0

Hello when i am searching a product from its keywords that i inserted in MYSQL all the products are appearing in the result, please help me this is the code of the search

if(isset($_GET['search'])) {

    $search_query = $_GET['user_query'];
    $get_pro = "select * from products where product_keywords like '%$search_query%'";

    $run_pro = mysqli_query($con, $get_pro);

    while($row_pro = mysqli_fetch_array($run_pro)) {

        $pro_id = $row_pro['product_id'];    
        $pro_cat = $row_pro['product_cat'];    
        $pro_brand = $row_pro['product_brand'];    
        $pro_title = $row_pro ['product_title'] ;    
        $pro_price = $row_pro['product_price'];    
        $pro_image = $row_pro['product_image'];

        echo "
          <div id='single_product'>    
            <h3 id='product_title'>$pro_title</h3>    
              <img src='admin_area/product_images/$pro_image' width='180' height='200' />   
              <p><b> $ $pro_price <b></p>   
              <a id='details-button' href='details.php?pro_id=$pro_id'>Details</a>   
              <a href='index.php?pro_id=$pro_id'><button class='button'>Add to Cart</button></a>   
          </div>
        "; 
    }
 }
Rizier123
  • 58,877
  • 16
  • 101
  • 156
Antonio Chelala
  • 23
  • 5
  • 1
    Btw you have there vulnerability to SQL injection, better prevent it with `$search_query = mysqli_real_escape_string($search_query);` – Tomáš Blatný Dec 13 '14 at 16:08
  • Have you verified that `$_GET['user_query']` is not an empty string, which would result in `where product_keywords like '%%'`, which would result in all rows matching. It could be simply `if(isset($_GET['search']) && trim($_GET['user_query']) != '') {` – Sean Dec 13 '14 at 16:10
  • Don't think the problem is in this code snippet. The other version of this post (["Search is showing all the products"](http://stackoverflow.com/questions/27458804/search-is-showing-all-the-products)) shows your html with the form improperly structured. – CragMonkey Dec 13 '14 at 16:37

0 Answers0