views: 209
answers: 5
I am doing a project where I want a person to enter the name of any artist/band into a text box where it will search my mysql database for the event information and display the results/content on another page. The code below is within my index.php where it should get the information from search.php (below also). I've looked all over and I'm not sure why it's not working and I can't figure out what to do. Help would be great! (I really need to pass this class!) :)

(index.php)

<form name="search" action="search.php" method="get">
    <div align="center"><input type="text" name="q" />
    <p><input type="submit" name="Submit" value="Search" /></p></div>
</form>

(search.php)

<?php

//Get the search variable from URL

$var=@&_GET['q'];
$trimmed=trim($var); //trim whitespace from the stored variable

//rows to return
$limit=10;

//check for an empty string and display a message.
if($trimmed=="")
    {
    echo"<p>Please enter a name.</p>";
    exit;
    }

//check for a search parameter
if(!isset($var))
    {
    echo"<p>We don't seem to have a search parameter!</p>";
    exit;
    }

//connect to database
mysql_connect("localhost","root","password");

//specify database
mysql_select_db("itour") or die("Unable to select database");

//Build SQL Query
$query = "select * from events where artist_name like \"%trimmed%\" order by date";

$numresults=mysql_query($query);
$numrows=mysql_num_rows($numresults);

//If no results, offer a google search as an alternative

if ($numrows==0)
    {
    echo"<h3>Results</h3>";
    echo"<p>Sorry, your search: &quot;" .$trimmed . "&quot; returned zero results</p>";

    //google
    echo"<p><a href=\"http://www.google.com/search?q=".$trimmed . "\" target=\"_blank\" title=\"Look up ".$trimmed ." on Google\">
    Click here</a> to try the search on google</p>";
    }

//next determine if s has been passed to script, if not use 0
if(empty($s)) {
    $s=0;
    }

//get results
$query .=" limit $s,$limit";
$result = mysql_query($query) or die("Couldn't execute query");

//display what was searched for
echo"<p>You searched for: &quot;" .$var . "&quot;</p>";

//begin to show results set
echo "Results";
$count = 1 + $s;

//able to display the results returned
while ($row=mysql_fetch_array($result)) {
$title = $row["artist_name"];

echo"$count.)&nbsp;$title";
$count++;
}

$currPage = ($s/$limit) + 1;

echo"<br  />";

//links to other results
if ($s>=1){
    //bypass PREV link if s is 0
    $prevs=($s-$limit);
    print"&nbsp;<a href=\"$PHP_SELF?s=$prevs&q=$var\">&lt;&lt;
    Prev 10</a>&nbsp;&nbsp;";
}

//calculate number of pages needing links
$pages=intval($numrows/$limit);

//$pages now contains int of pages needed unless there is a remainder from division

if($numrows%$limit){
//has remainder so add one page
$pages++;
}

//check to see if last page
if (!((($s+$limit)/$limit)==$pages) && $pages!=1){

//not last page so give NEXT link
$news=$s+$limit;

echo"&nbsp;<a href=\"$PHP_SELF?s=$news&q=$var\">Next 10 &gt;&gt;</a>";
}

$a = $s +($limit);
if($a > $numrows){$a = $numrows;}
$b = $s + 1;
echo"<p>Showing results $b to $a of $numrows</p>";

?>
+2  A: 

Your where clause is goofy...try changing it to:

WHERE artist_name like '%$trimmed%'

just putting trimmed will be interpreted literally as the string "trimmed". However, using the variable $trimmed in your double-quoted string will give the actual variable's value.

Zack
+1  A: 
$query = "select * from events where artist_name like '%$trimmed%' order by date";
Stefano DiFabio
A: 

Also as Chad mentioned, an SQL injection would be simple since you aren't cleaning input before performing DB actions with it.

try adding

foreach($_REQUEST as $param => $value)
{
    $_REQUEST[$param]=mysql_real_escape_string($value);
}

This way you escape all the user input so the user can't tamper with the db. Read more about this method and SQL injection in the docs here: http://us2.php.net/mysql_real_escape_string

philip
+1  A: 

In order to use the variable $trimmed in a query, escape it first. Otherwise, your script will be vulnerable to SQL injection attacks, and attackers will be able to run almost any query against your database. This problem is exacerbated by the fact that you are connecting to MySQL as root. Never ever do this in a production environment.

Also, to expand a variable in a string, you should include the $ character before the variable name.

$trimmed = trim($var);
$escaped = mysql_real_escape_string($trimmed);
$query = "select * from events where artist_name like \"%$escaped%\" order by date";
Ayman Hourieh
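The two answers above (philip's and Ayman's) both reach for mysql_real_escape_string. The example below is an added one, not code from the question or from any answer on this page: it rewrites search.php around a PDO prepared statement, so the search term and the page offset are bound as parameters and never become part of the SQL text, which removes the injection problem without per-variable escaping. It assumes PHP with the pdo_mysql extension, the "itour" database and "events" table (columns artist_name and date) from the question, and a hypothetical read-only account "itour_ro" whose password is read from an ITOUR_DB_PASSWORD environment variable instead of connecting as root.

```php
<?php
// Added example (not from the original question or answers): search.php
// rebuilt on PDO prepared statements. Assumptions: pdo_mysql is available,
// the "itour" database / "events" table from the question exist, and a
// hypothetical read-only user "itour_ro" with its password in the
// ITOUR_DB_PASSWORD environment variable.
declare(strict_types=1);

const PAGE_SIZE = 10;

function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=itour;charset=utf8mb4';
    return new PDO($dsn, 'itour_ro', getenv('ITOUR_DB_PASSWORD') ?: '', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Server-side prepares: the LIMIT placeholders bound as PARAM_INT
        // reach MySQL as integers rather than as quoted strings.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Binding the term stops SQL injection; escaping % and _ additionally stops
// a term such as "%" from matching every row. "!" is declared as the LIKE
// escape character in the queries below, so it is doubled here.
function likePattern(string $term): string
{
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
    return '%' . $escaped . '%';
}

/** @return array{total:int, rows:array<int, array<string, mixed>>} */
function searchEvents(PDO $pdo, string $term, int $offset, int $limit): array
{
    $pattern = likePattern($term);

    $count = $pdo->prepare(
        "SELECT COUNT(*) FROM events WHERE artist_name LIKE :pat ESCAPE '!'"
    );
    $count->execute([':pat' => $pattern]);
    $total = (int) $count->fetchColumn();

    $page = $pdo->prepare(
        "SELECT artist_name, date FROM events
          WHERE artist_name LIKE :pat ESCAPE '!'
          ORDER BY date
          LIMIT :off, :lim"
    );
    $page->bindValue(':pat', $pattern, PDO::PARAM_STR);
    $page->bindValue(':off', $offset, PDO::PARAM_INT);
    $page->bindValue(':lim', $limit, PDO::PARAM_INT);
    $page->execute();

    return ['total' => $total, 'rows' => $page->fetchAll()];
}

// HTML-escape anything echoed back; the original script echoes the raw
// term into the page, which is a separate problem from the SQL one.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

if (!isset($_GET['q']) || !is_string($_GET['q'])) {
    echo "<p>We don't seem to have a search parameter!</p>";
    exit;
}
$trimmed = trim($_GET['q']);
if ($trimmed === '') {
    echo "<p>Please enter a name.</p>";
    exit;
}
// The offset s=... in the URL is user input too, so it is cast to a
// non-negative integer instead of being concatenated into LIMIT.
$s = isset($_GET['s']) ? max(0, (int) $_GET['s']) : 0;

$result = searchEvents(connect(), $trimmed, $s, PAGE_SIZE);

echo "<p>You searched for: &quot;" . h($trimmed) . "&quot;</p>";
if ($result['total'] === 0) {
    echo "<p>Sorry, your search returned zero results</p>";
    exit;
}
$n = $s + 1;
foreach ($result['rows'] as $row) {
    echo $n++ . ".)&nbsp;" . h((string) $row['artist_name']) . "<br />";
}
$last = min($s + PAGE_SIZE, $result['total']);
echo "<p>Showing results " . ($s + 1) . " to $last of {$result['total']}</p>";
$q = urlencode($trimmed);
if ($s >= PAGE_SIZE) {
    echo '<a href="?s=' . ($s - PAGE_SIZE) . '&amp;q=' . $q . '">&lt;&lt; Prev 10</a> ';
}
if ($last < $result['total']) {
    echo '<a href="?s=' . $last . '&amp;q=' . $q . '">Next 10 &gt;&gt;</a>';
}
```

The point of the design is that the SQL text is fixed at prepare time; whatever the user types travels to the server as data, so neither mysql_real_escape_string nor a blanket loop over $_REQUEST is needed. The ESCAPE clause handles the one thing binding does not: a user-supplied % or _ would otherwise act as a wildcard inside the LIKE pattern.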
A: 

You are missing a $ symbol. I think

$var=@&_GET['q'];

should probably be

$var=@$_GET['q'];

unless you really want a reference, in which case it should be this: (the error suppression is not needed at this point if you want a reference, but you should check $var is set before trying to access it)

$var=& $_GET['q'];

I would be tempted to write it a bit more like this.

if (!isset($_GET['q'])) {
    echo"<p>We don't seem to have a search parameter!</p>";
    exit;
}

$trimmed = trim($_GET['q']);

if($trimmed=="") {
    echo"<p>Please enter a name.</p>";
    exit;
}
Tom Haigh