Hi, I am trying to create a search function using OOP PHP; however, when I run my query and enter false data I am still getting results, results that are not in the database.
I feel like I am lacking something in my code.
Perhaps my query is wrong, I'm not sure, as I am new to the whole programming aspect.
Any help would be welcomed!
index.php
<?php
include("classes/class.House.inc");
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <title>UndergradPad</title>
    <link rel="stylesheet" type="text/css" href="css/style.css" />
</head>
<body>
    <div id="bodyWrapper">
        <div id="header">
            <img id="banner" alt="UnderGradPad Logo" src="images/banner.png"/>
        </div> <!-- End header -->
        <div id="search">
            <h1>Find student accommodation</h1><br/>
            <p> Location </p>
            <form method="post" action="search.php" name="search" id="searchform">
                <input type="text" name="term" id="searchinput"/>
                <input type="submit" name="submit" id="searchsubmit" value=""/>
            </form>
            <div class="help">e.g. 'PO5' or 'Portsmouth'</div>
        </div> <!-- End search -->
    </div> <!-- End bodyWrapper -->
</body>
</html>
classes/class.House.inc
<?php
include("connect/class.Database.inc");
class House extends Database {
    public function search (){
        $query = "SELECT * FROM houses WHERE postcode like '%$term%'";
        $result = $this->mysqli->query($query);
        $num_result = $result->num_rows;
        if($num_result > 0){
            while($rows =$result->fetch_assoc()){
                $this->data[]=$rows;
                //print_r($rows);
            }
            return $this->data;
        } else {
            echo 'No Records Found';
        }
    }
}
?>
First point, the $term variable is not defined. You may have meant $_POST['term']? This is the global variable that PHP defines for posted data. However, I would suggest having the variable as an argument on the function, as it will give you the flexibility to use it without relying on the post data.
eg:
…and in the code where you call it, pass $_POST['term'] as a parameter. Use something like this:
Secondly, you need to escape your SQL data, otherwise you are at risk of SQL injection. Since you are using the MySQLi classes for DB access, there are two approaches here: escape the variable yourself, or use Parameterised Queries and let MySQLi do the work for you.
Escaping it yourself:
Parameterised Queries:
See the PHP manual for more info on prepared statements.
Parameterised queries are considered the more secure and more modern approach, but either way will work just fine. You must do one or the other though; without them, your program will break as soon as someone enters a quote mark in the code, and it could easily be used to hack the site.
One final point: wildcard searches in SQL using a % at both ends of the string are extremely slow. You'll be okay if your DB is small, but as it grows, the query will get progressively slower and slower. If you expect to have more than a few hundred records in the table, you should seriously consider alternative searching methods. (There are a number of options here, depending on your needs, so I won't go into them now, but do a bit of research and see what is best for you.)
Hope that helps.
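The parameterised approach the answer recommends, written out as an added example (not the question's or the answer's code). It assumes the question's Database base class exposes a connected mysqli instance as $this->mysqli and that the mysqlnd driver is available for get_result(); the LIKE-escaping step and the empty-term check are additions on top of what the answer describes.

```php
<?php
// Added example, not the question's or answer's code. Assumes the
// Database base class from the question exposes a connected mysqli
// instance as $this->mysqli and that the mysqlnd driver is installed.
include("connect/class.Database.inc");

class House extends Database
{
    /** Search houses by postcode; returns matching rows, or [] if none. */
    public function search(string $term): array
    {
        // Escape LIKE metacharacters so a user-typed "%" or "_" is matched
        // literally; MySQL's default LIKE escape character is the backslash.
        $pattern = '%' . addcslashes($term, '%_\\') . '%';

        // The pattern is bound as a parameter, so quotes in the input
        // cannot alter the SQL; the query text itself never changes.
        $stmt = $this->mysqli->prepare(
            'SELECT * FROM houses WHERE postcode LIKE ?'
        );
        if ($stmt === false) {
            throw new RuntimeException('prepare failed: ' . $this->mysqli->error);
        }
        $stmt->bind_param('s', $pattern);
        $stmt->execute();
        $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
        $stmt->close();
        return $rows;
    }
}

// search.php (the form target): validate input before it reaches the model.
// An undefined or empty term becomes '%%' and matches every row, which is
// the "results for false data" symptom described in the question.
$term = isset($_POST['term']) ? trim($_POST['term']) : '';
if ($term === '') {
    echo 'Please enter a postcode or town.';
    exit;
}

$house = new House();
$rows = $house->search($term);
if ($rows === []) {
    echo 'No Records Found';
} else {
    foreach ($rows as $row) {
        // Encode output so stored data cannot inject HTML into the page.
        echo htmlspecialchars($row['postcode'], ENT_QUOTES, 'UTF-8'), "<br/>\n";
    }
}
```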