search_result.php
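<?php
include('../georgedb.php');

//Escape a value before it is echoed into the HTML body or into an
//attribute. Everything that came from the client ($_POST) or from the
//database goes through this so that a crafted search text or a stored
//article title cannot inject markup or script into the page.
function escape_html($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

//Read one form field without emitting a notice when it is missing.
//If magic quotes are enabled the value already carries one layer of
//addslashes() escaping; strip it here so that every later consumer
//(SQL escaping, HTML escaping, the hidden fields) sees the raw text
//and nothing is escaped twice. Note: get_magic_quotes_gpc() and the
//mysql_* extension no longer exist in current PHP releases; this page
//keeps them only because the surrounding code depends on them.
function post_value($name) {
    if (!isset($_POST[$name])) {
        return '';
    }
    $value = $_POST[$name];
    return (get_magic_quotes_gpc() == 1) ? stripslashes($value) : $value;
}

//Make a list of column names that are valid. It's a good practice
//not to trust variables passed from a form and this approach makes
//it harder to forge post variables in order to run for example a
//malicious SQL command. Column names cannot be bound as parameters,
//so a whitelist is the only safe way to let the form choose them.
$valid_columns = array('category' => 1,
'date' => 1,
'name' => 1);

$search_column = post_value('search_column');
$search_text = post_value('search_text');
$order_by = post_value('order_by');
$sort_order = post_value('sort_order');

//This is the base query we are building on.
$query = "SELECT * FROM articles";

//-------------------- 1. Add WHERE clause and search text ('%text%')
//The column name is only ever taken from the whitelist above, so it is
//safe to interpolate. The search text is escaped with
//mysql_real_escape_string(), which honours the connection's character
//set; addslashes() does not and is not a SQL escaping function.
//The LIKE value is added inside the same branch as the WHERE keyword:
//appending it when the column was rejected produced a syntactically
//invalid query. LIKE wildcards (% and _) typed by the user are kept as-is.
//Assumes ../georgedb.php has already opened the connection that
//mysql_query() below relies on - confirm.
if (isset($valid_columns[$search_column]) && $valid_columns[$search_column] == 1) {
    $query .= " WHERE {$search_column} LIKE '%" . mysql_real_escape_string($search_text) . "%'";
}

//-------------------- 2. Add ORDER BY clause and ASC/DESC
//Again only whitelisted column names are interpolated. The sort
//direction is appended only together with ORDER BY: a bare " DESC"
//after the table name is not valid SQL. Anything other than "asc"
//sorts descending, as before.
if (isset($valid_columns[$order_by]) && $valid_columns[$order_by] == 1) {
    $query .= " ORDER BY {$order_by}";
    $query .= ($sort_order == "asc") ? " ASC" : " DESC";
}

$result = mysql_query($query);
//A failed query is logged server-side and rendered as "no articles"
//rather than leaking the database error into the page.
if ($result === false) {
    error_log('search_result.php: query failed: ' . mysql_error());
    $row_count = 0;
} else {
    $row_count = mysql_num_rows($result);
}
?>
<html>
<head><title>Search result</title></head>
<body>
<center>
<table border="0" cellspacing="1">
<tr>
<td width="10"></td>
<td width="100"><b><font face="Verdana" size="2">Date</font></b></td>
<td width="315"><b><font face="Verdana" size="2">Title</font></b></td>
<td width="163"><b><font face="Verdana" size="2">Category</font></b></td>
</tr>
<?php
if($row_count == 0) {
?>
<tr>
<td> </td>
<td colspan="3"><font face="verdana" size="2">No articles found...</font></td>
</tr>
</table>
<?php
} else {
//Every database value is HTML-escaped on output; link columns are
//escaped for the attribute context but their scheme is not validated.
while($data = mysql_fetch_assoc($result)) {
?>
<tr>
<td width="10"></td>
<td width="100"><font face="verdana" size="2"><?=escape_html($data['date'])?></font></td>
<td width="315"><font face="verdana" size="2"><a href="<?=escape_html($data['link'])?>" style="color:#000000"><?=escape_html($data['name'])?></a></font></td>
<td width="163"><font face="verdana" size="2"><a href="<?=escape_html($data['catlink'])?>" style="color:#000000"><?=escape_html($data['category'])?></a></font></td>
</tr>
<?php
}
?>
</table>
<form action="search_result.php" method="post" name="sort_form">
<table border="0" cellspacing="1">
<tr>
<td><font face="verdana" size="2">order by </font></td>
<td>
<font face="verdana" size="2">
<select name="order_by">
<option value="category">Category</option>
<option value="date">Date</option>
<option value="name">Title</option>
</select>
</font>
</td>
<td><font face="verdana" size="2"><input type="radio" name="sort_order" value="asc" checked>ascending</font></td>
<td><font face="verdana" size="2"><input type="radio" name="sort_order" value="desc">descending</font></td>
<td><font face="verdana" size="2"><input type="submit" name="submit" value="Sort"></font></td>
</tr>
</table>
<!-- The search parameters are carried over to the sort form; they are
     attribute-escaped so a quote in the search text cannot break out
     of the value attribute. -->
<input type="hidden" name="search_column" value="<?=escape_html($search_column)?>">
<input type="hidden" name="search_text" value="<?=escape_html($search_text)?>">
</form>
<?php
}
?>
</center>
</body>
</html>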