-4

Hello, when I search for a product by the keywords that I inserted in MySQL, all the products appear. Please help me. This is the code of the search; I corrected it as suggested in the comments, but it is still not working.

This is my whole results page

<!DOCTYPE html>
<?php
include ("functions/functions.php");
?>
<html>
<head>
<title>eRiviera</title>
<meta charset='utf-8'>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="styles/style.css" media="all"/>
<script src="http://code.jquery.com/jquery-latest.min.js" type="text/javascript"></script>
<script src="js/menubarscript.js"></script>
</head>
<body>
<div class="main_wrapper">
<ul class="btn-circles">
  <li><a href="#" class="round green">Login<span class="round">That is, if you already have an account.</span></a></li>
  <li><a href="#" class="round red">Sign Up<span class="round">But only if you really, really want to.</span></a></li>
</ul> 
        
<!--Header starts here-->
     <div class="header_wrapper">
  <!--Logo-->
 <img id="logo" src="http://localhost/ecommerce/images/logo.png" width="500px"  height="300px" alt="Logo" />
 <!--Logo-->
 </div>
<!--Header ends here-->


<!--Menu bar starts here-->
<div id='cssmenu'>
<ul>
   <li class='active'><a href='index.php'>Home</a></li>
   <li><a  href='#'>Products</a></li>
   <li><a  href='#'>About</a></li>
   <li><a  href='#'>Contact</a></li>
   <p style="float:right; margin-right:140px; margin-top:21px; color:red;">Welcome Guest!</p>
  <li><a id="shopping_cart" style="margin:14px 0 0 0;left:750px; color:blue; font-size:12px;" href="cart.php">Shopping Cart</a></li> 
 </ul>
   </div>

<form class="form-wrapper cf">
        <input type="text" name="user_query" placeholder="Search here..." required>
  <form method="get" action="results.php" enctype="multipart/form-data">
        <button type="submit" name="search" value="Search">Search</button>
    </form>   
<ul id="cats">
<?php getCats(); ?>
</ul>

 <!--Menu bar ends here-->
 
 <!--Content wrapper starts here-->
 <div class="content_wrapper">
 <div id="content_area">
 <div id="products_box">
 <?php
   if(isset($_GET['search'])) {

        $search_query = $_GET['user_query'];
        $get_pro = "select * from products where product_keywords like '%$search_query%'";

        $run_pro = mysqli_query($con, $get_pro);

        while($row_pro = mysqli_fetch_array($run_pro)) {

            $pro_id = $row_pro['product_id'];    
            $pro_cat = $row_pro['product_cat'];    
            $pro_brand = $row_pro['product_brand'];    
            $pro_title = $row_pro ['product_title'] ;    
            $pro_price = $row_pro['product_price'];    
            $pro_image = $row_pro['product_image'];

            echo "
              <div id='single_product'>    
                <h3 id='product_title'>$pro_title</h3>    
                  <img src='admin_area/product_images/$pro_image' width='180' height='200' />   
                  <p><b> $ $pro_price </b></p>   
                  <a id='details-button' href='details.php?pro_id=$pro_id'>Details</a>   
                  <a href='index.php?pro_id=$pro_id'><button class='button'>Add to Cart</button></a>   
              </div>
            ";

        }

    }

?>
 </div>
 </div>
 </div>
 <!--Content wrapper ends here-->
 
 
    <div id="footer">
 <h5 style="text-align:center; padding-top:30px;">&copy;2014 eRiviera All Rights Reserved</h5>
 </div>
<!--Main wrapper ends here-->


</body>
</html>

1 Answer

0

Your form is not properly structured - the "user_query" field is outside of the form so $_GET['user_query'] would never be set. Try changing this:

<form class="form-wrapper cf">
    <input type="text" name="user_query" placeholder="Search here..." required>
  <form method="get" action="results.php" enctype="multipart/form-data">
    <button type="submit" name="search" value="Search">Search</button>
</form> 

To something like this:

<div class="form-wrapper cf">
    <form method="get" action="results.php" enctype="multipart/form-data">
        <input type="text" name="user_query" placeholder="Search here..." required>
        <button type="submit" name="search" value="Search">Search</button>
    </form> 
</div>

Also, as several others have noted, this is susceptible to SQL injection. This post discusses a scenario very similar to yours: How can I prevent SQL injection in PHP?

I strongly suggest you run your generated code through a validation service in order to catch errors in your html. Be sure to use the generated html (copy from "view source" in browser), not just the code from your php file because the validator won't understand the PHP. The WWW Consortium has a good tool: http://validator.w3.org/#validate_by_input

Community
CragMonkey
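
Added example (not part of the original answer or the asker's code): the search query from the question rewritten as a mysqli prepared statement, with LIKE wildcards escaped, an empty search term rejected, and the output HTML-escaped. It assumes $con is the mysqli connection created in functions/functions.php; like_escape, search_products and h are hypothetical helper names.

```php
<?php
// Added example, not the asker's or answerer's code. Assumes $con is the
// mysqli connection created in functions/functions.php, as on the page.

/** Escape LIKE wildcards so user input is matched literally. */
function like_escape(string $term): string
{
    // '!' is the escape character named in the ESCAPE clause below;
    // it is doubled first so the later replacements are not re-escaped.
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
}

/** Return products whose keywords contain $term, as associative rows. */
function search_products(mysqli $con, string $term): array
{
    $term = trim($term);
    if ($term === '') {
        return []; // an empty term would build '%%', which matches every row
    }
    $sql = "SELECT product_id, product_title, product_price, product_image
            FROM products
            WHERE product_keywords LIKE ? ESCAPE '!'";
    $stmt = $con->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed');
    }
    $pattern = '%' . like_escape($term) . '%';
    $stmt->bind_param('s', $pattern); // value travels separately from the SQL text
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs mysqlnd
    $stmt->close();
    return $rows;
}

/** HTML-escape a value for element content or a quoted attribute. */
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

if (isset($_GET['search'], $_GET['user_query']) && is_string($_GET['user_query'])) {
    foreach (search_products($con, $_GET['user_query']) as $row) {
        $id = (int) $row['product_id']; // numeric id, safe to interpolate
        echo "<div class='single_product'><h3>", h($row['product_title']), "</h3>",
             "<img src='admin_area/product_images/", h(rawurlencode($row['product_image'])),
             "' width='180' height='200' />",
             "<p><b>$ ", h($row['product_price']), "</b></p>",
             "<a href='details.php?pro_id=$id'>Details</a></div>";
    }
}
```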