jaykappy Posted July 11, 2013

Very perplexed here...hopefully someone can shed some light on this.

I have a page with a search text box on it...I want the user to enter some text and then click the search button and return records.

I started with this....

1. on the Main Page I can echo the value passed in the URL
2. I pass that value to the php page and do a very simple return..I can display that same value as in number 1 above.

    $searchvalue = $_GET['ItemValue'];
    echo $searchvalue;
    $searchs = get_results($searchvalue);
    echo ' Returning '.$searchs;

    Function get_results($searchvalue){
        $searchs = trim($searchvalue);
        return $searchs;
    }

I am now trying to use that value in a query to SELECT records...BUT I am not returning any

    $searchs = get_results($searchvalue);

    Function get_results($searchvalue){
        $searchvalue = mysql_real_escape_string(htmlentities($searchvalue));
        $searchs = array();
        $search_query = mysql_query("SELECT `image_id`, `album_id`, `timestamp`, `ext`, `description`, `name` FROM `images` WHERE `description`=$searchvalue ORDER BY `description`");
        While ($searchs_row = mysql_fetch_assoc($search_query)){
            $searchs[] = array(
                'id' => $searchs_row['image_id'],
                'album' => $searchs_row['album_id'],
                'timestamp' => $searchs_row['timestamp'],
                'ext' => $searchs_row['ext'],
                'desc' => $searchs_row['description'],
                'imagename' => $searchs_row['name']
            );
        }
        return $searchs;
    }

Back in the main page...I always get 'There are no images' when I check for empty

    <?php
    if (empty($searchs)){
        echo 'There are no images';
    }else{
        foreach ($searchs as $search){
            //echo 'hi';
    ?>

FURTHER MORE: If I hard code the above SELECT statement as such it works FINE....

    $search_query = mysql_query("SELECT `image_id`, `album_id`, `timestamp`, `ext`, `description`, `name` FROM `images` WHERE `description`='HICKORY_RIDGE_TOWNHOME' ORDER BY `description`");

is the syntax incorrect in the SELECT STATEMENT????

Thanks

requinix Posted July 11, 2013

> is the syntax incorrect in the SELECT STATEMENT????

It's missing quotes around the search value.

jaykappy Posted July 11, 2013

Alright that seems to be working but only for straight forward values in the description field...

But I also have values like:

example: Hiller Addition Street & Utility (with 84-07)

Think it's breaking cause of the & and the ()

How can I remedy that?

AbraCadaver Posted July 11, 2013

Well, unless you htmlentities() when you inserted the data, you don't want to do it in the select query. Also, are you looking for exact matches to $searchvalue, or is this a search for similar values?

jaykappy Posted July 11, 2013

I did this and it seems to be working....I wanted a LIKE anyways

    $search_query = mysql_query("SELECT `image_id`, `album_id`, `timestamp`, `ext`, `description`, `name` FROM `images` WHERE `description` LIKE '%$searchvalue%' ORDER BY `description`");

jaykappy Posted July 11, 2013

This is what I am doing when uploading the images to my web server...

How would I add html-entities

    Function upload_image($image_temp, $image_ext, $album_id, $image_desc, $imagename){
        $album_id = (int)$album_id;
        mysql_query("INSERT INTO images (user_id, album_id, timestamp, ext, description, name) VALUES ('".$_SESSION['user_id']."', '$album_id', UNIX_TIMESTAMP(), '$image_ext', '$image_desc', '$imagename')");
        $image_id = mysql_insert_id();
        $image_file = $image_id.'.'.$image_ext;
        move_uploaded_file($image_temp, 'uploads/'.$album_id.'/'.$image_file);
    }

AbraCadaver Posted July 11, 2013

I wouldn't. I only asked because you are doing it in your select query. Remove it from your code.

If you have this in the db:

    Hiller Addition Street & Utility (with 84-07)

Your current select query is looking for:

    Hiller Addition Street &amp; Utility (with 84-07)

jaykappy Posted July 11, 2013

Thank you for your timely responses...and your help of course...

Cheers....

Just confused when I want to use htmlentities to block SQL injections etc...still learning here.

Edited July 11, 2013 by jaykappy

AbraCadaver Posted July 11, 2013

htmlentities() is used when you display data and don't want it treated as HTML. mysql_real_escape_string() will help with SQL injections.

jaykappy Posted July 12, 2013

So I assume that this should suffice right? Thanks again for your help... sort of sanitizing the string?

    $searchvalue = mysql_real_escape_string(trim($searchvalue));
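
The split discussed in this thread (escape for SQL when querying, HTML-encode only when displaying), as an added example that is not code from any poster here. It binds the search term through a PDO prepared statement instead of calling mysql_real_escape_string(), since the mysql_* extension was removed in PHP 7, and it goes one step beyond the thread by also escaping LIKE wildcards. Assumptions: an in-memory SQLite table stands in for the MySQL `images` table, `like_escape()` is a hypothetical helper, and `!` is an arbitrary choice of escape character.

```php
<?php
// Added example, not the poster's code. An in-memory SQLite database stands in
// for the thread's MySQL `images` table (assumption) so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE images (image_id INTEGER PRIMARY KEY, description TEXT)');

// Constructed sample rows, stored raw: no htmlentities() on the way in.
$insert = $pdo->prepare('INSERT INTO images (description) VALUES (?)');
foreach (['Hiller Addition Street & Utility (with 84-07)',
          'HICKORY_RIDGE_TOWNHOME',
          "O'Brien 100% Survey"] as $desc) {
    $insert->execute([$desc]);
}

// Hypothetical helper: escape LIKE wildcards so typed % and _ match literally.
function like_escape(string $term): string
{
    return strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']);
}

// Substring search with the value bound as a parameter, never spliced into SQL.
function get_results(PDO $pdo, string $searchvalue): array
{
    $stmt = $pdo->prepare(
        "SELECT image_id, description FROM images
         WHERE description LIKE :term ESCAPE '!' ORDER BY description"
    );
    $stmt->execute([':term' => '%' . like_escape(trim($searchvalue)) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: '&', a quote, a literal '%', and an entity-encoded term.
$raw = 'Street & Utility';
foreach ([$raw, "O'Brien", '100%', htmlentities($raw)] as $input) {
    $rows = get_results($pdo, $input);
    // HTML-encode only at output time, for both the echoed input and the rows.
    echo htmlspecialchars($input, ENT_QUOTES, 'UTF-8'), ' => ', count($rows), " row(s)\n";
    foreach ($rows as $row) {
        echo '  ', htmlspecialchars($row['description'], ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

The first three inputs each match one row; the entity-encoded term matches none, because the table holds `&` rather than `&amp;`.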