0

Possible Duplicate:
How to prevent SQL injection in PHP?

why isn't my search query not working if i run the query below on my search bar its returning no results, i have a table categories and from it i jut want to select the category_title and category_description then display it as my result,i have a technology category and its description but when i run the query below is showing that there are no results

<?php
$k     = $_GET['k'];
$terms = explode(" ", $k);
echo $terms;

foreach ($terms as $each) {
    $i = "";
    $i++;
    $query = "";
    if ($i == 1)

        $query .= "keywords like '%$each%'";
    else
        $query .= "OR keywords like '%$each%'";
}

$connect = mysql_connect("localhost", "root", "limo");
if (!$connect) {
    die(mysql_error());
}
//Selecting database
$select_db = mysql_select_db("forumShh", $connect);
if (!$select_db) {
    die(mysql_error());
}
$query   = mysql_query($query);
$numrows = mysql_num_rows($query);

if ($numrows > 0) {
    while ($row = mysql_fetch_assoc($query)) {
        $id          = $row['id'];
        $title       = $row['category_title'];
        $description = $row['category_description'];
        echo "<a href='view_category.php?cid=" . $id . "' class='cat_links'>" . $title . " - <font size='-1'>" . $description . "</font></a>";
    }

} else
    echo "No results found for \"<b>$k</b>\"";
?>
Community
  • 1
  • 1
theuserkaps
  • 300
  • 2
  • 6
  • 15
  • Are your `title` and `description` declared as `varchar` or `text`? Do you have `fulltext` keys declared for them? – Mihai Stancu Dec 27 '12 at 23:39
  • I think that this question has no any duplicate, It is not asking about injection, it is just meant by the results don't be returned! – SaidbakR Dec 27 '12 at 23:40
  • While @hakre means well, the "possible duplicate" is more confusing than it is clear. This is not a question asking about how to avoid injection, this is a question about why the code not works that suffers from severy security risks, and is specifically vulnerable SQL Injection attacks. Reporting it as a duplicate will only confuse the users though. – Konerak Dec 27 '12 at 23:53
  • The code is technically not working. It is more than easy to imagine input value that break it immediately. Therefore asking why it does not work should be most straight forward answered with a suggestion to close as ***not constructive*** - because obviously it does not work. Suggesting the duplicate however is a little more helpful as providing a quick reference to outline the general problem. Even while the suggested duplicate is not an *identical* question. – hakre Dec 27 '12 at 23:55
  • @hakre that's a very contorted approach. – Mihai Stancu Dec 28 '12 at 12:06

1 Answers1

0

If your table structure contains a title and a description then why are you using the LIKE operator on a column named keywords?

You should have a final SQL query looking like this:

SELECT    *
    FROM  categories
    WHERE (`title` LIKE '%$keyword_1%' OR `description` LIKE '%$keyword_1%')
    OR    (`title` LIKE '%$keyword_2%' OR `description` LIKE '%$keyword_2%')
    OR    (`title` LIKE '%$keyword_3%' OR `description` LIKE '%$keyword_3%');

Yours will probably look like this:

SELECT    *
    FROM  categories
    WHERE `keywords` LIKE '%$keyword_1%'
    OR    `keywords` LIKE '%$keyword_2%'
    OR    `keywords` LIKE '%$keyword_3%';

And if there's no column named keywords in your table, the query will fail with an error.

Mihai Stancu
  • 15,848
  • 2
  • 33
  • 51
  • You really shouldn't answer a question like that without warning about SQL injection... – Konerak Dec 27 '12 at 23:51
  • Should look into PDO for your DB connections as many of the escapes and such are handled internally through the PDO Object. – Cameeob2003 Dec 28 '12 at 00:56
  • I make remarks about SQL injection vulnerabilities in my comments - unless others have already done so. In the answer I try to maintain the user's approach because it is easier for him to understand/relate to and it helps him with his problem by allowing him to test right away. – Mihai Stancu Dec 28 '12 at 12:05