Dian Posted March 8, 2015

help me, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''%jateng%' WHERE (`kabupaten` LIKE '%demak%') OR (`kecamatan` LIKE ' at line 1"

<?php
$query = $_GET['query'];
$select = $_GET['select']; // gets value sent over search form
$min_length = 3; // you can set minimum length of the query if you want

if(strlen($query) >= $min_length){ // if query length is more or equal minimum length then
    $query = htmlspecialchars($query); // changes characters used in html to their equivalents, for example: < to &lt;
    $query = mysql_real_escape_string($query); // makes sure nobody uses SQL injection

    // NOTE: the quoted, %-wrapped table name below is the line the error message points at
    $raw_results = mysql_query("SELECT * FROM '%".$select."%' WHERE (`kabupaten` LIKE '%".$query."%') OR (`kecamatan` LIKE '%".$query."%')") or die(mysql_error());
    // * means that it selects all fields, you can also write: `id`, `title`, `text`
    // articles is the name of our table
    // '%$query%' is what we're looking for, % means anything, for example if $query is Hello
    // it will match "hello", "Hello man", "gogohello", if you want exact match use `title`='$query'
    // or if you want to match just full word so "gogohello" is out use '% $query %' ...OR ... '$query %' ... OR ... '% $query'

    if(mysql_num_rows($raw_results) > 0){ // if one or more rows are returned do following
        while($results = mysql_fetch_array($raw_results)){
            // $results = mysql_fetch_array($raw_results) puts data from database into array, while it's valid it does the loop
            echo "<tr><td>".$results['provinsi']."</td>"
                ."<td>".$results['kabupaten']."</td>"
                ."<td>".$results['kecamatan']."</td>"
                ."<td>".$results['desa']."</td>"
                ."<td>".$results['kodepos']."</td></tr>"; // closing </td> was missing for the last cell
            // posts results gotten from database(title and text) you can also show id ($results['id'])
        }
    }
    else{ // if there is no matching rows do following
        echo "No results";
    }
}
else{ // if query length is less than minimum
    echo "Minimum length is ".$min_length;
}
?>

Source: https://forums.phpfreaks.com/topic/295183-search-box-with-select-options/
fastsol Posted March 9, 2015

This: '%".$select."%' should be this: `".$select."`. But you also need to use mysql_real_escape_string on the $_GET['select'] too. Plus you should really start converting this to PDO instead; mysql functions are highly outdated and will be removed in upcoming PHP versions.
mac_gyver Posted March 9, 2015

If you are dynamically supplying the table name from user input, you must validate that it is exactly and only a permitted table name. No amount of escaping the table name, as though it is a piece of string data (it's not), will prevent SQL injection in it, since it's not in the query in between single-quotes that you are trying to prevent it from escaping out of. Supplying a dynamic table name also implies that you have created a bunch of different tables, one for each different $select value, whereas you should have one table with a column that holds the $select value.
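As an added example (not code from the thread or from any poster), here is the same search rewritten along the lines of fastsol's and mac_gyver's replies: the table name is checked against a fixed allow-list because an identifier cannot be bound as a parameter, the LIKE pattern is bound through a PDO prepared statement, and HTML escaping moves to output. The table list, DSN and credentials are assumptions; column names are the ones from the original post.

```php
<?php
// Assumption: one table per province, as the original post implies. mac_gyver's
// preferred design (one table with a province column) would remove the need
// for a dynamic identifier entirely.
$allowedTables = ['jateng', 'jatim', 'jabar'];

$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

function searchRegion(PDO $pdo, array $allowedTables, string $select, string $query): array
{
    $minLength = 3;
    if (strlen($query) < $minLength) {
        throw new InvalidArgumentException("Minimum length is $minLength");
    }
    // Identifiers cannot be parameterised: the only defence is an exact match
    // (strict comparison) against the list of permitted table names.
    if (!in_array($select, $allowedTables, true)) {
        throw new InvalidArgumentException('Unknown table');
    }
    // Escape LIKE metacharacters so a user-supplied "%" or "_" matches literally
    // (MySQL's default ESCAPE character is the backslash), then bind the pattern as data.
    $pattern = '%' . addcslashes($query, '%_\\') . '%';
    // Native prepares do not allow reusing one named placeholder, hence two names.
    $sql = "SELECT `provinsi`, `kabupaten`, `kecamatan`, `desa`, `kodepos`
            FROM `{$select}`
            WHERE `kabupaten` LIKE :p1 OR `kecamatan` LIKE :p2";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':p1' => $pattern, ':p2' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$rows = searchRegion($pdo, $allowedTables, $_GET['select'] ?? '', $_GET['query'] ?? '');
if ($rows === []) {
    echo 'No results';
}
foreach ($rows as $row) {
    echo '<tr>';
    foreach (['provinsi', 'kabupaten', 'kecamatan', 'desa', 'kodepos'] as $col) {
        // Escape for HTML on the way out, not before it reaches the database.
        echo '<td>' . htmlspecialchars((string) $row[$col], ENT_QUOTES, 'UTF-8') . '</td>';
    }
    echo '</tr>';
}
```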