A problem with my search

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
Wldrumstcs
Forum Commoner
Posts: 98
Joined: Wed Nov 26, 2003 8:41 pm

A problem with my search

Post by Wldrumstcs »

I am creating my own forum for good practice, but I have run into a few bumps. I am searching a DB for keywords from posts or replies in a DB. First of all, in my DB, I have a table named 'reply' and another named 'post.' My problems are: when someone types in only a username, the search page doesn't come up with just that person's posts, but rather everyone's. Also, I could not think of a way to set the '$reply_link' variable. I need it to work so that if a reply comes up with a hit, the original topic it was posted under comes up in the search results with a '#$reply_id' come at the end of the link. Sorry if any of that is confusing... And don't mind the [] not having quotes in them. I know it isn't proper PHP, but I get lazy. I don't think that that is the problem though.

Code: Select all

<?
$searchin2 = "";
$searchmember2 = "";
$searchmember3 = "";
$searchforum2 = "";
$searchforum3 = "";


IF($_GET[submit] == "Search"){
IF($_GET[query] != "" OR $_GET[member] != ""){

echo "
<html>

<head>
<title>Search Results</title>
</head>

<body>

<p><font size='5'><b>Search Results</b></font></p>
<table border='0' width='100%' cellspacing='0' cellpadding='0'>
	<tr>
		<td align='left' width='55%'><b>Topic</b></td>
		<td align='left' width='20%'><b>Date</b></td>
		<td align='left' width='25%'><b>Forum</b></td>
	</tr>";
	
	include('connect.php');

$user_id_query = mysql_query("SELECT user_id FROM users WHERE username='$_GET[member]' LIMIT 1");         
		while($row = mysql_fetch_array($user_id_query)) 
      { 
        $user_id = $row['user_id']; 
}

IF($_GET[member] == ""){
$searchmember2 = "";
}ELSEIF($_GET[member] != ""){
$searchmember2 = "AND post_userid='$user_id'";
$searchmember3 = "AND reply_user_id='$user_id'";
}
IF($_GET[searchforum] == ""){
$searchforum2 = "";
$searchforum3 = "";
}ELSEIF($_GET[searchforum] != ""){
$searchforum2 = "AND post_forum='$_GET[searchforum]'";
$searchforum3 = "AND reply_forum='$_GET[searchforum]'";
}
IF($_GET[searchin] == "message"){
$searchin2 = "post_text";
}ELSEIF($_GET[searchin] == "subject"){
$searchin2 = "post_subject";
}

$search_reply = mysql_query("SELECT * FROM reply WHERE reply_text LIKE '%$_GET[query]%' OR reply_user_id='%$_GET[member]%' $searchmember3 $searchforum3 ORDER BY reply_date DESC"); 
   while($row2 = mysql_fetch_array($search_reply)){ 
$reply_post_id = $row2["reply_post_id"]; 
$reply_id = $row2["reply_id"];

IF($reply_post_id == ""){
$searchreply = "";
$reply_link = "";
}ELSEIF($reply_post_id != ""){
$searchreply = "AND post_id='$reply_post_id'";
$reply_link = "#$reply_id";
}
$row2_count++;
}

$search_thread = mysql_query("SELECT * FROM post WHERE $searchin2 LIKE '%$_GET[query]%' OR post_userid LIKE '%$_GET[member]%' $searchmember2 $searchforum2 $searchreply ORDER BY post_date DESC"); 
   while($row = mysql_fetch_array($search_thread)){ 

$forum_id=$row["post_forum"];
$post_subject=$row["post_subject"];
$post_id = $row["post_id"]; 
$post_date = $row["post_date"];

$date = date("F j, Y",$post_date);

$forum_name_query = mysql_query("SELECT forum_name FROM forum WHERE forum_id='$forum_id'");

      while($row = mysql_fetch_array($forum_name_query)) 
      { 
        $forum_name = $row['forum_name']; 
}

	echo "
	<tr>
		<td align='left' width='55%'><a href='viewtopic.php?t=$post_id$reply_link'>$post_subject</a></td>
		<td align='left' width='20%'>$date</td>
		<td align='left' width='25%'><a href='viewforum.php?f=$forum_id'>$forum_name</a></td>
	</tr>
		";
		$row_count++;
}}
?>
</table>

</body>

</html>
<?
}ELSEIF($_GET[query] == "" AND $_GET[member] == ""){
?>
<html>

<head>
<meta http-equiv='Content-Language' content='en-us'>
<title>Search the Forums</title>
</head>

<body>

<form method='GET' action='search.php'>
	<table border='0' width='100%' cellspacing='1'>
		<tr>
			<td align='right' width='50%'>Search Words:</td>
			<td align='left' width='50%'>
			<input type='text' name='query' size='34'></td>
		</tr>
		<tr>
			<td align='right' width='50%'>Search Forum:</td>
			<td align='left' width='50%'><select size='1' name='searchforum'>
			<option value=''>Choose a Forum</option>
			<option value=''>--------------</option>
			<option value=''>All Forums</option>
			<option value=''>--------------</option>
			<?
include('connect.php');
$query = mysql_query("SELECT * FROM forum ORDER BY forum_name ASC");

while($row = mysql_fetch_array($query)){ 
$forum_name=$row["forum_name"];
$forum_id=$row["forum_id"];


	echo "
		  <option value='$forum_id'>$forum_name</option>
			";
			$i++;
}
?>
			
			</select></td>
		</tr>
		<tr>
			<td align='right' width='50%'>Search In:</td>
			<td align='left' width='50%'><select size='1' name='searchin'>
			<option selected value='message'>Entire Message</option>
			<option value='subject'>Subject</option>
			</select></td>
		</tr>
		<tr>
			<td align='right' width='50%'>Member Name:</td>
			<td align='left' width='50%'>
			<input type='text' name='member' size='26'></td>
		</tr>
	</table>
	<p>&nbsp;</p>
	<p align='center'><input type='submit' value='Search' name='submit'></p>
</form>

</body>

</html>
<?
}
?>

feyd | hey look ma,

Code: Select all

works now. [/color]
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I believe the problem has to do with your usage of LIKE and OR. You have an SQL injection potential as well.

I have seen odd behaviour from not quoting named array indices. I don't remember the circumstances, but I do remember running into issues with it.
Wldrumstcs
Forum Commoner
Posts: 98
Joined: Wed Nov 26, 2003 8:41 pm

Post by Wldrumstcs »

Any ideas how I should change my LIKE/OR statement? Also, what is sql injection potential?
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

try switching to AND.. make reply_user_id check with LIKE .. or better yet, dynamically build the matching syntax by looking for wildcards (if you have them) in the request information. Research into full-text searching, as it may help you find stuff easier/faster.

The sql injection potential comes from directly using $_GET data inside the query string, without any sanitizing or guarding of any nature.
Post Reply