Tariq Ismail Dalvi wrote:
Hello Chris,

I am inserting the complete script for you to have a look at, and I was using
$s = $pages

// Get the search variable from URL

$var = @$_GET['q'];
$trimmed = trim($var); // trim whitespace from the stored variable

// rows to return

// check for an empty string and display a message.

if ($trimmed == "")
    echo "<p>Please enter a search...</p>";

// check for a search parameter
if (!isset($var))
    echo "<p>We don't seem to have a search parameter!</p>";

I'd change that to:

if (!isset($_GET['q'])) {
  echo "Search for something - or some other error message";
  exit; // nothing to search for, so stop here
}

$search_term = trim($_GET['q']);

// Build SQL Query
$query = "select * from mytable where massage like '%".$trimmed."%' order by

You have SQL injection here. You need to use mysql_real_escape_string:

$query = "select * from table where message like '%" . mysql_real_escape_string($search_term) . "%'";


// If we have no results, offer a google search as an alternative

if ($numrows == 0)

 echo "<h4>Results</h4>";
 echo "<p>Sorry, your search: &quot;" . $trimmed . "&quot; returned zero


You have an XSS problem here. You need to use htmlentities or htmlspecialchars when you display user-supplied input:

echo "Your search for &quot;" . htmlspecialchars($trimmed) . "&quot; returned no results";

// next determine if s has been passed to script, if not use 0
 if (empty($s)) {
// get results
 $query .= " limit $s,$limit";
 $result = mysql_query($query) or die("Couldn't execute query");

You're re-running your query - this time with a limit.

The first query should either be a 'COUNT' (so it doesn't actually retrieve all the results and return them, it just does a count), or, if this is a MySQL-specific query (and will only ever be), possibly use their special 'SQL_CALC_FOUND_ROWS' function (search http://dev.mysql.com for it).

If it's a count, the first part will be something like:
$query = "select count(message_id) AS message_count from table where message like '%" . mysql_real_escape_string($search_term) . "%'";
$results = mysql_query($query);
$row = mysql_fetch_assoc($results);
$messages_found = $row['message_count'];

Then run your actual search query with the limit so you only fetch 10 results.

// display what the person searched for
echo "<p>You searched for :<font color=blue size=+2> &quot;" . $var .

XSS issue here again.

From here, rewrite it so it's a little easier to follow (and please use variable names that make sense! $s and $q do not).

// work out pagination
// number_of_pages will be:
// $messages_found / $number_of_results_per_page (rounded up, so a partial last page still counts)

$number_of_pages = ceil($messages_found / $number_of_results_per_page);

$current_page = 0;
if (isset($_GET['page'])) {
  $current_page = (int)$_GET['page'];
}

// if we're on page 0, don't show a prev link
// if it's less than 0, someone is trying to be nasty! - clamp it back to 0
if ($current_page < 0) {
  $current_page = 0;
}
if ($current_page > 0) {
  // the search term goes into a URL (urlencode) inside HTML (htmlspecialchars)
  echo '<a href="' . htmlspecialchars($_SERVER['PHP_SELF']) . '?q=' . urlencode($search_term) . '&amp;page=' . ($current_page - 1) . '">Prev</a>';
}

// if we're not on the last page, show a next link
// (pages are numbered from 0, so the last page is $number_of_pages - 1)
if ($current_page + 1 < $number_of_pages) {
  echo "Next link here";
}

Postgresql & php tutorials

PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
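The points raised in the reply above (parameterise the search term instead of gluing it into the query, count first and then fetch one page with LIMIT, escape the term before it goes into HTML or a URL, and refuse negative page numbers) put together in one runnable script. This is an added example, not code from either poster: it uses PDO prepared statements with an in-memory SQLite database (PHP 7.4 or later with pdo_sqlite) rather than the mysql_* functions, the table name `messages`, its columns and the sample rows are constructed here, and `search.php` is an assumed script name.

```php
<?php
// Added example (not from the original thread): a paginated keyword search
// hardened against SQL injection and XSS. Uses an in-memory SQLite database
// via PDO so it runs stand-alone; table, columns and rows are constructed.

declare(strict_types=1);

const RESULTS_PER_PAGE = 10;

// Constructed sample data standing in for the poster's message table.
function buildSampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE messages (message_id INTEGER PRIMARY KEY, message TEXT NOT NULL)');
    $insert = $db->prepare('INSERT INTO messages (message) VALUES (:message)');
    for ($i = 1; $i <= 25; $i++) {
        $insert->execute([':message' => "hello world number $i"]);
    }
    $insert->execute([':message' => "100% sure about O'Reilly"]);
    return $db;
}

// Escape LIKE metacharacters so a user typing "%" or "_" searches for those
// characters literally instead of matching every row.
function likePattern(string $term): string
{
    $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
    return '%' . $escaped . '%';
}

// Count first (no rows fetched), then fetch only the requested page.
// Returns [total_found, rows]. $page is zero-based.
function searchMessages(PDO $db, string $term, int $page): array
{
    $pattern = likePattern($term);

    $count = $db->prepare("SELECT COUNT(message_id) AS message_count FROM messages WHERE message LIKE :pattern ESCAPE '\\'");
    $count->execute([':pattern' => $pattern]);
    $found = (int)$count->fetchColumn();

    // LIMIT/OFFSET are bound as integers, never interpolated from the request.
    $select = $db->prepare("SELECT message_id, message FROM messages WHERE message LIKE :pattern ESCAPE '\\' ORDER BY message_id LIMIT :limit OFFSET :offset");
    $select->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $select->bindValue(':limit', RESULTS_PER_PAGE, PDO::PARAM_INT);
    $select->bindValue(':offset', $page * RESULTS_PER_PAGE, PDO::PARAM_INT);
    $select->execute();
    return [$found, $select->fetchAll(PDO::FETCH_ASSOC)];
}

// Cast the page number to int and clamp negatives (the "someone is being nasty" case).
function currentPage(array $query): int
{
    $page = isset($query['page']) ? (int)$query['page'] : 0;
    return max(0, $page);
}

// Render the page. Every user-supplied value goes through htmlspecialchars
// before it reaches HTML and urlencode before it reaches a URL.
function renderSearch(PDO $db, array $query): string
{
    if (!isset($query['q']) || trim($query['q']) === '') {
        return "<p>Please enter a search...</p>\n";
    }
    $term = trim($query['q']);
    $page = currentPage($query);
    [$found, $rows] = searchMessages($db, $term, $page);
    $pages = (int)ceil($found / RESULTS_PER_PAGE);
    $safeTerm = htmlspecialchars($term, ENT_QUOTES, 'UTF-8');

    $out = "<h4>Results</h4>\n";
    if ($found === 0) {
        return $out . "<p>Sorry, your search &quot;$safeTerm&quot; returned zero results.</p>\n";
    }
    $out .= "<p>You searched for &quot;$safeTerm&quot; ($found found)</p>\n<ul>\n";
    foreach ($rows as $row) {
        $out .= '<li>' . htmlspecialchars($row['message'], ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    $out .= "</ul>\n";

    // search.php is an assumed script name; the term is URL-encoded for the link.
    $link = fn(int $p, string $label) => '<a href="search.php?q=' . urlencode($term) . '&amp;page=' . $p . '">' . $label . '</a>';
    if ($page > 0) {
        $out .= $link($page - 1, 'Prev') . "\n";
    }
    if ($page + 1 < $pages) { // pages are zero-based, so the last one is $pages - 1
        $out .= $link($page + 1, 'Next') . "\n";
    }
    return $out;
}

$db = buildSampleDb();
// Constructed inputs: an injection attempt, a script tag, a bare wildcard with a
// negative page, and a normal search on its last page.
foreach ([['q' => "' OR 1=1 --"], ['q' => '<script>alert(1)</script>'],
          ['q' => '%', 'page' => '-3'], ['q' => 'number', 'page' => '2']] as $input) {
    echo renderSearch($db, $input);
}
```

Run it with `php search.php`: the injection and script-tag inputs return zero results and are echoed back as inert text, the `%` search matches only the one row that literally contains a percent sign (instead of every row) and the negative page is clamped to 0, and the `number` search on page 2 shows the last 5 of 25 matches with a Prev link and no Next link.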
