regoch Posted July 3, 2011

This is my search form code

```html
<tr>
  <td align="center"><select name="nekretnina_cijena_ukupno" id="nekretnina_cijena_ukupno" >
    <option value="" selected> Price</option>
    <option value="75000">to 75.000,00 EUR</option>
    <option value="100000">to 100.000,00 EUR</option>
    <option value="150000">to 150.000,00 EUR</option>
    <option value="200000">to 200.000,00 EUR</option>
    <option value="200000000">over 200.000,00 EUR</option>
  </select></td>
</tr>
<tr>
  <td height="15"></td>
</tr>
<tr>
  <td align="center"><select name="nekretnina_povrsina" id="nekretnina_povrsina" >
    <option value="" selected> Size</option>
    <option value="BETWEEN 0 AND 100">to 100 m2</option>
    <option value="BETWEEN 101 AND 300">from 100 to 300 m2</option>
    <option value="BETWEEN 301 AND 500">from 300 to 500 m2</option>
    <option value="BETWEEN 501 AND 10000000">over 500 m2</option>
  </select></td>
</tr>
```

And my PHP code

```php
$nekretnina_cijena_ukupno=$_POST['nekretnina_cijena_ukupno'];
$nekretnina_povrsina=$_POST['nekretnina_povrsina'];
$rezultat=mysql_query("SELECT * FROM nekretnine_ponuda WHERE nekretnina_cijena_ukupno <= $nekretnina_cijena_ukupno AND nekretnina_povrsina $nekretnina_povrsina ORDER BY nekretnina_id DESC");
```

I'm not very good at PHP, so I do a little trick: "<option value="200000000">over 200.000,00 EUR</option>" to show over 200.000,00, supposing there is no real estate over 200.000.000,00 for sale (but it is easy to add more zeros), and "<option value="BETWEEN 501 AND 10000000">over 500 m2</option>" to show over 500 m2, supposing there is no real estate over 10000000 m2 for sale.

Now that is working fine, but is there any nicer or more professional way to do that query?
mikesta707 Posted July 3, 2011

Your query seems ok-ish to me, though someone could use JavaScript to change the values of your checkboxes to inject mysql. This would probably break your script at the least, and is a vulnerability. You say it works?

As far as a nicer or more professional way instead of what you do: You could change the values of the options to being something like "0-100" (for the "To 100 m2" option), and use that dash as the delimiter to explode the string. So for example:

```php
$range = $_POST['nekretnina_povrsina']; // let's pretend this is 0-100 for the example
// now we can split it via explode
$pieces = explode('-', $range); // now we have an array that should have pieces[0]=0 and pieces[1]=100
// however, we can't guarantee that the input will always be valid and safe, so let's sanitize it
// first we need to make sure that the length of our array is exactly 2
// this will show us that at least the value is of the format xxx-xxx, where xxx is something (hopefully a number)
// we will use the count function to do this
if (count($pieces) == 2) {
    // now we need to make sure the pieces are valid. to do this we will convert the values into integers
    // by using the intval function
    $low = intval($pieces[0]);
    $high = intval($pieces[1]);
    // the price goes into the same query string, so it is cast to an integer too
    $nekretnina_cijena_ukupno = intval($_POST['nekretnina_cijena_ukupno']);
    // now we can construct our query
    $query = "SELECT * FROM nekretnine_ponuda WHERE nekretnina_cijena_ukupno <= $nekretnina_cijena_ukupno AND nekretnina_povrsina BETWEEN $low AND $high ORDER BY nekretnina_id DESC";
    // and let's perform our query
    $result = mysql_query($query);
    // do the rest
} else {
    // if we are here, it means that the $_POST data was invalid or tampered with somehow
    // we should handle the error gracefully, however you handle errors
}
```

Don't forget to change the values of the options. For example, the first one would go from

```html
<option value="BETWEEN 0 AND 100">to 100 m2</option>
```

to

```html
<option value="0-100">to 100 m2</option>
```

Hope this helps
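An added example (not part of either poster's code): the same search with each option posting a short key that the server maps to a fixed range, "over X" expressed as a lower bound only, and the values bound through a PDO prepared statement. The option keys and `searchListings()` are hypothetical, and in-memory SQLite stands in for the MySQL database so the block runs offline.

```php
<?php
// Added example, not code from the thread. Option keys (p75, s4, ...) and
// searchListings() are hypothetical; table and column names are the thread's.
// Server-side allowlists: the form posts a key, never SQL or raw numbers.
// null = no bound on that side, so "over X" needs no huge sentinel value.
const PRICE_RANGES = [
    'p75' => [null, 75000], 'p100' => [null, 100000], 'p150' => [null, 150000],
    'p200' => [null, 200000], 'p200plus' => [200000, null],
];
const SIZE_RANGES = [
    's1' => [0, 100], 's2' => [101, 300], 's3' => [301, 500], 's4' => [501, null],
];

function searchListings(PDO $db, array $post): array
{
    $filters = ['nekretnina_cijena_ukupno' => PRICE_RANGES,
                'nekretnina_povrsina'      => SIZE_RANGES];
    $where = $params = [];
    foreach ($filters as $column => $ranges) {
        $key = $post[$column] ?? '';
        if ($key === '') continue;          // "Price"/"Size" left unselected: no filter
        if (!is_string($key) || !isset($ranges[$key])) {
            throw new InvalidArgumentException("unknown option for $column");
        }
        [$min, $max] = $ranges[$key];
        if ($min !== null) { $where[] = "$column >= ?"; $params[] = $min; }
        if ($max !== null) { $where[] = "$column <= ?"; $params[] = $max; }
    }
    // Only fixed column names reach the SQL text; values are bound parameters.
    $sql = 'SELECT * FROM nekretnine_ponuda'
         . ($where ? ' WHERE ' . implode(' AND ', $where) : '')
         . ' ORDER BY nekretnina_id DESC';
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo on constructed rows; in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE nekretnine_ponuda (nekretnina_id INTEGER PRIMARY KEY, nekretnina_cijena_ukupno INTEGER, nekretnina_povrsina INTEGER)');
$db->exec('INSERT INTO nekretnine_ponuda VALUES (1,60000,80),(2,140000,250),(3,950000,700)');
$rows = searchListings($db, ['nekretnina_cijena_ukupno' => 'p200plus', 'nekretnina_povrsina' => 's4']);
echo 'over 200.000 and over 500 m2: ', implode(',', array_column($rows, 'nekretnina_id')), "\n";
try {   // the old form value is not a known key, so it never reaches the query
    searchListings($db, ['nekretnina_povrsina' => 'BETWEEN 0 AND 100']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The form's `<option>` values would then be the keys (for example `value="s4"` for "over 500 m2"), and the ranges can change on the server without touching the HTML.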
regoch Posted July 3, 2011

Thanks very much! I will try it now!

regoch Posted July 3, 2011

working fine! thanks!