Code: Select all
include "dataLib.php";
// *check username is safe*
$username = 0;
$username = check_alphanum($_SESSION['username']);
// *check userlevel is safe*
$userlevel = 0;
$userlevel = check_int($_SESSION['userlevel']);
// *check memberID is safe*
$memberID = 0;
$memberID = check_int($_SESSION['memberID']);
// CONNECT TO DB (Global Function)
$dbConn = 0;
$dbConn = connectToDB();
// *check username is safe*
$commonName = 0;
$commonName = check_string($_POST['commonName']);
$species = 0;
$species = check_string($_POST['species']);
$genus = 0;
$genus = check_string($_POST['genus']);
$categoryID = 0;
$categoryID = check_int($_POST['category']);
$authorID = 0;
$authorID = check_int($_POST['author']);
$category = 0;
$category = check_string(read_cat($categoryID));
$author = 0;
$author = check_string(read_cat($authorID));
$sql = "SELECT * FROM profile WHERE MATCH (commonName, species, genus) AGAINST ('$commonName $species $genus')";
$result = $result = mysql_query($sql, $dbConn) or die (mysql_error());
$numrows = mysql_num_rows($result); // Number of rows returned from above query.
if ($numrows < 1)
{
echo 'No results were found matching your query: <br />';
echo 'Common Name: '.$commonName;
}
while($row = mysql_fetch_object($result))
{
echo '<p>';
echo 'Common Name: '.$row->commonName.'<br />';
echo 'Scientific name: '.$row->genus.' '.$row->species.'<br />';
echo '</p>';
}Code: Select all
function make_safe($var)
{
$var = mysql_real_escape_string($var);
$var = addslashes(trim($var));
return $var;
}
// *integer checking*
function check_int($var)
{
if (ctype_digit($var))
{
return make_safe($var);
}
else
{
return NULL;
session_write_close();
header("Location: " . $login);
}
}
// *alpha numeric checking*
function check_alphanum($var)
{
if (ctype_alnum($var))
{
return make_safe($var);
}
else
{
return NULL;
session_write_close();
header("Location: " . $login);
}
}
// *string checking*
function check_string($var)
{
if (ctype_alpha($var))
{
return make_safe($var);
}
else
{
return NULL;
session_write_close();
header("Location: " . $login);
}
}Is the code secure?
Is the code as quick as it can be - including the SQL?
Also.. that search works fine if you put a full name in (i.e. a common name like 'Molly'), but doesn't work if you put 'Mol'. Is there any way I can do a wildcard search using full text indexing?
And, what is the quickest way to bring up a full set of results from a table? Simply SELECT * FROM table?
Regards,
Duncan