Php/mysql search feature showing all items

laflair13 · March 4, 2015, 6:38pm

I have a search area on my site and when I put in a search keyword, the results.php page has every item on it. I have searched and searched and I cannot figure out why it is doing it.

Any help would be greatly appreciated.

search form

<form id="search-form123" action="results.php" method="POST">
     <div class="offlajn-ajax-search-inner">
          <input type="text" name="keyword" id="search-area123" value="" autocomplete="off" placeholder="Search Here...">
          <input type="submit" name="Submit" value="Search" id="search-area123">
          <input type="hidden" name="Submit" value="com_search">
 </form>

results.php (at the top)

    <?php 
include_once('mysql_connect.php');

if (!isset($_POST['search'])) 
$keyword = $_POST['search'];
$search_sql="SELECT * FROM new_equip WHERE itemname LIKE  '%" .$keyword. "%'";
$search_query=mysql_query($search_sql);
if(mysql_num_rows($search_query)!=0)  {
$search_rs=mysql_fetch_assoc($search_query);
}

$eid = $row['id'];
$itemname = $row['itemname'];
$model = $row['model'];
$manufactuer = $row['manufactuer'];
$desc = $row['desc'];
$imagename = $row['image'];

?>

where results are displayed

    <?php if (mysql_num_rows($search_query)!=0){ do {?>
     <p><a href="new-product.php?Item=<?php echo $search_rs['id']; ?>"><?php echo $search_rs ['itemname']?></a></p>
<?php } while ($search_rs=mysql_fetch_assoc($search_query)) ;
    	    } else { echo "No Results Found";
   } ?>

SpacePhoenix · March 4, 2015, 7:12pm

Your script is wide open to SQL Injection attack as it allows user-submitted data near the database without having first being sanitized/validated and escaped.

Also you need to be aware that the mysql_* extension was deprecated as of version 5.5 of PHP and is being removed from version 7 (the next version). You should be now using either the mysqli_* extension or PDO and in either case you should be making use of prepared statements whenever you’re dealing with user submitted data

laflair13 · March 4, 2015, 7:17pm

Appreciate the info. I am learning mysqli now so that I can switch my entire site over. Is there anyway you can point me to where I can learn how to fix this?

laflair13 · March 5, 2015, 3:28am

I was able to figure it out using mysqli. Took a lot of trial and error but it paid off.

droopsnoot · March 5, 2015, 12:06pm

Mysql comments aside, and noting that you’ve already fixed it, surely this line

if (!isset($_POST['search']))
$keyword = $_POST['search'];

should read

if (isset($_POST['search']))
$keyword = $_POST['keyword'];

as that’s how you’ve named the text box in your input form. But, you’re surely missing an open-brace to make the entire query section conditional on the $POST contents?

Also having multiple page elements with the same CSS id may well be asking for trouble, ids should be unique on the page.

system · June 4, 2015, 7:19pm

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.