everything is OK with this code, but the problem is that I tried to hack my site, so I entered ' in the field and the result was:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%' ORDER BY quest_id ASC' at line 1
So maybe this site will be hacked by SQL injection or something similar...

Can someone give me a solution?
I was thinking of allowing only letters or a similar script, but actually I didn't find it, and I'm not sure that this is the best solution.
Thanks for helping.
:crazy: :crazy: PLEASE DO NOT POST REPLIES THAT DON'T HELP ME FIND THE SOLUTION, THANKS^^
s992
Forum Contributor
Posts: 124
Joined: Wed Oct 27, 2010 3:06 pm

Re: search engine

Post by s992 »

I think this is probably what you're looking for: http://us2.php.net/mysql_real_escape_string
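A hardened version of the search from the first post, added here as an example and not code from either poster: the search text is bound as a prepared-statement parameter, and the column names and sort direction, which cannot be bound, are checked against whitelists instead of being escaped. It assumes a PDO connection (host, database name and credentials are placeholders) and a `questions` table with the columns the form uses.

```php
<?php
// Added example, not from the original post: the same search using PDO.
// Connection details are placeholders; replace them with your own.
$pdo = new PDO('mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4', 'YOUR_USER', 'YOUR_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
]);

// Whitelists: only these identifiers may ever reach the SQL string.
$searchable = ['content', 'subjects', 'userid'];
$sortable   = ['quest_id', 'userid', 'subjects', 'content'];
$directions = ['ASC', 'DESC'];

$search = isset($_POST['search']) ? (string) $_POST['search'] : '';
$inside = isset($_POST['inside']) ? $_POST['inside'] : 'subjects';
$order  = isset($_POST['order'])  ? $_POST['order']  : 'quest_id';
$ad     = isset($_POST['ad'])     ? strtoupper($_POST['ad']) : 'ASC';

// Anything not on a whitelist falls back to the default instead of being
// interpolated; the strict flag on in_array() avoids loose comparisons.
if (!in_array($inside, $searchable, true)) { $inside = 'subjects'; }
if (!in_array($order,  $sortable,   true)) { $order  = 'quest_id'; }
if (!in_array($ad,     $directions, true)) { $ad     = 'ASC'; }

// Escape LIKE metacharacters so a user typing % or _ matches them literally.
$pattern = '%' . addcslashes($search, '%_\\') . '%';

// Identifiers are whitelisted and backtick-quoted; the search value is a placeholder.
$sql  = "SELECT * FROM `questions` WHERE `$inside` LIKE :pattern ORDER BY `$order` $ad";
$stmt = $pdo->prepare($sql);
$stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
$stmt->execute();

$rows            = $stmt->fetchAll(PDO::FETCH_ASSOC);
$totalRows_quest = count($rows);

// A stray quote in $search is now just part of the searched text; the
// syntax error shown in the first post cannot occur.
foreach ($rows as $row_quest) {
    echo htmlspecialchars($row_quest['subjects'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

Escaping with mysql_real_escape_string only protects quoted string values; the column and direction names in this query are not inside quotes, which is why they are whitelisted rather than escaped.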