Yesterday I made a PHP script so that I can store all my ebooks in the database and easily access them (and of course search them). The search engine works fine for any book whose title DOESN'T CONTAIN any kind of quotes, single (') or double (").
This is the search function:
Code:
<?php
function searchTheDatabase($what) {
    print("You searched for: <b><i>$what</i></b><br>\n");
    // quotes in the search term are escaped with addslashes() before building the query
    $query = "SELECT * FROM ebooks WHERE bookName LIKE '%".addslashes($what)."%' ORDER BY bookName ";
    $dbResult = mysql_query($query);
    if(!$dbResult) {
        print("<br />A Database Error Has Occurred!<br />\n");
        print("Query Used: <b>$query</b><br />\n");
        print("MySQL Replied: <b>".mysql_error()."</b><br />\n");
    }
    else {
        print("<ul>\n");
        while($row = mysql_fetch_row($dbResult)) {
            $bookID=$row[0];
            $bookName=$row[1];
            $bookSize=$row[2];
            $cdVol=$row[3];
            // the inner double quotes must be escaped inside a double-quoted PHP string
            print(" <li>$bookID. <b>".stripslashes($bookName)."</b> (<font color=\"Brown\"><b>$bookSize</b></font> KB) [CD Vol. <font color=\"#993366\"><b>$cdVol</b></font>]</li>\n");
        }
        print("</ul>\n");
        if(!mysql_num_rows($dbResult)) {
            print("Query Used: $query<br />\n");
            print("Nothing found \n");
        }
    }
}
?>
Code:
<form method="post" action="search.php">
Search The Book Title: <input type="text" name="what" /><br />
<input type="submit" name="searchTheDB" value="Search" /> <input type="reset" />
</form>
Code:
<?php
if(isset($_POST['searchTheDB'])) {
    print("<hr />\n");
    // the inner double quotes must be escaped inside a double-quoted PHP string
    print("<p class=\"head\"><b>Search Results</b></p>\n");
    searchTheDatabase($_POST['what']);
}
?>
The book names are stored in the database with the slashes added (I have used the addslashes() function).
Code:
You searched for: O''Reilly
Query Used: SELECT * FROM ebooks WHERE bookName LIKE '%O\\''Reilly%' ORDER BY bookName
Nothing found
If I try the query WITHOUT the addslashes() function...
Code:
<?php
$query = "SELECT * FROM ebooks WHERE bookName LIKE '%".$what."%' ORDER BY bookName ";
?>
Code:
You searched for: O''Reilly
Query Used: SELECT * FROM ebooks WHERE bookName LIKE '%O''Reilly%' ORDER BY bookName
Nothing found
PS. Sorry for my bad English, and thanks a lot to anyone who may provide any help.
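An added example, not the poster's code, of the same title search written with a bound parameter instead of addslashes(): the driver quotes the value, so titles containing single or double quotes are stored and matched exactly as typed, and the LIKE wildcards are escaped separately so a search for "100%" is taken literally. It uses PDO with an in-memory SQLite database so it runs stand-alone; the table and the sample titles are constructed here.

```php
<?php
// Added example (not the poster's code). Store titles unescaped and search with a
// bound parameter; PDO + in-memory SQLite so it runs without a MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE ebooks (bookID INTEGER PRIMARY KEY, bookName TEXT, bookSize INTEGER, cdVol INTEGER)");

// Constructed sample rows. No addslashes(): the driver handles quoting on insert.
$insert = $db->prepare("INSERT INTO ebooks (bookName, bookSize, cdVol) VALUES (?, ?, ?)");
$samples = [
    ["O'Reilly PHP Cookbook", 2048, 3],
    ['Learning "C" the Hard Way', 1024, 1],
    ['100% SQL', 512, 2],
];
foreach ($samples as $row) {
    $insert->execute($row);
}

// Escape the LIKE wildcards (% and _) and the escape character itself, so that
// user input is matched as literal text inside the pattern.
function escapeLikePattern(string $s, string $esc = '\\'): string
{
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $s);
}

// Returns matching rows; the search term travels as a parameter, never as SQL text.
function searchTheDatabase(PDO $db, string $what): array
{
    $stmt = $db->prepare("SELECT bookID, bookName, bookSize, cdVol FROM ebooks
                          WHERE bookName LIKE :pattern ESCAPE '\\' ORDER BY bookName");
    $stmt->execute([':pattern' => '%' . escapeLikePattern($what) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Escape for HTML only at display time; the database holds the plain text.
foreach (["O'Reilly", '"C"', '100%', "' OR 1=1 --"] as $term) {
    $rows = searchTheDatabase($db, $term);
    printf("You searched for: %s -> %d hit(s)\n", htmlspecialchars($term, ENT_QUOTES), count($rows));
    foreach ($rows as $r) {
        printf("  %d. %s (%d KB) [CD Vol. %d]\n",
            $r['bookID'], htmlspecialchars($r['bookName'], ENT_QUOTES), $r['bookSize'], $r['cdVol']);
    }
}
```

The first three searches each find one title and the last finds none; with MySQL the same code works by swapping the DSN, since mysql_query() builds the query from a string while a prepared statement sends the term separately.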
