Comments on: Building a PHP and MySQL search function http://www.jdhodges.com/2009/09/building-a-php-and-mysql-search-function/ Woodsman, adventurer, tech enthusiast, and lucky man. Mon, 15 Mar 2010 02:20:16 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: J.D. http://www.jdhodges.com/2009/09/building-a-php-and-mysql-search-function/comment-page-1/#comment-570 J.D. Sat, 10 Oct 2009 02:31:53 +0000 http://www.jdhodges.com/?p=327#comment-570 Thanks for pointing that out John. I clean the input string before I send it to the function. However, it would be wise to include some rudimentary cleaning [string escaping] in the function itself (just in case it ever got called with raw input). So I'm going to update the code in this post. :-) Thanks for pointing that out John. I clean the input string before I send it to the function.

However, it would be wise to include some rudimentary cleaning [string escaping] in the function itself (just in case it ever got called with raw input). So I’m going to update the code in this post. :-)

]]> By: John Havlik http://www.jdhodges.com/2009/09/building-a-php-and-mysql-search-function/comment-page-1/#comment-569 John Havlik Fri, 09 Oct 2009 22:33:32 +0000 http://www.jdhodges.com/?p=327#comment-569 Just a note on that code, it doesn't appear to use any input string escaping, which means grabbing from any of the PHP superglobals, and any other untrusted source, will need to be escaped before running through the function. Otherwise you open yourself up to nasty SQL injection attacks. Just a note on that code, it doesn’t appear to use any input string escaping, which means grabbing from any of the PHP superglobals, and any other untrusted source, will need to be escaped before running through the function. Otherwise you open yourself up to nasty SQL injection attacks.

]]> By: J.D. http://www.jdhodges.com/2009/09/building-a-php-and-mysql-search-function/comment-page-1/#comment-568 J.D. Fri, 09 Oct 2009 13:57:45 +0000 http://www.jdhodges.com/?p=327#comment-568 Yo guys. I did have to make some changes to get the code to work. I wanted it to generate the multiword SQL querystring for me, so I modified it to be a function. The function now simply returns a SQL querystring, which you can then use however you like. Here's a rather ugly version of the code, hope it helps: <p> </p> <p><code>// call the function, it returns a query string<br> $queryString = multiquery("some search terms", "table_to_select_from");<br> //print the querystring, use this querystring to get whatever recordset you want<br> echo $queryString;<br> </code><code><br> // Original code: http://www.acuras.co.uk/articles/2-php-multi-word-mysql-search-algorithm-and-output<br> <strong>function multiquery($multiquery, $vartable) {</strong><br> // escape the input string, I know mysql_escape_string is deprecated, but I don't want to mess with another function tonight...<br> $multiquery = mysql_escape_string($multiquery);<br> // checks if a search has been submitted<br> if(!empty($multiquery))<br> {<br> // the table to search<br> $table = $vartable;<br> // explode search words into an array<br> $arraySearch = explode(" ", $multiquery);<br> // table fields to search<br> $arrayFields = array(0 => "Long_Desc", 1 => "Shrt_Desc", 2 => "ComName", 3 => "ManufacName");<br> $countSearch = count($arraySearch);<br> $a = 0;<br> $b = 0;<br> $query = "SELECT * FROM ".$table." WHERE (";<br> $countFields = count($arrayFields);<br> while ($a < $countFields)<br> {<br> while ($b < $countSearch)<br> {<br> $query = $query."$arrayFields[$a] LIKE '%$arraySearch[$b]%'";<br> $b++;<br> if ($b < $countSearch)<br> {<br> $query = $query." AND ";<br> }<br> }<br> $b = 0;<br> $a++;<br> if ($a < $countFields)<br> {<br> $query = $query.") OR (";<br> }<br> }<br> <strong>// just make a querystring "$query", don't actually get the query_result here<br> </strong>$query = $query.")";<br> //$query_result = mysql_query($query);<br> <strong>//return the querystring for use outside the function</strong><br> return $query;<br> <strong>//disable this portion, since we're not working with a query result anymore (just a querystring to be used later)<br> </strong>if(1 < 1)<br> {<br> echo '<p>No matches found for "'.$search.'"</p>';<br> }<br> else<br> {<br> echo '<p>Search Results for "'.$search.'":</p>'."\n\n";<br> // output list of articles<br> while($row = mysql_fetch_assoc($query_result))<br> {<br> // output whatever you want here for each search result<br> echo '<a href="index.php?id='.$row['id'].'">'.$row['title'].'</a><br />';<br> }<br> }<br> }<br> else<br> {<br> // display a welcome page<br> }<br> <strong>}<br> // end search function</strong></code></p> THE END. Yo guys. I did have to make some changes to get the code to work. I wanted it to generate the multiword SQL querystring for me, so I modified it to be a function. The function now simply returns a SQL querystring, which you can then use however you like. Here’s a rather ugly version of the code, hope it helps:

