Home/ Questions/Q 8542889
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-11T12:10:29+00:00

currently I have a simple search query which works as follows: $username = $_SESSION[‘username’];

  • 0

currently I have a simple search query which works as follows:

$username = $_SESSION['username'];
$chosencategory = $_GET['category'];
$price = $_GET['price'];

$search = $_GET['search'];
$terms = explode(" ", $search);

if ($price && $chosencategory){
        $sql = "SELECT * FROM people WHERE MATCH (lname,fname) AGAINST (:search IN BOOLEAN MODE) AND category='$chosencategory' ORDER BY price $price";
    $q   = $conn->prepare($sql) or die("failed!");
    $q->bindValue(':search',"%".$search."%",PDO::PARAM_STR);
    $q->execute();
    }

When a user chooses, for example, “display price lowest to highest” the value sent through to $_GET['price'] = ASC, however i am not sure if this is a safe way to sort the results, does anyone have a better way?

also this method is not the best as when the user choses a sort option such as “display price lowest to highest” the dropdown box echoes the value which has been sent to the $_GET[‘price’] which is “ASC” so in the dropdown box it reads ASC after the form as been sent!

Sorry if this is confusing please comment if you would like me to re-explain this, any help or advice is much appreciated!!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Related to your value binding and sql injection, you should also check that values are set before using. if you enabled error_reporting(E_ALL) you would see lots of Undefined warnings. Here are some tips/changes:

    <?php 
// Check and set username
$username = (isset($_SESSION['username']) ? $_SESSION['username'] : 'guest');

// Check and set category
$category = (!empty($_GET['category']) ? $_GET['category'] : null);

// Check and set search
if(!empty($_GET['search'])){
    $search = $_GET['search'];
    $terms  = explode(" ", $search);
}else{
    $search = null;
    $terms  = null;
}

// Check that $_GET['price'] is ASC if not set to DESC
// as static values its ok to directly put in the query 
if(isset($_GET['price']) && $_GET['price'] == 'ASC'){
    $price = 'ASC';
}else{
    $price = 'DESC';
}

if ($category !== null && $search !== null){

    $sql = "SELECT   *
            FROM     people
            WHERE    MATCH (lname,fname) AGAINST (:search IN BOOLEAN MODE)
            AND      category = :category
            ORDER BY price ".$price;

    $q = $conn->prepare($sql);
    // Bind the params to the placeholders
    $q->bindParam(':search', $search, PDO::PARAM_STR);
    $q->bindParam(':category', $category, PDO::PARAM_STR);
    $q->execute();
    // Get result
    $result = $q->fetchAll(PDO::FETCH_ASSOC);
}
?>
    • 0