
I am doing a project where I want a person to enter the name of any artist/band into a text box where it will search my mysql database for the event information and display the results/content on another page. The code below is within my index.php where it should get the information from search.php (below also). I've looked all over and I'm not sure why it's not working and I can't figure out what to do. Help would be great! (I really need to pass this class!) :)

(index.php)

<form name="search" action="search.php" method="get">
    <div align="center"><input type="text" name="q" />
    <p><input type="submit" name="Submit" value="Search" /></p></div>
</form>

(search.php)

<?php

//Get the search variable from URL

$var=@&_GET['q'];
$trimmed=trim($var); //trim whitespace from the stored variable

//rows to return
$limit=10;

//check for an empty string and display a message.
if($trimmed=="")
    {
    echo"<p>Please enter a name.</p>";
    exit;
    }

//check for a search parameter
if(!isset($var))
    {
    echo"<p>We don't seem to have a search parameter!</p>";
    exit;
    }

//connect to database
mysql_connect("localhost","root","password");

//specify database
mysql_select_db("itour") or die("Unable to select database");

//Build SQL Query
$query = "select * from events where artist_name like \"%trimmed%\" order by date";

$numresults=mysql_query($query);
$numrows=mysql_num_rows(numresults);

//If no results, offer a google search as an alternative

if ($numrows==0)
    {
    echo"<h3>Results</h3>";
    echo"<p>Sorry, your search: &quot;" .$trimmed . "&quot; returned zero results</p>";

    //google
    echo"<p><a href=\"http://www.google.com/search?q=".$trimmed . "\" target=\"_blank\" title=\"Look up ".$trimmed ." on Google\">
    Click here</a> to try the search on google</p>";
    }

//next determine if s has been passed to script, if not use 0
if(empty($s)) {
    $s=0;
    }

//get results
$query .=" limit $s,$limit";
$result = mysql_query($query) or die("Couldn't execute query");

//display what was searched for
echo"<p>You searched for: &quot;" .$var . "&quot;</p>";

//begin to show results set
echo "Results";
$count = 1 + $s;

//able to display the results returned
while ($row=mysql_fetch_array($result)) {
$title = $row["artist_name"];

echo"$count.)&nbsp;$title";
$count++;
}

$currPage = (($s/$limit) + 1;

echo"<br  />";

//links to other results
if ($s>=1){
    //bypass PREV link if s is 0
    $prevs=($s-$limit);
    print"&nbsp;<a href=\"$PHP_SELF?s=$prevs&q=$var\">&lt;&lt;
    Prev 10</a>&nbsp;&nbsp;";
}

//calculate number of pages needing links
$pages = intval($numrows/$limit);

//$pages now contains int of pages needed unless there is a remainder from diviison

if($numrows%$limit){
//has remainder so add one page
$pages++;
}

//check to see if last page
if (!((($s+$limit)/$limit)==$pages) && $pages!=1){

//not last page so give NEXT link
$news = $s+$limit;

echo "&nbsp;<a href=\"$PHP_SELF?s=$news&q=$var\">Next 10 &gt;&gt;</a>";
}

$a = $s +($limit);
if($a > $numrows){$a = $numrows;}
$b = $s + 1;
echo "<p>Showing results $b to $a of $numrows</p>";

?>
  • for some reason this didn't show up... (index.php) <form name="search" action="search.php" method="get"> <div align="center"><input type="text" name="q" /> <p><input type="submit" name="Submit" value="Search" /></p></div> </form> Commented May 5, 2009 at 19:06
  • Please edit this so that the code looks like code: use the little 1010 button above your edit box and indent 4 spaces. Commented May 5, 2009 at 19:13
  • Connecting to database as root, huge SQL injection vulnerability, delicious. Commented May 5, 2009 at 19:16
  • @Chad If this is for an undergraduate class or something, I doubt security is the main concern. Commented May 5, 2009 at 19:26
  • Security should be taught from Day 1 IMHO Commented May 7, 2009 at 2:16

6 Answers

2

Your where clause is goofy...try changing it to:

WHERE artist_name like '%$trimmed%'

Just putting trimmed will be interpreted literally as the string "trimmed". However, using the variable $trimmed in your double-quoted string will give the actual variable's value.


Comments

1
$query = "select * from events where artist_name like '%$trimmed%' order by date";

Comments

1

In order to use the variable $trimmed in a query, escape it first. Otherwise, your script will be vulnerable to SQL injection attacks, and attackers will be able to run almost any query against your database. This problem is exacerbated by the fact that you are connecting to MySQL as root. Never ever do this in a production environment.

Also, to expand a variable in a string, you should include the $ character before the variable name.

$trimmed = trim($var);
$escaped = mysql_real_escape_string($trimmed);
$query = "select * from events where artist_name like \"%$escaped%\" order by date";

Comments

1

Your code still looks all over the place. I think the main reason it wasn't working was the mixing of " and '. You need to escape variables before you use them in your query. mysql_real_escape_string is the lowest form of escaping you should be using. I'd recommend you have a look at PDO though.

<?php

//check for a search parameter before reading it, so a missing ?q= does not raise a notice
if(!isset($_GET['q'])){
    echo "<p>We don't seem to have a search parameter!</p>";
    exit;
}

//Get the search variable from URL
$var = $_GET['q'];
$trimmed = trim($var); //trim whitespace from the stored variable

//rows to return
$limit = 10;

//page offset from URL; cast to int so nothing but a number can reach the LIMIT clause
$s = isset($_GET['s']) ? (int) $_GET['s'] : 0;
if($s < 0){
    $s = 0;
}

//check for an empty string and display a message.
if($trimmed == "") {
    echo "<p>Please enter a name.</p>";
    exit;
}

//connect to database (mysql_real_escape_string needs an open connection, so connect first)
mysql_connect("localhost","root","password") or die("Unable to connect to database");

//specify database
mysql_select_db("itour") or die("Unable to select database");

//escape the search term for use inside the SQL string literal
$escaped = mysql_real_escape_string($trimmed);

//Build SQL Query (the LIKE pattern has to be a quoted string literal)
$query = "SELECT * FROM events WHERE artist_name LIKE '%$escaped%' ORDER BY `date`";

$numresults = mysql_query($query) or die("Couldn't execute query");
$numrows = mysql_num_rows($numresults);

//HTML-escaped copy of the term for output, so the page never echoes raw user input
$safeVar = htmlspecialchars($var, ENT_QUOTES, 'UTF-8');

//If no results, offer a google search as an alternative

if ($numrows==0){
    echo "<h3>Results</h3>";
    echo "<p>Sorry, your search: &quot;" .$safeVar . "&quot; returned zero results</p>";

    //google
    echo "<p><a href=\"http://www.google.com/search?q=".urlencode($trimmed) . "\" target=\"_blank\" title=\"Look up ".$safeVar ." on Google\">
    Click here</a> to try the search on google</p>";
}

//get results
$query .= " LIMIT $s,$limit";
$result = mysql_query($query) or die("Couldn't execute query");

//display what was searched for
echo "<p>You searched for: &quot;" .$safeVar . "&quot;</p>";

//begin to show results set
echo "Results";
$count = 1 + $s;

//able to display the results returned
while ($row = mysql_fetch_array($result)) {
    $title = htmlspecialchars($row['artist_name'], ENT_QUOTES, 'UTF-8');

    echo $count.'&nbsp;'.$title;
    $count++;
}

$currPage = ($s/$limit) + 1;

echo "<br>";

//script URL and URL-encoded term for the paging links
$self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
$qparam = urlencode($var);

//links to other results
if ($s>=1){
    //bypass PREV link if s is 0
    $prevs=($s-$limit);
    echo '&nbsp;<a href="'.$self.'?s='.$prevs.'&amp;q='.$qparam.'">&lt;&lt;';
    echo 'Prev 10</a>&nbsp;&nbsp;';
}

//calculate number of pages needing links
$pages = intval($numrows/$limit);

//$pages now contains int of pages needed unless there is a remainder from division

if($numrows%$limit){
    //has remainder so add one page
    $pages++;
}

//check to see if last page
if (!((($s+$limit)/$limit)==$pages) && $pages!=1){

    //not last page so give NEXT link
    $news=$s+$limit;

    echo '&nbsp;<a href="'.$self.'?s='.$news.'&amp;q='.$qparam.'">Next 10 &gt;&gt;</a>';
}

$a = $s +($limit);
if($a > $numrows){$a = $numrows;}
$b = $s + 1;
echo '<p>Showing results '.$b.' to '.$a.' of '.$numrows.'</p>';

?>

Comments

0

You are missing a $ symbol. I think

$var=@&_GET['q'];

should probably be

$var=@$_GET['q'];

unless you really want a reference, in which case it should be this: (the error suppression is not needed at this point if you want a reference, but you should check $var is set before trying to access it)

$var=& $_GET['q'];

I would be tempted to write it a bit more like this.

if (!isset($_GET['q'])) {
    echo"<p>We don't seem to have a search parameter!</p>";
    exit;
}

$trimmed = trim($_GET['q']);

if($trimmed=="") {
    echo"<p>Please enter a name.</p>";
    exit;
}

Comments

0

Also, as Chad mentioned, an SQL injection would be simple since you aren't cleaning input before performing DB actions with it.

Try adding

foreach($_REQUEST as $param => $value)
{
    $_REQUEST[$param]=mysql_real_escape_string($value);
}

This way you escape all the user input so the user can't tamper with the db. Read more about this method and sql injection in the docs here: https://www.php.net/mysql_real_escape_string

Comments
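The same search built on PDO prepared statements, which the third, fourth and sixth answers point towards (escape the term, look at PDO, don't run as root). This is an added example, not code from the question or from any answer. It keeps the question's database name `itour`, table `events` and columns `artist_name` and `date`; the read-only account `itour_reader`, its placeholder password and the `:pattern`/`:limit`/`:offset` parameter names are assumptions. Beyond what the answers show, it escapes `%` and `_` so a typed wildcard is matched literally, binds the page offset as an integer so the `LIMIT` clause never sees string input (a place where escaping quotes alone does not help), and HTML-escapes everything it echoes back.

```php
<?php
// Added example, not code from the question or any answer: the artist search
// rewritten around PDO prepared statements. Database "itour", table "events" and
// columns artist_name / date come from the question; the account "itour_reader",
// its placeholder password and the parameter names are assumptions.
declare(strict_types=1);

const PAGE_SIZE = 10;

// Escape the LIKE metacharacters so a term such as "100%" or "a_b" matches those
// characters literally. '!' is the escape character named in the query's ESCAPE
// clause; it is doubled first so a '!' typed by the user cannot eat the next character.
function likePattern(string $term): string
{
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
    return '%' . $escaped . '%';
}

// The page offset arrives as ?s=...; keep only a non-negative integer. Anything else
// (text, negative numbers, arrays) falls back to the first page.
function pageOffset($raw): int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $n === false ? 0 : $n;
}

function connect(): PDO
{
    // A read-only account instead of root limits what any bug in this page can do.
    // Emulated prepares are turned off so :limit/:offset are sent as real integers.
    return new PDO(
        'mysql:host=localhost;dbname=itour;charset=utf8mb4',
        'itour_reader',
        'CHANGE_ME', // placeholder, not a real credential
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );
}

// Total matches, used for the "Showing x to y of z" line and the paging links.
function countEvents(PDO $pdo, string $term): int
{
    $stmt = $pdo->prepare(
        "SELECT COUNT(*) FROM events WHERE artist_name LIKE :pattern ESCAPE '!'"
    );
    $stmt->bindValue(':pattern', likePattern($term), PDO::PARAM_STR);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// One page of matches. The term is bound as a string and the paging values as
// integers; neither is ever concatenated into the SQL text.
function searchEvents(PDO $pdo, string $term, int $offset): array
{
    $stmt = $pdo->prepare(
        "SELECT artist_name, `date` FROM events WHERE artist_name LIKE :pattern ESCAPE '!' "
        . "ORDER BY `date` LIMIT :limit OFFSET :offset"
    );
    $stmt->bindValue(':pattern', likePattern($term), PDO::PARAM_STR);
    $stmt->bindValue(':limit', PAGE_SIZE, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Build the result HTML. Everything that came from the user or the database goes
// through htmlspecialchars, so the "You searched for" line cannot inject markup.
function renderResults(array $rows, int $total, int $offset, string $term): string
{
    $h = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    $link = static fn(int $s): string => $h('search.php?' . http_build_query(['q' => $term, 's' => $s]));

    $out = '<p>You searched for: &quot;' . $h($term) . '&quot;</p>';
    if ($total === 0) {
        return $out . '<p>Sorry, your search returned zero results.</p>';
    }
    $n = $offset + 1;
    foreach ($rows as $row) {
        $out .= '<p>' . $n++ . '.) ' . $h((string) $row['artist_name'])
              . ' (' . $h((string) $row['date']) . ')</p>';
    }
    $last = min($offset + PAGE_SIZE, $total);
    $out .= '<p>Showing results ' . ($offset + 1) . ' to ' . $last . ' of ' . $total . '</p>';
    if ($offset > 0) {
        $out .= '<a href="' . $link(max(0, $offset - PAGE_SIZE)) . '">&lt;&lt; Prev</a> ';
    }
    if ($offset + PAGE_SIZE < $total) {
        $out .= '<a href="' . $link($offset + PAGE_SIZE) . '">Next &gt;&gt;</a>';
    }
    return $out;
}

// search.php entry point: ?q= is the term, ?s= the page offset
$raw = $_GET['q'] ?? '';
$term = is_string($raw) ? trim($raw) : '';
if ($term === '') {
    echo '<p>Please enter a name.</p>';
    exit;
}
$offset = pageOffset($_GET['s'] ?? 0);
$pdo = connect();
echo renderResults(searchEvents($pdo, $term, $offset), countEvents($pdo, $term), $offset, $term);
```

Emulated prepares are switched off because, with emulation on, older PDO MySQL drivers quote integer parameters as strings, which makes `LIMIT '10'` a syntax error; with native prepares the `PDO::PARAM_INT` binding is sent as an integer. The `ESCAPE '!'` clause is what makes the escaping in `likePattern` meaningful: without it, MySQL would use backslash as the escape character and the `!` prefixes would be matched as literal text.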