 

// call the function, it returns a query string
$queryString = multiquery("some search terms", "table_to_select_from");
//print the querystring, use this querystring to get whatever recordset you want
echo $queryString;

// Original code: http://www.acuras.co.uk/articles/2-php-multi-word-mysql-search-algorithm-and-output
function multiquery($multiquery, $vartable) {
// escape the input string, I know mysql_escape_string is deprecated, but I don't want to mess with another function tonight...
$multiquery = mysql_escape_string($multiquery);
// checks if a search has been submitted
if(!empty($multiquery))
{
// the table to search
$table = $vartable;
// explode search words into an array
$arraySearch = explode(" ", $multiquery);
// table fields to search
$arrayFields = array(0 => "Long_Desc", 1 => "Shrt_Desc", 2 => "ComName", 3 => "ManufacName");
$countSearch = count($arraySearch);
$a = 0;
$b = 0;
$query = "SELECT * FROM ".$table." WHERE (";
$countFields = count($arrayFields);
while ($a < $countFields)
{
while ($b < $countSearch)
{
$query = $query."$arrayFields[$a] LIKE '%$arraySearch[$b]%'";
$b++;
if ($b < $countSearch)
{
$query = $query." AND ";
}
}
$b = 0;
$a++;
if ($a < $countFields)
{
$query = $query.") OR (";
}
}
// just make a querystring "$query", don't actually get the query_result here
$query = $query.")";
//$query_result = mysql_query($query);
//return the querystring for use outside the function
return $query;
//disable this portion, since we're not working with a query result anymore (just a querystring to be used later)
if(1 < 1)
{
echo '<p>No matches found for "'.$search.'"</p>';
}
else
{
echo '<p>Search Results for "'.$search.'":</p>'."\n\n";
// output list of articles
while($row = mysql_fetch_assoc($query_result))
{
// output whatever you want here for each search result
echo '<a href="index.php?id='.$row['id'].'">'.$row['title'].'</a><br />';
}
}
}
else
{
// display a welcome page
}
}
// end search function

THE END.

]]> By: John Havlik http://www.jdhodges.com/2009/09/building-a-php-and-mysql-search-function/comment-page-1/#comment-566 John Havlik Thu, 08 Oct 2009 20:27:54 +0000 http://www.jdhodges.com/?p=327#comment-566 Catherine, If JD is using it on komparison then it should work with PHP5, our servers are running PHP 5.2. Catherine,

If JD is using it on komparison then it should work with PHP5, our servers are running PHP 5.2.

]]> By: Catherine http://www.jdhodges.com/2009/09/building-a-php-and-mysql-search-function/comment-page-1/#comment-565 Catherine Thu, 08 Oct 2009 12:20:15 +0000 http://www.jdhodges.com/?p=327#comment-565 I was very glad to find the link to: "PHP: Multi-word MySQL Search Algorithm and Output", but after 6 hours of trying to make it work, I'm stumped! It seems that it works on older versions of php, but not on my 5.1 version. Can you help me in any way? I was very glad to find the link to: “PHP: Multi-word MySQL Search Algorithm and Output”, but after 6 hours of trying to make it work, I’m stumped! It seems that it works on older versions of php, but not on my 5.1 version. Can you help me in any way?

]]>