I have been trying to make a search engine for my database, but no luck.

What I'm trying to do is to search the database in more than one column.

I have tried

    $select = "SELECT * FROM letter_cast WHERE name LIKE '%".$_GET['content']."%' AND title LIKE '%".$_GET['content']."%'";

but no luck. I guess there is something different in the whole script; here is the script (I have downloaded it from here):

    // You can do anything with the data. Just think of the possibilities!
    include('conn.php');

    $strlen = strlen($_GET['content']);
    $display_count = $_GET['count'];
    $select = "SELECT * FROM letter_cast WHERE name LIKE '%".$_GET['content']."%' AND title LIKE '%".$_GET['content']."%'";
    $res = mysql_query($select);
    $rec_count = mysql_num_rows($res);
    if($display_count)
    {
      echo "There are <font color='red' size='3'>".$rec_count."</font> matching records found.Click Search to view result.";
    }

Rayan Sp
  • AAARRRGGHHH!!! Escape your queries!!! If all the press recently about sites getting hacked should have taught developers anything it should be to escape every variable in your query. Either use PDO or slap some `mysql_real_escape_string` on your variables. – Endophage Jun 18 '11 at 05:47
  • @Mohammed: are you sure your search keyword must exist both in "name" and "title" columns? If not, you should use OR instead of AND and I hope you'll see the results you want. – Abhay Jun 18 '11 at 05:51
  • Read, how to sanitize queries: http://stackoverflow.com/questions/6198104/reference-what-is-a-perfect-code-sample-using-the-mysql-extension/6198584#6198584 – OZ_ Jun 18 '11 at 05:59

1 Answer

Besides your script being completely insecure, the AND logic is restricting your query; if you have certain columns in mind you would need to use OR.

Babiker
  • Thanks!! How can you be so smart! But it doesn't make sense to me: when I used "AND" it didn't work, but when I used "OR" it worked! – Rayan Sp Jun 18 '11 at 07:02
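
The two points raised in the answer and comments (OR across the columns, and the search term bound as a parameter instead of concatenated into the SQL), as an added example that is not part of the original thread. It assumes PDO with an in-memory SQLite table and constructed rows so it runs offline; `likeLiteral` and `countMatches` are hypothetical helper names, and for MySQL only the DSN changes.

```php
<?php
// Added example, not the asker's script. In-memory SQLite stands in for
// the MySQL database so the example runs offline (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE letter_cast (id INTEGER PRIMARY KEY, name TEXT, title TEXT)');

// Constructed sample rows.
$rows = [
    ['Alice Smith', 'Director'],
    ['Bob Jones',   'Smith Family Lawyer'],
    ['100% Carol',  'Editor'],
];
$ins = $pdo->prepare('INSERT INTO letter_cast (name, title) VALUES (?, ?)');
foreach ($rows as $r) {
    $ins->execute($r);
}

/** Escape LIKE wildcards so the user's text is matched literally. */
function likeLiteral(string $term): string
{
    // '!' is the escape character declared in the query's ESCAPE clause.
    return strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']);
}

/** Count rows whose name OR title contains $term. */
function countMatches(PDO $pdo, string $term): int
{
    $sql = "SELECT COUNT(*) FROM letter_cast
            WHERE name LIKE :q1 ESCAPE '!' OR title LIKE :q2 ESCAPE '!'";
    $stmt = $pdo->prepare($sql);
    $pattern = '%' . likeLiteral($term) . '%';
    // Two placeholders: reusing one named placeholder fails when PDO's
    // emulated prepares are turned off.
    $stmt->execute([':q1' => $pattern, ':q2' => $pattern]);
    return (int) $stmt->fetchColumn();
}

// Each value stands in for $_GET['content']; the second and third would
// change the meaning of the concatenated query but are plain text here.
foreach (['Smith', "' OR '1'='1", '%'] as $input) {
    printf("%-14s => %d matching records\n", $input, countMatches($pdo, $input));
}
```

Because the term travels as a bound value, quotes in the input never reach the SQL parser, and the `ESCAPE` clause keeps `%` and `_` from acting as wildcards.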