I want to get data from my database (MySQL) and show it on the website; the script should be safe.

This is the structure of the files I already have:

/includes
    db_connect.php
    functions.php
    getdata.php
    logout.php
    process_login.php
    psl-config.php
    register.inc.php
/js
    forms.js
    sha512.js
login.php
protected_page.php
register.php
register_success.php
seach.php

Now the important files. psl-config.php:

<?php
/**
 * These are the login credentials for the database
 */
define("HOST", "localhost");     // The host you want to connect to.
define("USER", "sec_user");    // The database username.
define("PASSWORD", "eKcGZr59zAa2BEWU");    // The database password.
define("DATABASE", "secure_login");    // The database name.

define("CAN_REGISTER", "any");
define("DEFAULT_ROLE", "member");

define("SECURE", FALSE);    // FOR DEVELOPMENT ONLY!!!!
?>

The db_connect.php:

<?php
include_once 'psl-config.php';   // Because functions.php is not included here
$mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE);
?>

This is my search.php:

<?php
include_once 'includes/db_connect.php';
include_once 'includes/functions.php';

sec_session_start();
?>
<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8">
        <title>Secure Login: Protected Page</title>
        <link rel="stylesheet" href="styles/main.css" />
    </head>
    <body>
        <?php if (login_check($mysqli) == true) : ?>
            <p>Welcome <?php echo htmlentities($_SESSION['username']); ?>!</p>

            <h3>Search  Contacts Details</h3> 
            <p>You  may search either by first or last name</p> 
            <form  method="post" action="search.php?go"  id="searchform"> 
                <input  type="text" name="name"> 
                <input  type="submit" name="submit" value="Search"> 
            </form>
        <?php else : ?>
            <p>
                <span class="error">You are not authorized to access this page.</span> Please <a href="login.php">login</a>.
            </p>
        <?php endif; ?>
    </body>
</html>

Where should I put my textbox entry to make a safe search for my website? Is my code safe to use?

This is my sql command: SELECT * FROM produckte WHERE beschreibung = $search LIMIT 100;

I want to print the result on the search website.

  • It's perfectly safe as long as you properly prepare information for the database. Since you use mysqli you could use prepared statements: prepared statements mysqli. Or you can use PHP to clean the string before using it in straight-up SQL. Yet the first option is the better one. Commented Nov 4, 2014 at 11:53

2 Answers

First, change your search input's name to 'search':

<input  type="text" name="search">

You are sending your form to the same .php file using the 'POST' method. This means you can access whatever information is being sent to the page by accessing the $_POST variable.

Add this to the top of your search.php file, inside the <?php ?> tags:

if (isset($_POST['search'])) {
  // escape before echoing so the submitted text cannot inject HTML into the page
  echo htmlspecialchars($_POST['search']);
}

This will give you an idea of how to handle data being posted from a <form>.

Have a look at this PHP doc, regarding dealing with forms.

mysqli allows you to use prepared-statements, which is a safe way to pass user-input to database-queries.

An example of how to query the DB with prepared statements:

if (isset($_POST['search'])) {
  $stmt = $mysqli->prepare("SELECT * FROM produckte WHERE beschreibung = ? LIMIT 100;");
  $stmt->bind_param("s", $_POST['search']);   // "s": bind the value as a string
  $stmt->execute();

  // get_result() requires the mysqlnd driver; use bind_result()/fetch() otherwise
  $result = $stmt->get_result();
  while ($row = $result->fetch_array(MYSQLI_NUM))
  {
    // handle your data here, e.g. print each row with the columns escaped for HTML
    echo htmlspecialchars(implode(' | ', $row)), "<br>";
  }
  $stmt->close();
}
I would recommend using something like this:

SELECT * FROM produckte WHERE beschreibung LIKE '%".$search."%'; This query is safe if you have a prepared statement

The % makes your query return everything that has the search keyword. For example, if you search for "hello" and your database has "1hello" and "hello2382", your result will be "1hello" and "hello2382"; if you used your query without the %, you would have 0 results. More Info

This should do the trick:

// bind the search term as a parameter: the LIKE wildcards go into the bound
// value, never into the SQL string, so $search cannot alter the query
$pattern = "%" . $search . "%";
$stmt = $mysqli->prepare("SELECT * FROM produckte WHERE beschreibung LIKE ? LIMIT 100");
$stmt->bind_param("s", $pattern);
$stmt->execute();

if ($result = $stmt->get_result()) {

    /* fetch associative array */
    while ($row = $result->fetch_assoc()) {
        printf ("%s (%s)\n", htmlspecialchars($row["Name"]), htmlspecialchars($row["column name"]));
        //You could echo a div in here with the data you want to be displayed
    }

    /* free result set */
    $result->free();
}
$stmt->close();

In your search.php you should do this:

//your form submit button name
if(isset($_POST['submit'])){
    //your form textfield name
    $search = $_POST['name'];

    //execute the while query here.

}

1 Comment

This part I have understood, but how do I get the $search with the data from the textbox? Could you show it to me?
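A complete search.php that ties both answers together, added here as an example and not code from the question or either answer. It assumes includes/db_connect.php defines $mysqli and includes/functions.php provides sec_session_start() and login_check() as in the question; the search term is bound as a parameter, LIKE wildcards typed by the user are escaped, and every value is escaped again on output.

```php
<?php
// Added example, not from the question or either answer. Assumes
// includes/db_connect.php defines $mysqli and includes/functions.php
// provides sec_session_start() and login_check() as in the question.
include_once 'includes/db_connect.php';
include_once 'includes/functions.php';
sec_session_start();
if (!login_check($mysqli)) {
    http_response_code(403);
    exit('You are not authorized to access this page.');
}
$rows = [];
$search = isset($_POST['search']) ? trim($_POST['search']) : '';
if ($search !== '') {
    // The user's text is sent as a bound parameter, never spliced into the
    // SQL string, so it cannot change the query. Backslash, % and _ are
    // escaped so the user cannot inject LIKE wildcards (a bare "%" would
    // match every row; not injection, but it defeats the search).
    $pattern = '%' . addcslashes($search, '\\%_') . '%';
    $stmt = $mysqli->prepare(
        'SELECT beschreibung FROM produckte WHERE beschreibung LIKE ? LIMIT 100'
    );
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    // bind_result()/fetch() also works without the mysqlnd driver that
    // get_result() requires.
    $stmt->bind_result($beschreibung);
    while ($stmt->fetch()) {
        $rows[] = $beschreibung;
    }
    $stmt->close();
}
?>
<!DOCTYPE html>
<html>
<head><meta charset="UTF-8"><title>Search</title></head>
<body>
<form method="post" action="search.php">
    <input type="text" name="search"
           value="<?php echo htmlspecialchars($search, ENT_QUOTES, 'UTF-8'); ?>">
    <input type="submit" name="submit" value="Search">
</form>
<ul>
<?php foreach ($rows as $r): ?>
    <!-- escape on output so stored data cannot inject HTML or script -->
    <li><?php echo htmlspecialchars($r, ENT_QUOTES, 'UTF-8'); ?></li>
<?php endforeach; ?>
</ul>
</body>
</html>
```

The backslash escaping relies on MySQL's default LIKE escape character; if the server runs with NO_BACKSLASH_ESCAPES, add an explicit ESCAPE clause to the query.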
