search with php on my site problem

  • Yousef Altaf
    New Member
    • Jun 2011
    • 22

    Hi everyone, I have a problem with the search on my site. I don't understand why it gives me this error.

    this is my form code

    Code:
    <form action="index.php?cat=search_results&learn_id=1" method="post">
        <div id="topSearchBodyStyle">
            <input type="text" name="search" class="topSearchTextBackground" />
        </div>
        <div id="topSearchButtonStyle">
            <input type="submit" name="submit" class="topSearchButtonBackground" value="" />
        </div>
    </form>
    and this is the page which has the PHP code

    Code:
    <?php

        $getSearch = $_POST['search'];
        // trim() returns the trimmed string; the result has to be assigned back
        $getSearch = trim($getSearch);

        if(!get_magic_quotes_gpc()) {
            $getSearch = addslashes($getSearch);
        }

        $connectToDb = "select * from tutorials where tutorial_title like '%.$getSearch.%'";
        $searchResults = $db->query($connectToDb) or die($db->error);
        if ($searchResults){
            $numResultas = $searchResults->num_rows;
            echo "<p>Found : " . $numResultas . "</p>";
            while($row = mysqli_fetch_array($searchResults)) {
                echo $row['tutorial_title'];
            }
        }else{
            echo "cant connect";
        }
    ?>

    Any idea why it gives me this notice about "Undefined index: search" and why the result count comes out as "0"?

    Thanks to you all.
  • Atli
    Recognized Expert
    • Nov 2006
    • 5062

    #2
    Hey.

    Your SQL query string would be the problem:
    Code:
    "select * from tutorials where tutorial_title like '%.$getSearch.%'"
    More specifically, this part: '%.$getSearch.%'

    The end result, assuming $getSearch turns out to be, say: "hello world", would be:
    Code:
    "select * from tutorials where tutorial_title like '%.hello world.%'"
    Do you see the problem there? The two dots, which you probably meant to be used to concat the variable to the string, are actually a part of the string and are therefore corrupting the search terms.

    You need to remove the dots, or close the string before and after them.


    Also, on another topic. The addslashes function is NOT enough to properly escape user input that is going into a MySQL query. Rather than checking if magic quotes are disabled and adding slashes, you should be checking whether it is ON and removing the slashes. - The magic_quotes feature has already been removed from the latest PHP version, PHP 5.4. It shouldn't be used.

    To properly escape user input bound for a MySQL query, use either the mysql_real_escape_string function if you are using the old MySQL extension, or the mysqli::real_escape_string method/function if you are using the Improved MySQL extension.

    Or better yet, if you are using the Improved MySQL extension or PDO, use prepared statements instead. They are FAR safer than escaping the input.


    • Yousef Altaf
      New Member
      • Jun 2011
      • 22

      #3
      Thanks a lot to you, brother Atli. I'm happy that I got your reply. First, I fixed my MySQLi query two days ago, but I didn't take care about addslashes and magic_quotes. Thanks a lot for the information. I have updated my code to be something like that.

      Code:
      $getSearch = clean_text($_POST['search']);
      and the function will be this.

      Code:
      function clean_text($text='')
      {
          $text=trim($text);
          $text=strip_tags($text);
          $text=addslashes($text);
          $text=htmlspecialchars($text);
          return $text;
      }
      thanks for replying to me and thanks a lot for the info.

      regards
      Yousef Altaf
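The following is an added example that is not code from either poster; it pulls together Atli's two points (the literal dots in the double-quoted pattern, and using a prepared statement instead of addslashes) and the clean_text() function from post #3, which mixes database escaping with HTML escaping. The table `tutorials` and column `tutorial_title` are taken from the thread; the connection values are placeholders, and it assumes the mysqlnd driver so that mysqli_stmt::get_result() is available.

```php
<?php
// Added example, not the thread's own code. Assumes table `tutorials`
// with column `tutorial_title`; host/user/password/database are placeholders.
declare(strict_types=1);

// 1. The bug from post #1: inside a double-quoted PHP string the dots are
//    literal characters, so the LIKE pattern becomes '%.hello world.%'.
function broken_pattern(string $term): string
{
    return "%.$term.%";
}

// The concatenation the poster meant: close the string around the variable.
function fixed_pattern(string $term): string
{
    return '%' . $term . '%';
}

// 2. Reading the term without an "Undefined index: search" notice: $_POST has
//    no 'search' key when the page is opened with a plain GET request.
function read_search_term(array $post): ?string
{
    if (!isset($post['search']) || !is_string($post['search'])) {
        return null;
    }
    $term = trim($post['search']);
    return $term === '' ? null : $term;
}

// 3. Search with a mysqli prepared statement. The wildcards travel inside the
//    bound value, never inside the SQL text, so quotes in $term cannot change
//    the query. LIKE still treats '%' and '_' in the input as wildcards, so
//    they are backslash-escaped here to get a literal match.
function search_tutorials(mysqli $db, string $term): array
{
    $pattern = '%' . addcslashes($term, '%_\\') . '%';

    $stmt = $db->prepare(
        'SELECT tutorial_title FROM tutorials WHERE tutorial_title LIKE ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $result = $stmt->get_result();

    $titles = [];
    while ($row = $result->fetch_assoc()) {
        $titles[] = $row['tutorial_title'];
    }
    $stmt->close();
    return $titles;
}

// 4. HTML escaping belongs at output time. Doing addslashes() and
//    htmlspecialchars() on the way in (as clean_text() does) alters what is
//    searched for and stored, while the database is protected by the bound
//    parameter above, not by the slashes.
function render_results(array $titles): string
{
    $html = '<p>Found : ' . count($titles) . '</p>';
    foreach ($titles as $title) {
        $html .= '<p>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    return $html;
}

// Usage: placeholders for the connection details.
$term = read_search_term($_POST);
if ($term === null) {
    echo '<p>Enter a search term.</p>';
    exit;
}
$db = new mysqli('db-host', 'db-user', 'db-password', 'db-name');
$db->set_charset('utf8mb4');
echo render_results(search_tutorials($db, $term));
```

With this layout the search term is passed to MySQL exactly as typed, a title such as `O'Reilly` is found by searching for `O'`, and a title containing `<script>` is shown harmlessly because the escaping happens once, at the point where the value is written into HTML.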
