0

I have a search field on my site that searches the database I use. When I click on the search field and enter no text the search returns all results.

How can I have it so no results are returned if nothing is entered?

Is there any JavaScript that can help me?

Thanks!

James

<?php

$conn = mysql_connect("---", "", "");

if (!$conn) {
echo "Unable to connect to DB: " . mysql_error();
exit;
}



{

$search = "%" . $_POST["search"] . "%";
$searchterm = "%" . $_POST["searchterm"] . "%";

}

if (!mysql_select_db("weezycouk_641290_db1")) {
echo "Unable to select mydbname: " . mysql_error();
exit;
}

$sql = "SELECT name,lastname,email 
FROM   test_mysql
WHERE  name LIKE '%".$search."%' AND lastname LIKE '%".$searchterm."%'";

$result = mysql_query($sql);

if (!$result) {
echo "Could not successfully run query ($sql) from DB: " . mysql_error();
exit;
}

if(document.getElementById('search').value == '')
return false;

if(document.getElementById('searchterm').value == '')
return false;

if (mysql_num_rows($result) == 0) {
echo "No rows found, nothing to print so am exiting";
exit;
}


while ($row = mysql_fetch_assoc($result)) {
echo '<br>';
echo '<br>';
echo '<div class="data1">';
echo $row["name"];
echo '</div>';
echo '<br>';
echo '<div class="data2">';
echo $row["lastname"];
echo '</div>';
echo '<br>';
echo '<div class="data3">';
echo $row["email"];
echo '</div>';
}

mysql_free_result($result);

?>
James
  • What SQL is in the PHP script which search in database? – Václav Novotný Oct 25 '11 at 15:36
  • 1
    Make sure you're not doing something dumb like `WHERE Blah LIKE '%" + query + "%` as this would be a huge security hole. Other than that, just check to make sure the input has a value first. – Mike Christensen Oct 25 '11 at 15:37
  • 1
    There you go guys, go easy on me I've only been doing this since yesterday! – James Oct 25 '11 at 15:43
  • You can't use javascript in php. – Can Vural Oct 25 '11 at 15:45
  • So what does it mean security hole? Do I need to improve my WHERE.. act part? – James Oct 25 '11 at 15:50
  • @James: Read [this](http://www.unixwiz.net/techtips/sql-injection.html) and then the first sentence of [my answer](http://stackoverflow.com/questions/7891783/how-to-stop-search-returning-all-results/7891816#7891816). – Jon Oct 25 '11 at 15:55
  • I think what @MikeChristensen was trying to say was to not use concatenation for your query strings since it's subject to SQL injection attacks. I'd look at changing over to using PDO. See prepare (http://www.php.net/manual/en/pdo.prepare.php) or quote (http://php.net/manual/en/pdo.quote.php) – hafichuk Oct 25 '11 at 15:57
  • Do I need this as when I view the source of my code all php and mysql is hidden? – James Oct 25 '11 at 16:01
  • Do I need this as when I view the source of my code all php and mysql is hidden? – James Oct 25 '11 at 16:25

4 Answers

8

Stop right there! SQL injection!

Your code has multiple SQL injection vulnerabilities. Fix them immediately!

Fixed? Let's go on.

Before deciding to perform the search, check if the search term is the empty string. If yes, do not perform the search. For example:

$search = isset($_POST['search']) ? trim($_POST['search']) : ''; // whatever the user typed; it's a good idea to trim() it
if(empty($search)) {
    // return no results
}
else {
    // do whatever you normally do
}

You could also perhaps change the search function (more likely, the search SQL query) to return no results if there's nothing to search for, which would basically let you move the above if "deeper inside" your code. IMHO it's best if the if stays here though, so I don't endorse this approach.

Taking care of details with Javascript: If your search is based on a form submission, it might be a good idea to prevent the submission entirely (with Javascript) if the search field is empty as a courtesy to the user. However, you should do this in addition to using the PHP check and not instead of it.

For an example in code, we'd need to see your HTML.

Jon
  • You could amplify this approach and remove all words less than a certain number of characters or other specific words that commonly appear ("of", "the", "and", etc.), which is what Google used to do. And after all of the filters have been applied, check if the search string is empty. Remember to use `trim()` as well, since a blank space is not `empty`. – Mike Oct 25 '11 at 15:42
  • Regarding the javascript: you can take a look at my answer for a starting point. – middus Oct 25 '11 at 15:47
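Added example (not code from the question or from any answer): the server-side empty check and the parameterised query recommended in this thread, combined in one function with PDO. The table and column names are from the question; the in-memory SQLite database, the sample rows, the `!` escape character and the helper names `likePattern` and `searchPeople` are assumptions made so the script runs stand-alone, and treating either blank field as "no search" is an assumption based on the two checks in the question.

```php
<?php
// Escape LIKE wildcards so a typed "%" or "_" matches literally ('!' is the escape char).
function likePattern(string $term): string
{
    return '%' . strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
}

// Returns matching rows, or an empty array when either field is blank.
function searchPeople(PDO $pdo, array $input): array
{
    $name     = trim((string)($input['search'] ?? ''));
    $lastname = trim((string)($input['searchterm'] ?? ''));

    // Server-side check: nothing typed means no query is run at all.
    if ($name === '' || $lastname === '') {
        return [];
    }

    // Placeholders keep user input out of the SQL text.
    $stmt = $pdo->prepare(
        "SELECT name, lastname, email
         FROM   test_mysql
         WHERE  name LIKE :name ESCAPE '!' AND lastname LIKE :lastname ESCAPE '!'"
    );
    $stmt->execute([':name' => likePattern($name), ':lastname' => likePattern($lastname)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed stand-in for the real database (assumption: pdo_sqlite is available).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE test_mysql (name TEXT, lastname TEXT, email TEXT)");
$pdo->exec("INSERT INTO test_mysql VALUES
    ('Ann', 'Lee', 'ann@example.com'), ('Bob', 'O''Neil', 'bob@example.com')");

// Constructed inputs standing in for $_POST.
$cases = [
    ['search' => '',   'searchterm' => ''],               // blank form
    ['search' => '  ', 'searchterm' => 'Lee'],            // whitespace only
    ['search' => '%',  'searchterm' => '%'],              // wildcard typed as text
    ['search' => "x' OR '1'='1", 'searchterm' => 'Lee'],  // quote characters in input
    ['search' => 'bo', 'searchterm' => "O'Neil"],         // ordinary search
];
foreach ($cases as $case) {
    printf("%-50s => %d row(s)\n", json_encode($case), count(searchPeople($pdo, $case)));
}
```

Against MySQL the same function works unchanged with a `mysql:` DSN passed to `new PDO`.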
1

For very basic control you can do something like that.

if(document.getElementById('searchField').value == '')
   return false;
Can Vural
1

You can either deny submitting the search form as long as nothing is filled in the search field using JavaScript, or you can block the search in the corresponding PHP file.

php:

if(empty($_GET['search'])){ // or whatever your field's name is
  echo 'no results';
}else{
  performSearch(); // do what you're doing right now
}

javascript using jQuery (if you use it):

$('#searchform').submit(function(){ // replace 'searchform' with your form's id
  return $('#search').val() != ''; // and 'search' with your search field's id
});
middus
0

I wouldn't do this using JavaScript (as this can be turned off by the user).

I would do it using your server side language when you process the query.

e.g. in PHP something like this would work:

<?php
//processes
if (trim($_GET['search'])=='') {
  // don't query anything
} else {
  // do your query
}

//output
if (trim($_GET['search'])=='') {
  ?>
  <p>Sorry, your search has returned no results.</p>
  <?php
} else {
  // output results
}

?>
Nick