开发者

Add search field

开发者 https://www.devze.com 2023-02-28 12:27 出处:网络
<form method=\"post\" action=\"oabtest.php?go\" id=\"searchform\"> <input type=\"text\" name=\"name\">
<form method="post" action="oabtest.php?go" id="searchform">
    <input type="text" name="name">
    <input type="submit" name="submit" value="Search">
</form>
<p><a href="?by=A">A</a> | <a href="?by=B">B</a> | <a href="?by=C">C</a> |<a href="?by=D">D</a> |<a href="?by=E">E</a> |<a href="?by=F">F</a> |<a href="?by=G">G</a> |<a href="?by=H">H</a> |<a href="?by=I">I</a> |<a href="?by=J">J</a> |<a href="?by=K">K</a> |<a href="?by=L">L</a> |<a href="?by=M">M</a> |<a href="?by=N">N</a> |<a href="?by=O">O</a> |<a href="?by=P">P</a> |<a href="?by=Q">Q</a> |<a href="?by=R">R</a> |<a href="?by=S">S</a> |<a href="?by=T">T</a> |<a href="?by=U">U</a> |<a href="?by=V">V</a> |<a href="?by=W">W</a> |<a href="?by=X">X</a> |<a href="?by=Y">Y</a> |<a href="?by=Z">Z</a> </p>

<p>You may also search by Patrol.</p>
<form method="post" action="oabtest.php?go" id="searchform">
    <input type="text" name="patrol">
    <input type="submit" name="submit" value="Search">
</form>
<?php
//Include database connection details
require_once('config.php');

//Array to store validation errors
$errmsg_arr = array();

//Validation error flag
$errflag = false;

//Connect to mysql server
$link = mysql_connect("localhost", "*****", "*****");
if (!$link) {
    die('Failed to connect to server: ' . mysql_error());
}

//Select database
$db = mysql_select_db("troop97_***");
if (!$db) {
    die("Unable to select database");
}

if (isset($_POST['submit'])) {
    if (isset($_GET['go'])) {
        if (preg_match("/[A-Z | a-z]+/", $_POST['name'])) {
            $name = $_POST['name'];


//-query the database table
            $sql = "SELECT ID, First_Name, Last_Name FROM contact WHERE First_Name LIKE '" . mysql_real_escape_string($name) . "%' OR Last_Name LIKE '" . mysql_real_escape_string($name) . "%'";
//-run the query against the mysql query function
            $result = mysql_query($sql);

//-count results

            $numrows = mysql_num_rows($result);

            echo "<p>" . $numrows . " results found for " . stripslashes($name) . "</p>";

//-create while loop and loop through result set
            while ($row = mysql_fetch_array($result)) {

                $First_Name = $row['First_Name'];
                $Last_Name = $row['Last_Name'];
                $ID = $row['ID'];

//-display the result of the array

                echo "<ul>\n";
                echo "<li>" . "<a href=\"oabtest.php?id=$ID\">" . $First_Name . " " . $Last_Name . "</a></li>\n";
                echo "</ul>";
            }
        } else {
            echo "<p>Please enter a search query</p>";
        }
    }
}

if (isset($_GET['by'])) {
    $letter = $_GET['by'];

//-query the database table
    $letter = mysql_real_escape_string($letter);
    $sql = "SELECT ID, First_Name, Last_Name FROM contact WHERE First_Name LIKE '" . $letter . "%' 
OR Last_Name LIKE '" . $letter . "%'";

//-run the query against the mysql query function
    $result = mysql_query($sql);

//-count results
    $numrows = mysql_num_rows($result);

    echo "<p>" . $numrows . " results found for " . $letter . "</p>";

//-create while loop and loop through result set
    while ($row = mysql_fetch_array($result)) {

        $First_Name = $row['First_Name'];
        $Last_Name = $row['Last_Name'];
        $ID = $row['ID'];

//-display the result of the array

        echo "<ul>\n";
        echo "<li>" . "<a href=\"o开发者_开发问答abtest.php?id=$ID\">" . $First_Name . " " . $Last_Name . "</a></li>\n";
        echo "</ul>";
    }
}

if (isset($_POST['submit'])) {
    if (isset($_GET['go'])) {
        if (preg_match("/[A-Z | a-z]+/", $_POST['patrol'])) {

            $patrol = $_POST['patrol'];



//-query the database table
            $patrol = mysql_real_escape_string($patrol);
            $sql = "SELECT ID, First_Name, Last_Name FROM contact WHERE Patrol LIKE '" . mysql_real_escape_string($patrol) . "%'";

//-run the query against the mysql query function
            $result = mysql_query($sql);

//-count results
            $numrows = mysql_num_rows($result);

            echo "<p>" . $numrows . " results found for " . $patrol . "</p>";

//-create while loop and loop through result set
            while ($row = mysql_fetch_array($result)) {

