Hi all,
I’ve designed a “Name Finder” script which searches a database of names and returns the results based on the search string entered into a form.
I wanted to make a few changes but am a little stuck and hope somebody can help me.
The following is the current PHP Script:
<?php
$dbHost = '*******';
$dbUser = '*******';
$dbPass = '*******';
$dbDatabase = '*******';
$con = mysql_connect($dbHost, $dbUser, $dbPass) or trigger_error("Failed to connect to MySQL Server. Error: " . mysql_error());
mysql_select_db($dbDatabase) or trigger_error("Failed to connect to database {$dbDatabase}. Error: " . mysql_error());

// Set up error check and result check array
$error = array();
$results = array();

// First check if a form was submitted
if (isset($_GET['search'])) {
    $searchTerms = trim($_GET['search']);
    $searchTerms = strip_tags($searchTerms); // removes any html/javascript.
    if (isset($_GET['searchgender'])) {
        $searchgenderTerms = trim($_GET['searchgender']);
        $searchgenderTerms = strip_tags($searchgenderTerms); // removes any html/javascript.
        if (strlen($searchTerms) < 3) { // Checks search term is longer than 3 characters.
            $error[] = "Search terms must be longer than 3 characters.";
        } else {
            $searchTermDB = mysql_real_escape_string($searchTerms); // Prevents sql injection.
        }
        if (strlen($searchgenderTerms) < 3) { // Checks search term is longer than 3 characters.
            $error[] = "Search terms must be longer than 3 characters.";
        } else {
            $searchgenderTermDB = mysql_real_escape_string($searchgenderTerms); // Prevents sql injection.
        }
    }
    // If there are no errors, search begins...
    if (count($error) < 1) {
        // The Query
        $searchSQL = "SELECT name, gender, meaning, origin FROM names WHERE `name` LIKE '{$searchTermDB}' AND `gender` LIKE '{$searchgenderTermDB}' ";
        $searchResult = mysql_query($searchSQL) or trigger_error("There was an error.<br/>" . mysql_error() . "<br />SQL Was: {$searchSQL}");
        if (mysql_num_rows($searchResult) < 1) {
            $error[] = "Sorry, we have no record of the name<br /> {$searchTerms} ({$searchgenderTerms}).";
        } else {
            $results = array(); // And now display results...
            $i = 1;
            while ($row = mysql_fetch_assoc($searchResult)) {
                $results[] = "Name: <span id=\"result\">{$row['name']}</span><br /> Gender: <span id=\"result\">{$row['gender']}</span><br /> Origin: <span id=\"result\">{$row['origin']}</span><br /> Meaning: <span id=\"result\">{$row['meaning']}</span><br /><br />";
                $i++;
            }
        }
    }
}

function removeEmpty($var) {
    return (!empty($var));
}
?>
The changes I want to make:
- The following part of the above script:
if (strlen($searchTerms) < 3) { // Checks search term is longer than 3 characters.
    $error[] = "Search terms must be longer than 3 characters.";
} else {
    $searchTermDB = mysql_real_escape_string($searchTerms); // Prevents sql injection.
}
This prevents SQL injection. But I want to add a set of 26 links (A-Z) to allow people to click the first letter and bring up a list of names beginning with that letter. I can’t do this with the above code active because such searches would be filtered out. So how do I remove the above piece of code and still prevent SQL injections?
- The code which controls the form and how the results are displayed is as follows:
<html>
<body>
<?php echo (count($error) > 0) ? "<strong>Error</strong>: <br /><span id=\"error\">" . implode("<br />", $error) . "</span><br /><br />" : ""; ?>
<form method="GET" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" name="searchForm">
<strong>Enter a name to find its origin and meaning: </strong>
<input type="text" name="search" value="<?php echo isset($searchTerms) ? htmlspecialchars($searchTerms) : ''; ?>" />
<br /><br />
<strong>Select Gender:</strong>
<select name="searchgender">
<option<?php echo (isset($searchgenderTerms) && $searchgenderTerms == 'Male') ? ' selected="selected"' : ''; ?>>Male</option>
<option<?php echo (isset($searchgenderTerms) && $searchgenderTerms == 'Female') ? ' selected="selected"' : ''; ?>>Female</option>
</select>
<br /><br />
<input type="submit" name="submit" value="Search!" />
</form>
<?php echo (count($results) > 0) ? "You searched for: <span id=\"terms\">" . htmlspecialchars($searchTerms) . " (" . htmlspecialchars($searchgenderTerms) . ")</span> - Here are your results:<br /><br />" . implode("", $results) : ""; ?>
</body>
</html>
I want to change this so that the results are displayed as links instead. For example: I will search for Chris and the results will be displayed as a list of links such as “Chris, Christopher, Christian” and the links (when clicked) provide the full details.
The script can currently be seen in action at the following URL:
I've Got Kids!: Baby Name Finder
I hope somebody can help me make these changes.
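As an added example (not the original poster's code), here is how the same search looks with PDO prepared statements, which replace the mysql_* extension removed in PHP 7. The minimum-length check was never what stopped injection, so it can simply go: parameter binding keeps the query safe whether the input is a single letter from an A-Z link or a full name, the LIKE wildcards are escaped (mysql_real_escape_string leaves % and _ alone), and results come back as links. The `id` column, `details.php` and the connection credentials are assumptions.

```php
<?php
// Added example, not the original poster's code. Assumes a PDO connection ($pdo), the
// `names` table from the post with an assumed `id` column, and a hypothetical details.php.
declare(strict_types=1);
// Escape LIKE metacharacters ('!' is declared as the escape character in the SQL below),
// so a typed "%" or "_" is matched literally rather than widening the search.
function escapeLike(string $s): string {
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $s);
}

// A single letter (from the A-Z links) browses by first letter; anything else is a normal
// prefix search. No minimum length is needed: safety comes from parameter binding below.
function namePattern(string $search): ?string {
    $search = trim(strip_tags($search));
    if ($search === '') {
        return null;
    }
    if (preg_match('/^[A-Za-z]$/', $search)) {
        $search = strtoupper($search);
    }
    return escapeLike($search) . '%';
}

function findNames(PDO $pdo, string $search, string $gender): array {
    $pattern = namePattern($search);
    if ($pattern === null || !in_array($gender, ['Male', 'Female'], true)) {
        return [];
    }
    // The SQL text is fixed; user input travels only as bound values, so quotes in
    // $search cannot alter the statement.
    $stmt = $pdo->prepare("SELECT id, name FROM names WHERE name LIKE :pattern ESCAPE '!'
                           AND gender = :gender ORDER BY name");
    $stmt->execute([':pattern' => $pattern, ':gender' => $gender]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Results as links to a details page; every value is HTML-escaped on output.
function renderLinks(array $rows): string {
    $links = [];
    foreach ($rows as $row) {
        $links[] = sprintf('<a href="details.php?id=%d">%s</a>',
            (int) $row['id'], htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'));
    }
    return implode(', ', $links);
}

$pdo = new PDO('mysql:host=localhost;dbname=names;charset=utf8mb4', 'dbuser', 'dbpass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
echo renderLinks(findNames($pdo, $_GET['search'] ?? '', $_GET['searchgender'] ?? ''));
```

The A-Z links can then simply point at `?search=A&searchgender=Male` and so on, with no special-casing in the query code.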