BryantA

  1. Hi, I'm very new to PHP so I'm not sure if this is right but I'm trying to find out if the code below is safe from email injections. I intentionally left out the request for an email because it's not needed for my purpose but I'm not sure if I'm safe. Help please!

     This is the HTML

         <form method="post" action="contact.php">
         Sugesstion:<br>
         <input type="text" name="message" rows="15" cols="40">
         <input value="Submit" type="submit">
         </form>

     This is the PHP

         <?php
         $to = "my-email@domain.com";
         $subject = "Suggestion";
         $message = $_REQUEST['message'];
         $sent = mail($to, $subject, $message);
         if ($sent) {
             print "Your mail was sent successfully";
         } else {
             print "We encountered an error sending your suggestion";
         }
         ?>
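An added example, not part of the original post: in the handler above, the visitor's text reaches only the body argument of `mail()`, whereas header injection requires input to reach the recipient, subject or additional-headers arguments. The sketch below keeps the message in the body and shows the CR/LF check to apply if a field ever does feed a header; the `topic` field and the helper names are hypothetical and do not exist in the original form.

```php
<?php
// Added example (not the poster's code): contact.php with the message kept
// strictly in the body and a CR/LF check on anything that feeds a header.

/** Refuse a header value containing CR or LF, the bytes that start a new header. */
function header_value(string $value): string
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException('Line breaks are not allowed here.');
    }
    return trim($value);
}

/** Bound the body size and normalise its line endings to CRLF, wrapped at 70 columns. */
function body_text(string $raw, int $maxBytes = 5000): string
{
    $body = substr(trim(str_replace("\0", '', $raw)), 0, $maxBytes);
    $body = preg_replace('/\r\n|\r|\n/', "\r\n", $body);
    return wordwrap($body, 70, "\r\n");
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // $_POST rather than $_REQUEST: the form posts, so ignore GET and cookie values.
    $message = $_POST['message'] ?? '';
    $topic   = $_POST['topic'] ?? '';   // hypothetical extra field, not in the original form

    if (!is_string($message) || !is_string($topic) || trim($message) === '') {
        http_response_code(400);
        exit('Please enter a suggestion.');
    }

    try {
        $to      = 'my-email@domain.com';   // fixed, as in the post
        $subject = 'Suggestion' . ($topic !== '' ? ': ' . header_value($topic) : '');
        $headers = 'Content-Type: text/plain; charset=UTF-8';
        $sent    = mail($to, $subject, body_text($message), $headers);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        exit('Invalid input.');
    }

    print $sent
        ? 'Your mail was sent successfully'
        : 'We encountered an error sending your suggestion';
}
```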
  2. OMG!!! It's fixed. I finally have a working search engine for my site. Now all I have to do is make it look pretty.

     @requinix My query was one of the issues. I had it named wrong.
     @PFMaBiSmAd Great observation. I didn't think that was an issue but it was.
     @smoseley Your revision allowed me to switch everything around how it should be.

     Thank you y'all so much. Overall. You guys saved me sssoooooo much time you have no idea. One day when I learn PHP maybe I can return the favor...one day!
  3. Hi, I'm a complete noob. What I'm trying to do is create a search engine for a website that retrieves links from pages that I've placed in a table in my database according to their designated keywords. But every time I enter a keyword into the search box this error comes up:

         You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'OR keywords LIKE '%keyword%'' at line 1

     Obviously there is something wrong with my MySQL database or table but I'm not sure what exactly it is though. I know I have my collation set to "utf8_unicode_ci" because I heard that that was the best to use. I don't know if that choice of collation is the issue. Do you have any suggestions as to why it might be saying this and what I can do to fix it? Please help.
  4. Waynewex, Thank you for the advice. I added the wonderful line of code that you suggested by replacing it with that original line. And the great news is I'm no longer getting that "Warning: mysql_num_rows()..." error message. But now it's showing me this error message:

         You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'OR keywords LIKE '%keyword%'' at line 1

     I guess there might be something wrong with my MySQL database or table I'm not sure though. I know I have my collation set to "utf8_unicode_ci" because I heard that that was the best to use. Do you have any suggestions as to why it might be saying this and what I can do to fix it? Thank you so much for your help

     Side Note: I followed a YouTube video that gave instructions on how to code a search engine. That's where I got the code from. And as he was testing it when he was done it worked perfect for him. And all my original coding was exactly like his. I quadruple checked it!
  5. Psycho, Thank you so much for the feedback. I thought I did use the PHP code feature for this post, I guess not. Sorry though, I'll make sure to preview my post next time. But I tried to use your revised code but when I copy and paste it into Dreamweaver it shows an error on line 30 that I can't figure out. I'm sure it works. I'm pretty sure it would've been much easier to read if I would've used the tags, silly me! But here is my original code with the code tags: Thanks again.

         <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
         <html xmlns="http://www.w3.org/1999/xhtml">
         <head>
         <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
         <title>Search Engine</title>
         </head>
         <body>
         <center>
         <h1>Search</h1>
         <form action='search.php' method='GET'>
         <input type='text' name='search' size='90' value='<?php echo $_GET['search']; ?>' />
         <input type='submit' name='submit' value='Search' >
         </center>
         </form>
         <hr />
         <?php
         $search = $_GET['search'];
         $terms = explode(" ", $search);
         $query = "SELECT * FROM search WHERE ";

         foreach ($terms as $each){
             $i++;
             if ($i == i)
                 $query .= "keywords LIKE '%$each%' ";
             else
                 $query .= "OR keywords LIKE '%$each%' ";
         }

         // connect
         mysql_connect("localhost", "username", "password");
         mysql_select_db("databasename");

         $query = mysql_query($query) or die(mysql_error());
         $numrows = mysql_num_rows($query);
         *****************************************
         if ($numrows > 0) {
             while ($row = mysql_fetch_assoc($query)) {
                 $id = $row['id'];
                 $title = $row['title'];
                 $description = $row['description'];
                 $keywords = $row['keywords'];
                 $url = $row['url'];

                 echo "<h2><a href='$url'>$title</a></h2> $description<br /><br />";
             }
         }
         else {
             echo "No results found for \"<b>$search</b>\"";
             //disconnect
             mysql_close();
         }
         ?>
         </body>
         </html>
  6. Hi, I'm very new to PHP and MySQL. But I'm pretty sure there's a simple solution to my problem because there usually is. What I'm trying to do is create a search engine for a website that retrieves links from pages that I've placed in a table in my database according to their designated keywords. But every time I enter a keyword into the search box this error comes up:

         Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/xxxxxx/public_html/search.php on line 35
         No results found for "keyword"

     I underlined line 35 with a row of asterisks. If you think you have an idea to what my problem is I would really, really appreciate your help. Thank you! Here is the PHP code:

         <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
         <html xmlns="http://www.w3.org/1999/xhtml">
         <head>
         <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
         <title>Search Engine</title>
         </head>
         <body>
         <center>
         <h1>Search</h1>
         <form action='search.php' method='GET'>
         <input type='text' name='search' size='90' value='<?php echo $_GET['search']; ?>' />
         <input type='submit' name='submit' value='Search' >
         </center>
         </form>
         <hr />
         <?php
         $search = $_GET['search'];
         $terms = explode(" ", $search);
         $query = "SELECT * FROM search WHERE ";

         foreach ($terms as $each){
             $i++;
             if ($i == i)
                 $query .= "keywords LIKE '%$each%' ";
             else
                 $query .= "OR keywords LIKE '%$each%' ";
         }

         // connect
         mysql_connect("localhost", "username", "password");
         mysql_select_db("databasename");

         $query = mysql_query($query);
         $numrows = mysql_num_rows($query);
         **************************************
         if ($numrows > 0) {
             while ($row = mysql_fetch_assoc($query)) {
                 $id = $row['id'];
                 $title = $row['title'];
                 $description = $row['description'];
                 $keywords = $row['keywords'];
                 $url = $row['url'];

                 echo "<h2><a href='$url'>$title</a></h2> $description<br /><br />";
             }
         }
         else {
             echo "No results found for \"<b>$search</b>\"";
             //disconnect
             mysql_close();
         }
         ?>
         </body>
         </html>
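An added example, not the poster's code or the code from the video: the search page above pastes `$_GET['search']` directly into the SQL string and into the HTML it prints, and the error text quoted in the posts shows the WHERE clause beginning with `OR`. This version builds the same `keywords LIKE ... OR ...` filter with PDO bound parameters (swapped in because the `mysql_*` functions were removed in PHP 7), joins the clauses with `implode()`, and HTML-escapes its output; the helper names `build_search` and `h` are hypothetical, and the connection values are the post's placeholders.

```php
<?php
// Added example (not the poster's code): the keyword search with bound parameters.

/** Build "keywords LIKE ? OR keywords LIKE ? ..." plus its parameter list. */
function build_search(string $search, int $maxTerms = 8): array
{
    $terms = preg_split('/\s+/', $search, -1, PREG_SPLIT_NO_EMPTY) ?: [];
    $clauses = [];
    $params  = [];
    foreach (array_slice($terms, 0, $maxTerms) as $term) {
        $clauses[] = "keywords LIKE ? ESCAPE '!'";
        // Escape LIKE wildcards so a typed % or _ matches literally.
        $params[]  = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term) . '%';
    }
    if ($clauses === []) {
        return [null, []];
    }
    // implode() puts OR only between clauses, never in front of the first one.
    return ['SELECT title, description, url FROM search WHERE '
        . implode(' OR ', $clauses), $params];
}

/** Escape a value for HTML text and quoted attributes. */
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

$search = (isset($_GET['search']) && is_string($_GET['search'])) ? $_GET['search'] : '';
[$sql, $params] = build_search($search);
$rows = [];
if ($sql !== null) {
    // Connection values are the placeholders from the post.
    $pdo = new PDO('mysql:host=localhost;dbname=databasename;charset=utf8mb4',
        'username', 'password', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);   // values travel separately from the SQL text
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
}
foreach ($rows as $row) {
    echo "<h2><a href='", h($row['url']), "'>", h($row['title']), "</a></h2> ",
         h($row['description']), "<br /><br />\n";
}
if ($rows === []) {
    echo 'No results found for "<b>', h($search), '</b>"';
}
```

The same `h()` call belongs on the form's `value='...'` attribute, which echoes `$_GET['search']` back into the page.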