
Can anybody please convert my PHP + MySQL search script below to PHP + MySQLi or PHP + PDO statements? I don't know how to do this. Please help me. Thanks in advance.

My form script is:

<html>
<head>
<title>search engine</title>
</head>
<body>
<form action = 'ss.php' method ='GET'>
<input type = "text"  name = "q">
<input type = "submit" name = "submit" value = "search">
</form>
</body>
</html>

And my search engine script is:

<?php 
$k = $_GET["q"];
$con = mysql_connect("localhost", "root", "");
mysql_select_db("x");
$terms=explode(" ",$k);
$i=0;
$set_limit = ("9");
$subi = "";
foreach ($terms as $each) {
    $i++;

    if ($i == 1)
        $subi .= " title LIKE '%$each%' ";
    else
        $subi .= " AND title LIKE '%$each%' ";
}
$query = "select SQL_CALC_FOUND_ROWS * from table WHERE $subi order by   rand() limit $set_limit";

$qry = mysql_query("$query");

$row_object = mysql_query("Select Found_Rows() as rowcount");
$row_object = mysql_fetch_object($row_object);
$actual_row_count = $row_object->rowcount;
$result = $actual_row_count;
?>

Displaying results:

<?php
if ($result>0)
{
    while ($row = mysql_fetch_array($qry)){
$title=$row['title']; 
$href=$row['href'];
$img=$row['img'];
echo "<div class=\"col-sm-4\"><div class=\"product-image-wrapper\"><div class=\"single-products\"><div class=\"productinfo text-center\"><img src=\"$img\" alt=\"$title\"><h5>$title</h5><a href=\"$href\" target=\"_blank\">$title</a></div></div></div></div>\n";
}  
}
else
{
    echo "Sorry No Items Found For " .$k;
}   
?>
Subi

1 Answer


First of all, avoid using the mysql_* functions; they are deprecated.
Your code is vulnerable to SQL injection. Let's say I am a user and I put %';# in the input; then your query will return all results to me regardless of what conditions you have applied to filter the results.

To avoid SQL injection you should either sanitize all user inputs using mysqli_real_escape_string before putting them in your query, or use PDO prepared statements.

UPDATE

$k = $_GET["q"];
$con = mysql_connect("localhost", "root", "");
mysql_select_db("x");
$terms=explode(" ",$k);
$i=0;
$set_limit = ("9");
$subi = "";
foreach ($terms as $each) {
    $i++;
    $escapedSearchString = mysql_real_escape_string($each);
    if ($i == 1)
        $subi .= " title LIKE '%$escapedSearchString%' ";
    else
        $subi .= " AND title LIKE '%$escapedSearchString%' ";
}
$query = "select SQL_CALC_FOUND_ROWS * from table WHERE $subi order by   rand() limit $set_limit";

$qry = mysql_query("$query");

$row_object = mysql_query("Select Found_Rows() as rowcount");
$row_object = mysql_fetch_object($row_object);
$actual_row_count = $row_object->rowcount;
$result = $actual_row_count;

Using mysqli_*

$k = $_GET["q"];
$con = mysqli_connect("localhost", "root", "");
mysqli_select_db($con,"x");
$terms=explode(" ",$k);
$i=0;
$set_limit = ("9");
$subi = "";
foreach ($terms as $each) {
    $i++;
    $escapedSearchString = mysqli_real_escape_string($con, $each);
    if ($i == 1)
        $subi .= " title LIKE '%$escapedSearchString%' ";
    else
        $subi .= " AND title LIKE '%$escapedSearchString%' ";
}
$query = "select SQL_CALC_FOUND_ROWS * from table WHERE $subi order by   rand() limit $set_limit";

$qry = mysqli_query($con,"$query");

$row_object = mysqli_query($con,"Select Found_Rows() as rowcount");
$row_object = mysqli_fetch_object($row_object);
$actual_row_count = $row_object->rowcount;
$result = $actual_row_count;
Raja
  • Now my code is really safe? Oh my god... thank you, sir... – Subi Jul 10 '15 at 04:31
  • @Subi, yes, at least from SQL injection. SQL injection can no longer be a threat if you sanitize all user inputs. A better approach would be using `PDO Prepared Statement` – Raja Jul 10 '15 at 04:34
  • Sir, I'm a mechanical engineer, so I don't have much programming language knowledge... that's why I'm asking very silly questions... sorry sir... anyway, thank you so much, sir... – Subi Jul 10 '15 at 04:36
  • Also, you should not edit your original question; instead, update it with additional queries – Raja Jul 10 '15 at 04:38
  • It shows an error while displaying results at this line: while ($row = mysql_fetch_array($qry)){ – Subi Jul 10 '15 at 09:35
  • mysql_fetch_array won't work if you are using mysqli_*; change all your mysql_* to mysqli_* like it is done in the above code snippet – Raja Jul 10 '15 at 10:02
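The PDO prepared-statement version that the answer recommends, added here as an example (it is not code from the question or the answer). It assumes the connection details from the question, a table named products (the original's placeholder name "table" is a reserved word in MySQL) with columns title, href and img, and PHP 7 or later.

```php
<?php
// Added example, not the asker's or answerer's code: the same multi-term
// title search with PDO prepared statements. Assumes database "x" and a
// table named "products" with columns title, href and img.
$k = $_GET['q'] ?? '';
$setLimit = 9;
$pdo = new PDO('mysql:host=localhost;dbname=x;charset=utf8mb4', 'root', '', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);
// Split on runs of whitespace and drop empty terms: explode(" ", ...) keeps
// them, and an empty term becomes LIKE '%%', which matches every row.
$terms = preg_split('/\s+/', trim($k), -1, PREG_SPLIT_NO_EMPTY);
$conditions = [];
$params     = [];
foreach ($terms as $each) {
    $conditions[] = 'title LIKE ?';
    // Escape LIKE wildcards so a typed % or _ is searched for literally
    // instead of widening the match; the value itself is sent as a bound
    // parameter and is never spliced into the SQL text.
    $params[] = '%' . addcslashes($each, '%_\\') . '%';
}
$where = $conditions ? 'WHERE ' . implode(' AND ', $conditions) : '';
// Total matches via a separate COUNT query instead of SQL_CALC_FOUND_ROWS.
$count = $pdo->prepare("SELECT COUNT(*) FROM products $where");
$count->execute($params);
$result = (int) $count->fetchColumn();
// LIMIT must be bound as an integer; a string-bound value is rejected.
$stmt = $pdo->prepare("SELECT title, href, img FROM products $where ORDER BY RAND() LIMIT ?");
foreach ($params as $i => $value) {
    $stmt->bindValue($i + 1, $value, PDO::PARAM_STR);
}
$stmt->bindValue(count($params) + 1, $setLimit, PDO::PARAM_INT);
$stmt->execute();

if ($result > 0) {
    while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
        // Encode on output so stored markup in the columns is shown, not run.
        $title = htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
        $href  = htmlspecialchars($row['href'],  ENT_QUOTES, 'UTF-8');
        $img   = htmlspecialchars($row['img'],   ENT_QUOTES, 'UTF-8');
        echo "<div class=\"col-sm-4\"><img src=\"$img\" alt=\"$title\"><h5>$title</h5>"
           . "<a href=\"$href\" target=\"_blank\">$title</a></div>\n";
    }
} else {
    echo 'Sorry No Items Found For ' . htmlspecialchars($k, ENT_QUOTES, 'UTF-8');
}
```

Because every term travels as a bound parameter, the %';# input from the answer is matched as literal text rather than changing the WHERE clause.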