simple mysql database search. Help

Posted: Mon Aug 18, 2008 3:05 am
by jwrigh26
Hey everybody,
If anyone knows why this happens, I would love to hear the explanation.
I've built a simple search bar for a forum I'm building. Everything is working how I want it to,
but whenever I put a " ' " in the search bar and check for, say, man's best friend, something happens and I get a blank screen with no errors or any feedback to let me know what's going on.

Is this a glitch from MySQL or what???? :banghead:

Here is the code for the search bar:

<?php
/*  Program:  search.php
 *  Desc:  allow search of database.
 */
include ("functions_main.inc");
@$SearchString = htmlentities($_POST['SearchString']);
if ($SearchString == "") {
    echo "Nothing to Search For";
    exit();
}
/* Connect to mysql */
$cxn = Connect_to_db("forumVars.inc");
/* $SearchString is interpolated into the query without SQL escaping. */
/* mysql_error() belongs to the old mysql extension, not mysqli, so it cannot
   report this query's error; mysqli_error($cxn) is the mysqli counterpart. */
$result = mysqli_query($cxn, "SELECT * FROM Post,Thread WHERE body LIKE '%$SearchString%' AND parent_thread=thread.id ORDER BY post.id") or die(mysql_error());
$Numrows = mysqli_num_rows($result);

echo "<h1>Search Results</h1><hr>";
/* find out if it's a bad search */
if ($Numrows == 0) {
    echo "<h4>No results were found</h4>";
} else {
    /* if not print out subject and body of post */
    for ($i = 0; $i < mysqli_num_rows($result); $i++) {
        $row = mysqli_fetch_assoc($result);

        echo '<a href="viewThread.php?threadID='.$row['parent_thread'].'">'
            .$row['subject']."</a><br>\n".$row['body']."<hr>";
    }
}
?>
If anybody could answer it would be most GREAT :D

Re: simple mysql database search. Help

Posted: Mon Aug 18, 2008 3:29 am
by desmi
You need to mysql_real_escape_string() your searchstring.. that search is also very insecure without it..


edit: Just noticed you're using mysqli, check out the corresponding command for it..
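
The fix suggested in the reply above, as an added example that is not part of the thread: the mysqli form of the escaping call, and, going one step beyond the reply, the same search as a prepared statement. Table and column names are taken from the query in the question; the connection values and the function names are placeholders chosen for this example.

```php
<?php
// Added example, not the poster's code. Table and column names come from the
// query in the question; host, user, password and database are placeholders.

// Build the LIKE pattern: backslash-escape %, _ and \ so they match literally.
function like_pattern(string $term): string
{
    return '%' . addcslashes($term, '%_\\') . '%';
}

// Variant 1: keep the string-built query, escape the value for the literal.
function search_escaped(mysqli $cxn, string $term): array
{
    $safe = mysqli_real_escape_string($cxn, like_pattern($term));
    $sql = "SELECT * FROM Post, Thread WHERE body LIKE '$safe' "
         . "AND parent_thread = Thread.id ORDER BY Post.id";
    $result = mysqli_query($cxn, $sql);
    if ($result === false) {
        throw new RuntimeException(mysqli_error($cxn)); // mysqli_*, not mysql_*
    }
    $rows = [];
    while ($row = mysqli_fetch_assoc($result)) {
        $rows[] = $row;
    }
    return $rows;
}

// Variant 2: prepared statement, the value never becomes part of the SQL text.
function search_prepared(mysqli $cxn, string $term): array
{
    $stmt = mysqli_prepare($cxn, "SELECT * FROM Post, Thread WHERE body LIKE ? "
        . "AND parent_thread = Thread.id ORDER BY Post.id");
    if ($stmt === false) {
        throw new RuntimeException(mysqli_error($cxn));
    }
    $pattern = like_pattern($term);
    mysqli_stmt_bind_param($stmt, 's', $pattern);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt); // needs the mysqlnd driver
    $rows = [];
    while ($row = mysqli_fetch_assoc($result)) {
        $rows[] = $row;
    }
    return $rows;
}

// Usage with placeholder credentials; the raw POST value is searched as typed.
$cxn = mysqli_connect('localhost', 'forum_user', 'placeholder', 'forum_db');
$rows = search_prepared($cxn, $_POST['SearchString'] ?? '');
```

Both variants pass the raw search term to the database layer; HTML encoding such as htmlentities() belongs where the rows are echoed into the page, not on the value used in the query.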

Re: simple mysql database search. Help

Posted: Mon Aug 18, 2008 7:53 am
by jwrigh26
Thanks for pointing that out.
Kind of feel dumb. :dubious:
That solved the problem perfectly

Cheers,
Justin