Highlight search keyword in PHP does not highlight correctly

Question

I am trying to highlight my search result in PHP search but it highlights undesiraby

I use the code below

//connection to db
define('DB_HOST', 'localhost');
define('DB_NAME', 'dbname');
define('DB_USERNAME','root');
define('DB_PASSWORD','');

$con = mysqli_connect(DB_HOST, DB_USERNAME, DB_PASSWORD, DB_NAME);
if( mysqli_connect_error()) echo "Failed to connect to MySQL: " . mysqli_connect_error();


//get search term
$searchTerm = $_GET['term'];

$result = mysqli_query($con, "SELECT `location` FROM `locations` WHERE TRIM(location) LIKE '%".($_GET['term'])."%'");   

$data = array();
while ($row = mysqli_fetch_assoc($result)) 
{

        $name = str_replace($searchTerm, "<span style='background-color:pink;'>$searchTerm</span>", $row['location']); 
        array_push($data, $name);   
}   



//return json data

echo json_encode($data);

Lets say I search for the term makutano I end up getting a result like the one displayed below:

I would expect it only to highlight makutano, but it does not work as intended.

If i remove the str_replace($searchTerm, "<span style='background-color:pink;'>$searchTerm</span>" code my result would be as diplayed in the image below

My database location looks like

Where am i going wrong from my code? Any help will be appreciated

You're pushing the information to JSON which is not really a good format for displaying information. — Jay Blanchard, Mar 03 '16 at 13:04
@JayBlanchard what should i have done. i am not so much good in this — Omari Victor Omosa, Mar 03 '16 at 13:06
You could concatenate the results and then echo that, rather than the JSON. — Jay Blanchard, Mar 03 '16 at 13:07
@JayBlanchard how do i go about that in my question.. 'concanate' any ideas? — Omari Victor Omosa, Mar 03 '16 at 13:12
I cant replicate your results running your code. Are you sure thats all of it? — DevDonkey, Mar 03 '16 at 13:14
You have an SQL-injection vulnerability in your code. Either escape `$_GET['term']` or use parameterized queries (examples: http://codular.com/php-mysqli). — sba, Mar 03 '16 at 13:22

score 2 · Accepted Answer · edited May 23 '17 at 10:28

If you want to display the information you have to concatenate a string (which I do with the implode())instead of creating a JSON object:

//get search term
$searchTerm = htmlspecialchars($_GET['term']);

$result = mysqli_query($con, "SELECT `location` FROM `locations` WHERE TRIM(`location`) LIKE '%".($_GET['term'])."%'");   

$data = array();
while ($row = mysqli_fetch_assoc($result)) 
{
    $name = $row['location']; 
    array_push($data, $name);   
}   

$string = '"' . implode('","', $data) . '"';
$newString = str_replace($searchTerm, "<span style='background-color:pink;'>$searchTerm</span>", $string); 
echo $newString;

Once you have created a string then you can do the replace to add the markup to the string.

Your script is at risk for SQL Injection Attacks. Learn about prepared statements for MySQLi. I have done the bare minimum in this code by using htmlspecialchars().

the highlighting works great but it eliminates the quotes. between the words e.g. `"machakos mwala makutano mwala"`, — Omari Victor Omosa, Mar 03 '16 at 13:37

Highlight search keyword in PHP does not highlight correctly

1 Answers1