                $First_Name = $row['First_Name'];
                $Last_Name = $row['Last_Name'];
                $ID = $row['ID'];

//-display the result of the array

                echo "<ul>\n";
                echo "<li>" . "<a href=\"oabtest.php?id=$ID\">" . $First_Name . " " . $Last_Name . "</a></li>\n";
                echo "</ul>";
            }
        }

        if (isset($_GET['id'])) {
            $contactid = $_GET['id'];

//-query the database table
            $sql = "SELECT * FROM contact WHERE ID=" . $contactid;


//-run the query against the mysql query function
            $result = mysql_query($sql);

//-create while loop and loop through result set
            while ($row = mysql_fetch_array($result)) {

                $First_Name = $row['First_Name'];
                $Last_Name = $row['Last_Name'];
                $Home_Phone = $row['Home_Phone'];
                $Cell_Phone = $row['Cell_Phone'];
                $Work_Phone = $row['Work_Phone'];
                $Email = $row['Email'];
                $Home_Street = $row['Home_Street'];
                $Home_City = $row['Home_City'];
                $Home_State = $row['Home_State'];
                $Home_Zip = $row['Home_Zip'];
                $Troop_Role = $row['Troop_Role'];
                $Patrol = $row['Patrol'];

//-display the result of the array

                echo "<ul>\n";
                echo "<li>" . $First_Name . " " . $Last_Name . "</li>\n";
                echo (empty($Home_Phone)) ? '' : "<li>" . $Home_Phone . " Home</li>\n";
                echo (empty($Cell_Phone)) ? '' : "<li>" . $Cell_Phone . " Cell</li>\n";
                echo (empty($Work_Phone)) ? '' : "<li>" . $Work_Phone . " Work</li>\n";
                echo "<li>" . "<a href=mailto:" . $Email . ">" . $Email . "</a></li>\n";
                echo "<li>" . $Home_Street . "</li>\n";
                echo "<li>" . $Home_City . ", " . $Home_State . " " . $Home_Zip . "</li>\n";
                echo "<li>" . $Troop_Role . "</li>\n";
                echo "<li>" . $Patrol . "</li>\n";
                echo "</ul>";
            }
        }
    }
}


SQL Injection Risk

If you ever use a value from a submitted form when interacting with a database, you should escape the content before doing so. In MySQL, the best function to do this is mysql_real_escape_string() PHP Manual

$sql="SELECT ID, First_Name, Last_Name FROM contact WHERE First_Name LIKE '" . mysql_real_escape_string( $name ) . "%' OR Last_Name LIKE '" . mysql_real_escape_string( $name ) ."%'";

Adding Fields to Search

If you are wanting to add an additional field, like "Department" to the search query, you simply have a field on the search form corresponding to it, and then adapt your SQL Search to have it included in the WHERE clause:

$sql="SELECT ID, First_Name, Last_Name
      FROM contact
      WHERE ( First_Name LIKE '" . mysql_real_escape_string( $name ) . "%'
              OR Last_Name LIKE '" . mysql_real_escape_string( $name ) ."%' )
            AND Department='" . mysql_real_escape_string( $department ) ."'";

Using One Field for Two Searches

If you wanted to use a single text field to perform the above search, you will need to decide on some kind of prefix for users to prefix the value for the second field with.

For instance, if we specify "in:" as a prefix to designate the Department, so a search for "John in:Radiology" would look for any person with a first, or last, name starting with "John" but only those in the "Radiology" department.

list( $name , $department ) = explode( ' in:' , $_POST['name'] , 2 );

instead of

$name = $_POST['name'];

LIKE Search Limitation

At the moment, your code will only search for First Names and/or Last Names which start with the entered value. You can make the search return either fields which simply contain (not just start with) the entered value by putting another "%" at the start of the search string:

$sql="SELECT ID, First_Name, Last_Name FROM contact WHERE First_Name LIKE '%" . $name . "%' OR Last_Name LIKE '%" . $name ."%'";

Full-Text Search

You may want to look at this tutorial - Using MySQL Full-text Searching. It covers the concepts of Full-Text Searching, will allows you to find one, or more, words submitted through a single field across multiple database fields.

Limit Returned Rows

Always a good idea to limit the number of rows you return for a search, whether you paginate or simply show X rows. Failing to do this would allow a malicious user to essentially scrape your whole database by simple searching for each letter of the alphabet.


Add your hypothetical field say search_field and then search for it with "SELECT * FROM contact WHERE search_field='search value' order by First_Name", don't forget to index on search_field if it is going to be a unique field like email. I hope the code you pasted above will not go into production. Do not trust user inputs and filter them properly before you used them in SQL queries, needless to say store db credentials and connection string in a separate file and include it.

0

精彩评论

暂无评论...
验证码 换一张
取 消