bugzy Posted July 27, 2012

Beginner's question, guys. I'm about to write a search function now. I was thinking of doing it like this, from an HTML form with method GET. Let's say:

textbox_search = 200
URL: www.mywebsite.com.php?id=200

```php
<?php
if (isset($_GET['id'])) {
    // the value from the query string goes straight into the SQL text
    $query  = "SELECT * FROM student WHERE id = '{$_GET['id']}'";
    $result = mysql_query($query, $connection) or die(mysql_error());
} else {
    $query  = "SELECT * FROM student";
    $result = mysql_query($query, $connection) or die(mysql_error());
}
?>
```

Is this fine, or am I going to have an issue later? I'm confused about whether I should use POST or GET.

https://forums.phpfreaks.com/topic/266356-basic-question-search-help/
Pikachu2000 Posted July 27, 2012

What do you think would happen if I changed the URL to http://www.I_hack_your_site.com/your_vulnerable_form_script.php?id=5%27%2BOR%2B%271%27+%3D+%271?
bugzy Posted July 27, 2012 (Author)

> What do you think would happen if I changed the URL to http://www.I_hack_your_site.com/your_vulnerable_form_script.php?id=5%27%2BOR%2B%271%27+%3D+%271?

Pikachu2000, I'm not really sure what you're trying to imply there, but I do have the mysql_real_escape_string function, which I'm using on every SQL statement I pass to the server. I just didn't put it in the code above because it isn't part of my question, and I typed the code directly here so you guys would understand it better.

So is it better to just create a search landing page rather than returning the user to the page he searched from? Because what I want is to search and show the results on the same page.
Pikachu2000 Posted July 27, 2012

When you post code, I have to assume it's the actual code you're using...

As far as using the same script both to search and display the results, there's nothing wrong with doing it that way.
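The following is an added example, not code from the thread, showing concretely what the URL in Pikachu2000's reply does to the interpolated query from the first post, and the prepared-statement fix. The reply's URL encodes `'` as `%27` and `=` as `%3D`, so the decoded `id` value has the shape `5' OR '1' = '1` (the `%2B` sequences decode to literal `+` characters; spaces are assumed here, since that is the intent). The example runs offline against an in-memory SQLite database through PDO rather than the mysql_* extension the posts use (that extension was removed in PHP 7); the table, column names and sample rows are constructed for the example. It also shows a whole-number validation step, which is the check to add for an integer key regardless of escaping: mysql_real_escape_string only prevents breaking out of a quoted literal, so it does nothing if the value is ever used unquoted as `WHERE id = $id`.

```php
<?php
// Added example, not code from the original thread. Runs offline against an
// in-memory SQLite database through PDO; the posts use mysql_* (removed in PHP 7).
// Table name, column names and sample rows are constructed for this example.

function makeDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE student (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $pdo->exec("INSERT INTO student (id, name) VALUES (5, 'alice'), (200, 'bob'), (201, 'carol')");
    return $pdo;
}

// The pattern from the first post: the request value is spliced into the SQL text,
// so quote characters in it change the structure of the query.
function searchUnsafe(PDO $pdo, string $id): array
{
    $query = "SELECT * FROM student WHERE id = '{$id}'";
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Fix: the value is bound as a parameter, so it is only ever compared against the
// column, never parsed as SQL.
function searchSafe(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT * FROM student WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Extra check for an integer key: reject anything that is not a positive integer
// before a query is even built. Unlike escaping, this also covers an unquoted
// "WHERE id = $id".
function studentId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

$pdo = makeDb();

// Legitimate request from the first post: ?id=200
printf("?id=200, interpolated:        %d row(s)\n", count(searchUnsafe($pdo, '200')));
printf("?id=200, prepared statement:  %d row(s)\n", count(searchSafe($pdo, '200')));

// The reply's URL value once decoded (spaces assumed for the %2B sequences):
//   5%27%2BOR%2B%271%27+%3D+%271  ->  5' OR '1' = '1
$payload = "5' OR '1' = '1";
printf("Interpolated SQL becomes: SELECT * FROM student WHERE id = '%s'\n", $payload);
printf("payload, interpolated:        %d row(s)\n", count(searchUnsafe($pdo, $payload)));
printf("payload, prepared statement:  %d row(s)\n", count(searchSafe($pdo, $payload)));

// The validation step rejects the payload outright and accepts the real id.
var_dump(studentId($payload));
var_dump(studentId('200'));
```

With the payload, the interpolated query turns into `WHERE id = '5' OR '1' = '1'`, a condition that is true for every row, so the whole `student` table comes back; the prepared statement compares the column against the literal string and matches nothing, and `studentId()` returns `NULL` for it while returning `200` for the genuine request. The same two functions answer the POST-versus-GET question only indirectly: the transport does not matter for injection, because `$_POST['id']` spliced into a query is exactly as dangerous as `$_GET['id']`.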
This topic is now archived and is closed to further replies.