MSSQL和PHP高级搜索引擎查询不正确

Question

I have an advanced, yet simple, PHP search engine for my MSSQL table products . The search engine has three text inputs. The first input is for the make column of the table, the second is for the product_name column of the table, and the last is for my material column from the table. My problem, from what I can see, is that when I leave two inputs blank and type in valve , the query should echo SELECT * FROM products WHERE 1=1 AND product_name = 'valve' . Instead, the query is echoing SELECT * FROM products WHERE 1=1 . I don't know why that is happening, and I think I could use another set of eyes to figure out this issue.

Here is the full PHP code:

<form action="<?php $_PHP_SELF ?>" method="post">
      <input type="text"   name="make">
      <input type="text"   name="parttype">
      <input type="text"   name="material">
      <input type="submit" name="submit">
</form>

<?php
$conn = mssql_connect('gdm','ger','Rr1!');
mssql_select_db('Ggler',$conn);

if (isset($_POST['submit'])) {

$cheack = "";

if(isset($_GET["make"])&&$_GET["make"] != ""){
    $make = $_POST['make'];
    $cheack.="  AND make =  '$make' ";
}

if(isset($_GET["parttype"])&&$_GET["parttype"] != ""){
    $parttype = $_POST['parttype'];
    $cheack.="  AND product_name =  '$parttype' ";
}

if(isset($_GET["material"])&&$_GET["material"] != ""){
    $material = $_POST['material'];
    $cheack.="  AND material =  '$material' ";
}

   $DB = "SELECT * FROM products WHERE 1=1 ".$cheack;
   $runquery = mssql_query($DB, $conn);
   $dad =  mssql_fetch_assoc($runquery);
   echo "".$DB."";
}else { 
    echo "No search made"; }
?>

Thank you for any help. All help is greatly appreciated.

Answer 1

Spot the problem:

<form action="<?php $_PHP_SELF ?>" method="post">
                                           ^^^^^

if(isset($_GET["make"])&&$_GET["make"] != ""){
          ^^^^            ^^^^

As well, you are vulnerable to SQL injection attacks .