0

So I came across this issue after I transfered all my files to the server.

PROBLEM: So I have 10 items on my main page. 3 of them in description contains word "chair". When I am trying to search, lets say "chair" on my localhost, browser outputs 3 items out of 10 as it should be. But when I do the same on hosted server it outputs all 10 items but first listed with word "chair".

CODE OF search.php:

 $query = $_GET['query']; 
 $min_length = 3;
 $max_length = 300;


 if(strlen($query) >= $min_length)
    { 
    $query = htmlspecialchars($query); 
    $query = mysql_real_escape_string($query);  
    $result = mysqli_query($connecDB,"SELECT * FROM items WHERE title LIKE '%".$query."%' OR description LIKE '%".$query."%'");
    if(mysqli_num_rows($result) > 0)
     {
        $success = "Results for: $query"; 
        while($row = mysqli_fetch_array($result))
    {

                if (strlen($row['description']) > $max_length)
                {
                    $offset = ($max_length - 3) - strlen($row['description']);
                    $s = substr($row['description'], 0, strrpos($row['description'], ' ', $offset)) . '...';
                } else {
                    $s = $row['description'];
                }        

            $output = '
                <div class="box">
                <a href="items/'.$row['id'].'" class="items">
                <img src="uploads/thumbs/'.$row['cat_name'].'/'.$row['id'].'/'.$row['image_id'].'.'.$row['item_ext'].'" width="230" height="320">
                 <div class="art_frame_description">
                      <h3>'.$row['title'].'</h3>
                      <h2>'.$s.'</h2>
                     <h4>£'.$row['price'].'</h4>
                    </div>
                </a>
                </div>
                    ';
            echo($output);
        }

    }
    else{ 
        $message = "Nothing found for '".$query."'"; 
    }   
}
else{ 
    $message =  "Your searched word '".$query."' must be longer than ".$min_length. " characters";
}

Does anyone can spot what causes this problem?

EDITED: All sorted, this topic can be closed. Problem was caused by "$query = mysql_real_escape_string($query);" code.

AlwaysConfused
  • 729
  • 2
  • 12
  • 37
  • Maybe the database has different data? Try `SELECT COUNT(*) FROM items;` on both client and server. – Cully May 22 '14 at 22:55
  • Also, consider using data binding instead of just putting your search query directly into your SQL. At this point, you're vulnerable to SQL injection. – Cully May 22 '14 at 22:56
  • No,db has nothing to do with it as i exported from localhost phpmyadmin and imported into server..All data as it is..Its just an output which causes a problem, as all 10 items are displayed in the main page. – AlwaysConfused May 22 '14 at 23:00
  • Well thats why i used "mysql_real_escape_string" and "htmlspecialchars" – AlwaysConfused May 22 '14 at 23:01
  • `mysql_real_escape_string` does not protect against SQL injection, and is therefor deprecated. C.f. http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string – Cully May 22 '14 at 23:07
  • Use MySQLi or PDO. MySQLi is as similar to the classic MySQL as possible. You should understand it. – transilvlad May 22 '14 at 23:11
  • Have you tried running your search queries manually, and seeing what comes up? – Cully May 22 '14 at 23:11
  • @tntu He is using mysqli – Cully May 22 '14 at 23:12
  • Oh. I just saw the mysql_real_escape string. – transilvlad May 22 '14 at 23:13
  • I am using Mysqli, but i had to chose "mysql_real_escape_string" because otherwise code was not working. @Cully Well, I had no idea that you can bypass with injection when you use mysql_real_escape_string. Anyway, security I will consider after I will finish functionality of my website. – AlwaysConfused May 22 '14 at 23:19
  • @Cully, I didnt try to search manually because it makes no sense as it perfeclty works on localhost – AlwaysConfused May 22 '14 at 23:21
  • @StuckBetweenTrees Part of debugging is getting rid of as many pieces as you can, trying to isolate the issue. Running the queries manually would be a good place to start, because if you get the same results, you know the issue is somewhere else. If you get different results, you know it's a database or query issue. – Cully May 22 '14 at 23:25
  • 1
    Also, don't use `htmlspecialchars` on your `$query` variable, before putting it into your SQL. `htmlspecialchars` is used for escaping something that may contain HTML, that you don't want output as HTML. The only reason you'd use it in your SQL is if your `title` or `description` had already escaped HTML in it, and you expect your search queries to also ahve HTML in them. – Cully May 22 '14 at 23:28
  • 1
    You might also try running this on both servers: `echo "
    SELECT * FROM items WHERE title LIKE '%".$query."%' OR description LIKE '%".$query."%'
    ";` Just to make sure the query is exactly the same on both servers.     – Cully May 22 '14 at 23:31
  • Basically try to think of any part of the program that could be going wrong, isolate that part, and make sure that exactly what you want is there. – Cully May 22 '14 at 23:32
  • Thanks for your support, Cully Larson, I will try to do that just right now – AlwaysConfused May 22 '14 at 23:38
  • Well,believet or not but the problem was in "$query = mysql_real_escape_string($query);".. Amazing.. I just echoed what selected db outputs after execution doing "echo $row", on localhost there was 3 arrays and on server 10, as soon as I remover "$query = mysql_real_escape_string($query);" on server appeared 3 arrays.. – AlwaysConfused May 22 '14 at 23:45
  • Did you also remove `htmlspecialchars`? I was suspicious that that may have been the issue. Anyway, make sure to use data binding :) – Cully May 23 '14 at 00:09
  • Yes I did, I will do my best to make it secure before I launch it for public. Thanks again for the help! – AlwaysConfused May 23 '14 at 00:26

0 Answers0