2 Replies - 381 Views - Last Post: 10 October 2012 - 06:06 AM

#1 c9-adams

Posted 09 October 2012 - 01:18 PM

Hi guys, I am currently trying to use a search function for my website. I have attached my file containing the code which I have tried so far. Feedback would be greatly appreciated.

<?php # search.inc.php

/* 
 *	This is the search content module.
 *	This page is included by index.php.
 *	This page expects to receive $_GET['terms'].
 */

// Redirect if this page was accessed directly:
if (!defined('BASE_URL')) {

	// Need the BASE_URL, defined in the config file:
	require_once ('../includes/config.inc.php');
	
	// Redirect to the index page:
	$url = BASE_URL . 'index.php?p=search';
	header("Location: $url");
	exit(); // Quit the script.

} // End of the defined() IF.

// Change the fields below as per the requirements
$db_host="localhost";
$db_username="root";
$db_password="<snipped>";
$db_name="search";
$db_tb_name="search";
$db_tb_atr_name="keywords";
 
//Now we are going to write a script that will do search task
// leave the below fields as it is except while loop, which will display results on screen
 
mysql_connect("$db_host","$db_username","$db_password");
mysql_select_db("$db_name");
 
// Escapes quotes for the SQL string; note it does NOT escape the LIKE wildcards % and _
$query=mysql_real_escape_string($_GET['terms']);
 
$query_for_result=mysql_query("SELECT * FROM $db_tb_name WHERE $db_tb_atr_name like '%".$query."%'");

echo "<h2>Search Results</h2><ol>";
while($data_fetch=mysql_fetch_array($query_for_result))
{
    echo "<li>";
    // First 160 characters of the matched keywords column, echoed as-is (not HTML-escaped)
    echo substr($data_fetch[$db_tb_atr_name], 0,160);
    echo "</li><hr/>";
}
echo "</ol>";
 
mysql_close();
?>


This post has been edited by Atli: 09 October 2012 - 01:26 PM
Reason for edit:: Please post code in [code] tags, rather than attach it.



Replies To: Search

#2 Atli

Re: Search

Posted 09 October 2012 - 01:53 PM

Here are a few tips.

  • You are ignoring the return values for the mysql_connect and mysql_select_db calls. If they fail, then what? Your current script would just plow on, creating more problems seeing as the rest of the code depends on a MySQL connection to work.

    Always check the return values of functions!
    if (!mysql_connect($db_host,$db_username,$db_password) ||
        !mysql_select_db($db_name)) {
        trigger_error(mysql_error(), E_USER_ERROR);
    }
    
    

    Assuming error reporting is enabled - as it should always be on a development server - this will print out the error and stop the script in case the connection fails to be created.

  • Likewise, you are not properly checking the return value of the mysql_query call. If it fails, then it will return false. If that happens and you pass it directly into the mysql_fetch_array function, that will also fail, and print a warning as well. (Again, assuming error reporting is enabled.) - Make sure that you check the $query_for_result before you use it!

  • You are using the $_GET['terms'] value before you check to see if it actually exists. Never, ever assume that user input exists. It must always be checked first, using either isset() or empty().
    if (!empty($_GET['terms'])) {
        // Do the search.
    } else {
        // Print an error.
    }
    
    


  • As you may have noticed, in my first example I removed the quotes around the variables. You shouldn't enclose variables in quote marks unless they are meant to be a part of a larger string.

  • Avoid using * in your SELECT queries. It usually returns more data than is needed. Instead always try to list the columns you need, and only the columns you need. In your case, that would be the column specified by the $db_tb_atr_name variable. SELECT `$db_tb_atr_name`.

  • Note as well the back-ticks I put around the variable there. Those are used to enclose MySQL identifiers that use characters that are not normally allowed in identifier names. I suggest you always use them when you are using identifiers from unreliable sources, like PHP variables.


Oh, and I should probably also add the obligatory note about how outdated the old MySQL API functions are. I highly recommend you move on to using PDO or MySQLi instead. (The procedural version of MySQLi is not all that different from the MySQL API functions. I suggest you check those out first.)
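The points in the reply above (check return values, check that the input exists, select only the needed column, quote identifiers, move to PDO or MySQLi) combined into one module. This is an added example, not code from the original post or from the reply: it does the same job as the poster's search.inc.php (search the `keywords` column of the `search` table for a term taken from $_GET['terms']) but with PDO prepared statements, explicit error handling, escaping of the LIKE wildcards that mysql_real_escape_string() leaves alone, and HTML escaping on output. The table and column names come from the original post; the DSN, the `search_ro` user and its password are placeholders.

```php
<?php
// search_hardened.inc.php -- added example, not the poster's or the reply's own code.
// Table/column names (`search`.`keywords`) are taken from the original post;
// the DSN, user name and password below are placeholders (assumption).
declare(strict_types=1);

// Identifiers cannot be bound as parameters, so the table/column pair is
// taken from a fixed whitelist instead of from a variable. Back-ticks only
// quote an identifier; they do not make an untrusted one safe.
const ALLOWED_COLUMNS = ['search' => ['keywords']];

function connect(): PDO
{
    // Placeholder credentials (assumption); a real deployment reads them from
    // config.inc.php and does not run the web application as root.
    return new PDO(
        'mysql:host=localhost;dbname=search;charset=utf8mb4',
        'search_ro',
        'change-me',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // no silent "false" returns
            PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
        ]
    );
}

function searchKeywords(PDO $pdo, string $table, string $column, string $terms, int $limit = 50): array
{
    if (!isset(ALLOWED_COLUMNS[$table]) || !in_array($column, ALLOWED_COLUMNS[$table], true)) {
        throw new InvalidArgumentException('Unknown table/column');
    }

    // The search term is data, so it goes in as a bound parameter. '%' and '_'
    // are LIKE wildcards, so they are escaped with an explicit ESCAPE character;
    // a term such as "100%" is then matched literally instead of matching everything.
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $terms);

    // Only the needed column, identifiers from the whitelist above, LIMIT as an integer.
    $sql = sprintf(
        'SELECT `%s` FROM `%s` WHERE `%s` LIKE :term ESCAPE \'!\' LIMIT %d',
        $column, $table, $column, $limit
    );

    $stmt = $pdo->prepare($sql);                      // throws PDOException on failure
    $stmt->execute([':term' => '%' . $escaped . '%']); // likewise
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function renderResults(array $rows): string
{
    $html = '<h2>Search Results</h2><ol>';
    foreach ($rows as $keyword) {
        // Database content is untrusted on the way out as well: escape before echoing.
        $snippet = mb_substr($keyword, 0, 160, 'UTF-8');
        $html .= '<li>' . htmlspecialchars($snippet, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</li>';
    }
    return $html . '</ol>';
}

// Request handling, mirroring the original module's contract ($_GET['terms']).
// Never assume the parameter exists, or that it is a string ("?terms[]=x" makes it an array).
if (!isset($_GET['terms']) || !is_string($_GET['terms']) || trim($_GET['terms']) === '') {
    echo '<p>Please enter a search term.</p>';
    exit;
}

try {
    $rows = searchKeywords(connect(), 'search', 'keywords', $_GET['terms']);
    echo renderResults($rows);
} catch (PDOException $e) {
    // Log the driver message for the developer; show the user nothing from it.
    error_log('search failed: ' . $e->getMessage());
    http_response_code(500);
    echo '<p>Search is temporarily unavailable.</p>';
}
```

With ERRMODE_EXCEPTION every failed connect, prepare or execute raises instead of returning false, so the "check the return value" advice becomes a single try/catch; the driver's error text is logged rather than printed, which is what you want on a production server where error reporting is off. The whitelist plus sprintf handles the one thing a prepared statement cannot do (bind a table or column name), and the ESCAPE clause fixes the wildcard problem that escaping quotes alone does not address.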

#3 c9-adams

Re: Search

Posted 10 October 2012 - 06:06 AM

Thank you.
