Images

anon191

Hiya guys, I'm really quite new to PHP so don't come down too heavy on the simplicity of my question please!

I've created a PHP search page for a website I'm building, with an SQL back-end. The search page needs to pull an image URL from the database and then display it with each search result, similar to any e-commerce site. This is the code I'm using to try and display the image, but I don't know where I'm going wrong! Any help would be appreciated!

<?php
// $conn is the mysql connection opened earlier (not shown in the post)
$search = $_GET['search'];

$sql = "SELECT * FROM Prints WHERE name ='$search' ";

$rs = mysql_query($sql, $conn);

while ($row = mysql_fetch_array($rs))
{
    echo($row["name"]);
    echo("..");
    echo($row["artist"]);
    echo("..");
    echo($row["price"]);
    echo("..");
    // image tag; 'URL' stands for the image URL column from the Prints table
    echo("<img src='URL'>");
}
?>


1) Use the proper code tags when posting code.

2) Read up on SQL injection, as you are vulnerable :) http://en.wikipedia.org/wiki/SQL_injection

<?php
$search = htmlentities($_GET['search']);

$query = sprintf("SELECT * FROM prints WHERE id = '%s' OR name LIKE '%%%s%%' OR manufacturer LIKE '%%%s%%'", $search, $search, $search);

$queryResult = mysql_query($query);
while ($row = mysql_fetch_assoc($queryResult)) {
    echo searchResult($row);
}

function searchResult($row) {
    // ..html markup code for a search result.. (build the markup as a string and return it; the loop above echoes the return value)
}
?>


Hey, thank you for the advice, I'll give that a read :)

I've given the code you suggested a try, but I get nothing but a blank page :S

I'm a bit lost with what you've written so I haven't been able to modify it. All the search needs to do is accept a search term from 'search', find the name in table 'Prints' and display the relevant data with an image stored in that table using its URL.

Thank you for the help!


Then only use the

name LIKE '%%%s%%'

part.

htmlentities is a security measure against SQL injection; mysql_real_escape_string() is even better, but I don't use MySQL as a database. The next line in the code is a formatted string (or, if you use mysqli, a prepared statement). The double %% represents a %, and %s represents a string, which means that whatever is passed is converted to a string. Read up on sprintf() on php.net: http://be.php.net/sprintf

The function searchResult() is only there to make your code clearer and easier to read. It does this by encapsulating your HTML code inside a function which gets the required information passed along. This way you can more easily use it again somewhere else in your application.


This is the code I'm using, but I'm still getting the same result?

<?php
$search = htmlentities($_GET['search']);

$query = sprintf("SELECT * FROM prints WHERE name LIKE '%%%s%%'", $search);

$queryResult = mysql_query($query);
while ($row = mysql_fetch_assoc($queryResult)) {
    echo searchResult($row);
}

function searchResult($row) {
    echo($row["name"]);
    echo("..");
    echo($row["artist"]);
    echo("..");
    echo($row["price"]);
    echo("..");
    // image tag; 'URL' stands for the image URL column from the Prints table
    echo("<img src='URL'>");
}
?>

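The thread never arrives at a version of the search page that is both working and safe: the replies suggest htmlentities() and sprintf() for the SQL side, and the image URL is still echoed raw. Below is an added example, written for this page and not code from anyone in the thread, that does the two jobs with the tools meant for them: a PDO prepared statement binds the search term as data, and htmlspecialchars() escapes every value (the URL in src= included) on the way out to HTML. It goes one step beyond the thread's LIKE suggestion by escaping the % and _ wildcards so a visitor cannot supply wildcards of their own. It runs offline against an in-memory SQLite table filled with constructed rows; on the real site only the DSN would change. Assumptions: PHP 7.4 or later with pdo_sqlite, a column named image_url (the thread never names the column holding the image URL), and '!' as the LIKE escape character.

```php
<?php
// Added example, not code from the thread: the search page with the SQL side done
// by a PDO prepared statement and the HTML side escaped with htmlspecialchars().
// Runs offline against an in-memory SQLite table of constructed rows; on the real
// site only the DSN in openDemoDb() changes. The column name image_url is an
// assumption (the thread never names the column that holds the image URL).

function openDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE Prints (id INTEGER PRIMARY KEY, name TEXT, artist TEXT, price REAL, image_url TEXT)");
    $ins = $db->prepare("INSERT INTO Prints (name, artist, price, image_url) VALUES (?, ?, ?, ?)");
    // constructed sample rows; the apostrophe in O'Keeffe would break the quoted query from the thread
    $ins->execute(["Red Canna", "Georgia O'Keeffe", 25.00, "/img/red-canna.jpg"]);
    $ins->execute(["Water Lilies", "Claude Monet", 30.00, "/img/water-lilies.jpg"]);
    $ins->execute(["100% Cotton", "Anon", 5.00, "/img/cotton.jpg"]);
    return $db;
}

// Escape the LIKE metacharacters so the request cannot add wildcards of its own;
// the surrounding %...% is added here, not taken from the user. '!' is the escape
// character declared in the query below and behaves the same in MySQL and SQLite.
function likePattern(string $term): string {
    return '%' . strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
}

function searchPrints(PDO $db, string $term): array {
    // :pat is bound as data, so quotes or SQL keywords in $term never alter the statement
    $stmt = $db->prepare("SELECT name, artist, price, image_url FROM Prints WHERE name LIKE :pat ESCAPE '!'");
    $stmt->execute([':pat' => likePattern($term)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output side: every value read back from the table is HTML-escaped before it is
// echoed, the URL in src= included, so a stored value cannot break out of the attribute.
function searchResult(array $row): string {
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf(
        "<div class=\"result\">%s .. %s .. %.2f .. <img src=\"%s\" alt=\"%s\"></div>\n",
        $h($row['name']), $h($row['artist']), (float) $row['price'], $h($row['image_url']), $h($row['name'])
    );
}

$db = openDemoDb();
$search = $_GET['search'] ?? 'Red';   // same parameter name as the thread's page
foreach (searchPrints($db, $search) as $row) {
    echo searchResult($row);
}
```

Run it with `php search.php` and it prints the Red Canna row; a term such as `100%` matches only the literal "100% Cotton" row, whereas without likePattern() the % would have matched every name containing "100". The split of duties is the point: escaping for SQL happens by binding parameters, escaping for HTML happens with htmlspecialchars() at output, and neither function is asked to do the other's job.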
