This question already has an answer here:
- How can I prevent SQL injection in PHP? (28 answers)
Can anybody please convert the PHP + MySQL search script below to PHP + MySQLi or PHP + PDO statements... I don't know how to do this... please help me... thanks in advance...
My form script is

```html
<html>
<head>
<title>Search Engine</title>
</head>
<body>
<form action="ss.php" method="get">
<input type="text" name="q">
<input type="submit" name="submit" value="Search">
</form>
</body>
</html>
```

and the search engine script

```php
<?php
$k = $_GET["q"];
$con = mysql_connect("localhost", "root", "");
mysql_select_db("x");
$terms = explode(" ", $k);
$i = 0;
$set_limit = 9;
$subi = "";
foreach ($terms as $each) {
    $i++;
    // $each comes straight from the query string and is interpolated into the SQL unescaped
    if ($i == 1)
        $subi .= " WHERE title LIKE '%$each%' ";
    else
        $subi .= " OR title LIKE '%$each%' ";
}
$query = "SELECT SQL_CALC_FOUND_ROWS * FROM table $subi ORDER BY RAND() LIMIT $set_limit";
$qry = mysql_query($query);
$row_object = mysql_query("SELECT FOUND_ROWS() AS rowcount");
$row_object = mysql_fetch_object($row_object);
$actual_row_count = $row_object->rowcount;
$result = $actual_row_count;
?>
```

Displaying results

```php
<?php
if ($result > 0) {
    while ($row = mysql_fetch_array($qry)) {
        $title = $row['title'];
        $href = $row['href'];
        $img = $row['img'];
        echo "<div class=\"col-sm-4\"><div class=\"product-image-wrapper\"><div class=\"single-products\"><div class=\"productinfo text-center\"><img src=\"$img\" alt=\"$title\"><h5>$title</h5><a href=\"$href\" target=\"_blank\"></a></div></div></div></div>\n";
    }
} else {
    echo "Sorry, no items found for " . $k;
}
?>
```
First of all, avoid using mysql_*, as these functions are deprecated.

Your code is vulnerable to SQL injection. Let's say that, as a user, I put %';# in the input; the query will return results regardless of the conditions you have applied to filter out results.

To avoid SQL injection you should either sanitize user inputs using mysqli_real_escape_string before putting them in the query, or use PDO prepared statements.
Update

```php
<?php
$k = $_GET["q"];
$con = mysql_connect("localhost", "root", "");
mysql_select_db("x");
$terms = explode(" ", $k);
$i = 0;
$set_limit = 9;
$subi = "";
foreach ($terms as $each) {
    $i++;
    // escape quotes and other special characters before the term goes into the SQL string
    $escapedsearchstring = mysql_real_escape_string($each);
    if ($i == 1)
        $subi .= " WHERE title LIKE '%$escapedsearchstring%' ";
    else
        $subi .= " OR title LIKE '%$escapedsearchstring%' ";
}
$query = "SELECT SQL_CALC_FOUND_ROWS * FROM table $subi ORDER BY RAND() LIMIT $set_limit";
$qry = mysql_query($query);
$row_object = mysql_query("SELECT FOUND_ROWS() AS rowcount");
$row_object = mysql_fetch_object($row_object);
$actual_row_count = $row_object->rowcount;
$result = $actual_row_count;
?>
```

Using mysqli_*:

```php
<?php
$k = $_GET["q"];
$con = mysqli_connect("localhost", "root", "");
mysqli_select_db($con, "x");
$terms = explode(" ", $k);
$i = 0;
$set_limit = 9;
$subi = "";
foreach ($terms as $each) {
    $i++;
    // mysqli_real_escape_string needs the connection so it can use the connection's charset
    $escapedsearchstring = mysqli_real_escape_string($con, $each);
    if ($i == 1)
        $subi .= " WHERE title LIKE '%$escapedsearchstring%' ";
    else
        $subi .= " OR title LIKE '%$escapedsearchstring%' ";
}
$query = "SELECT SQL_CALC_FOUND_ROWS * FROM table $subi ORDER BY RAND() LIMIT $set_limit";
$qry = mysqli_query($con, $query);
$row_object = mysqli_query($con, "SELECT FOUND_ROWS() AS rowcount");
$row_object = mysqli_fetch_object($row_object);
$actual_row_count = $row_object->rowcount;
$result = $actual_row_count;
?>
```
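The answer's second option, PDO prepared statements, as an added example that is not part of the question or the answer above. It keeps the question's placeholder names (`table`, `title`, `href`, `img`, the `x` database and the `root` credentials) and assumes a MySQL server reachable on localhost. Each search term becomes a bound `?` parameter, so the SQL text never contains user data; it also handles the one thing escaping alone does not cover, the `%` and `_` wildcards inside a LIKE pattern.

```php
<?php
// Added example (not the original poster's or answerer's code): the same title search
// built with PDO prepared statements. Table/column names are placeholders from the question.
declare(strict_types=1);

// Build the WHERE clause with one placeholder per term and return [sql, params].
function buildSearchQuery(array $terms, int $limit): array
{
    $conditions = [];
    $params = [];
    foreach ($terms as $term) {
        if ($term === '') {
            continue; // explode() on double spaces yields empty terms; skip them
        }
        // "!" is declared as the LIKE escape character, so a literal "%" or "_" typed by the
        // user matches itself instead of acting as a wildcard inside the pattern.
        $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
        $conditions[] = "title LIKE ? ESCAPE '!'";
        $params[] = '%' . $escaped . '%';
    }
    if ($conditions === []) {
        return ['', []];
    }
    // $limit is an integer chosen by the application, never by the request, so it is safe to inline.
    $sql = 'SELECT title, href, img FROM `table` WHERE ' . implode(' OR ', $conditions)
         . ' ORDER BY RAND() LIMIT ' . $limit;
    return [$sql, $params];
}

// Run the search; values travel to the server separately from the statement text.
function runSearch(PDO $pdo, string $q, int $limit = 9): array
{
    [$sql, $params] = buildSearchQuery(explode(' ', trim($q)), $limit);
    if ($sql === '') {
        return [];
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- usage in ss.php ---
$pdo = new PDO('mysql:host=localhost;dbname=x;charset=utf8mb4', 'root', '', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Real server-side prepares: the driver never splices values into the SQL string itself.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$k = $_GET['q'] ?? '';
$rows = runSearch($pdo, $k);

if ($rows === []) {
    // The original echoed $k raw; HTML-encode anything from the request before printing it.
    echo 'Sorry, no items found for ' . htmlspecialchars($k, ENT_QUOTES, 'UTF-8');
} else {
    foreach ($rows as $row) {
        $title = htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
        $href  = htmlspecialchars($row['href'], ENT_QUOTES, 'UTF-8');
        $img   = htmlspecialchars($row['img'], ENT_QUOTES, 'UTF-8');
        echo "<div class=\"col-sm-4\"><div class=\"product-image-wrapper\"><div class=\"single-products\">"
           . "<div class=\"productinfo text-center\"><img src=\"$img\" alt=\"$title\"><h5>$title</h5>"
           . "<a href=\"$href\" target=\"_blank\"></a></div></div></div></div>\n";
    }
}
```

With this version the `%';#` input from the answer is just another search pattern: the quote and the comment marker are part of a bound value and cannot end the string literal or truncate the query. The row count is `count($rows)` after `fetchAll()`, which replaces the `SQL_CALC_FOUND_ROWS` / `FOUND_ROWS()` pair from the original and so needs no second query.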