A Question about searching a MySQL database..
Posted: Sat Jun 21, 2003 1:12 pm
hello people.. thanx for taking time to read this 
Yesterday I made a PHP script so that I can store all my ebooks in the database, so I can easily access them (and of course search them). The search engine is working fine for any books whose title DOESN'T CONTAIN any kind of quotes, single (') or double (").
This is the search function:
Code: Select all
<?php
// Searches the ebooks table for titles containing $what and prints the matches.
function searchTheDatabase($what) {
    // $what is printed as received, without HTML escaping
    print("You searched for: <b><i>$what</i></b><br>\n");
    $query = "SELECT * FROM ebooks WHERE bookName LIKE '%".addslashes($what)."%' ORDER BY bookName ";
    $dbResult = mysql_query($query);
    if(!$dbResult) {
        print("<br />A Database Error Has Occured!<br />\n");
        print("Query Used: <b>$query</b><br />\n");
        print("MySQL Replied: <b>".mysql_error()."</b><br />\n");
    }
    else {
        print("<ul>\n");
        while($row = mysql_fetch_row($dbResult)) {
            $bookID=$row[0];
            $bookName=$row[1];
            $bookSize=$row[2];
            $cdVol=$row[3];
            // Inner double quotes are escaped so the string literal parses
            print(" <li>$bookID. <b>".stripslashes($bookName)."</b> (<font color=\"Brown\"><b>$bookSize</b></font> KB) [CD Vol. <font color=\"#993366\"><b>$cdVol</b></font>]</li>\n");
        }
        print("</ul>\n");
        if(!mysql_num_rows($dbResult)) {
            print("Query Used: $query<br />\n");
            print("Nothing found \n");
        }
    }
}
?>
The form that is used is:
Code: Select all
<form method="post" action="search.php">
    Search The Book Title: <input type="text" name="what" /><br />
    <input type="submit" name="searchTheDB" value="Search" /> <input type="reset" />
</form>
When the form is parsed the following code is executed:
Code: Select all
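<?php
// Runs the search only when the form's submit button was posted
if(isset($_POST['searchTheDB'])) {
    print("<hr />\n");
    print("<p class=\"head\"><b>Search Results</b></p>\n");
    searchTheDatabase($_POST['what']);
}
?>
The booknames are stored in the database with the slashes added (have used the addslashes() function).
As I said, the problem is when I try to search for something that contains quotes, e.g. when I type O'Reilly the following message appears:
You searched for: O''Reilly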
Query Used: SELECT * FROM ebooks WHERE bookName LIKE '%O\\''Reilly%' ORDER BY bookName
Nothing found
If I try the query WITHOUT the addslashes() function..
Code: Select all
<?php
$query = "SELECT * FROM ebooks WHERE bookName LIKE '%".$what."%' ORDER BY bookName ";
?>
once again the script fails and the following message appears:
You searched for: O''Reilly
Query Used: SELECT * FROM ebooks WHERE bookName LIKE '%O''Reilly%' ORDER BY bookName
Nothing found
PS. Sorry for my bad English, and thanx a lot to anyone who may provide any help
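An added example, not part of the original post: the same store-and-search flow with bound parameters, so a title such as O'Reilly is stored and matched exactly as typed, with no addslashes() on the way in and no stripslashes() on the way out. It assumes PDO with an in-memory SQLite database standing in for the MySQL server; the sample rows and the likeLiteral() and h() helpers are constructed for illustration.

```php
<?php
// Added example. Assumptions: PDO with an in-memory SQLite database stands in
// for the MySQL server; the sample rows below are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ebooks (bookID INTEGER PRIMARY KEY, bookName TEXT, bookSize INTEGER, cdVol INTEGER)');

// Store titles exactly as typed: the value is bound, never spliced into the SQL.
$insert = $pdo->prepare('INSERT INTO ebooks (bookName, bookSize, cdVol) VALUES (?, ?, ?)');
foreach ([["O'Reilly PHP Cookbook", 2048, 1], ['The "C" Language', 900, 2], ['100% MySQL', 512, 2]] as $row) {
    $insert->execute($row);
}

// Hypothetical helper: make %, _ and the escape character itself literal in a LIKE pattern.
function likeLiteral(string $term): string {
    return strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']);
}

function searchTheDatabase(PDO $pdo, string $what): array {
    $stmt = $pdo->prepare(
        "SELECT bookID, bookName, bookSize, cdVol FROM ebooks
         WHERE bookName LIKE ? ESCAPE '!' ORDER BY bookName"
    );
    // Only the surrounding % signs act as wildcards; the search term is literal.
    $stmt->execute(['%' . likeLiteral($what) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hypothetical helper: escape for HTML at output time only, never before storing.
function h($s): string {
    return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8');
}

foreach (["O'Reilly", '"C"', '100%', 'Perl'] as $what) {
    echo 'You searched for: <b><i>' . h($what) . "</i></b><br />\n";
    $rows = searchTheDatabase($pdo, $what);
    if (!$rows) {
        echo "Nothing found<br />\n";
        continue;
    }
    echo "<ul>\n";
    foreach ($rows as $r) {
        echo ' <li>' . h($r['bookID']) . '. <b>' . h($r['bookName']) . '</b> ('
           . h($r['bookSize']) . ' KB) [CD Vol. ' . h($r['cdVol']) . "]</li>\n";
    }
    echo "</ul>\n";
}
```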