I have an advanced, yet simple, PHP search engine for my MSSQL table products. The search engine has three text inputs. The first input is for the make column of the table, the second is for the product_name column of the table, and the last is for my material column from the table. My problem, from what I can see, is that when I leave two inputs blank and type in valve, the query should echo SELECT * FROM products WHERE 1=1 AND product_name = 'valve'. Instead, the query is echoing SELECT * FROM products WHERE 1=1. I don't know why that is happening, and I think I could use another set of eyes to figure out this issue.
Here is the full PHP code:
<form action="<?php $_PHP_SELF ?>" method="post">
    <input type="text" name="make">
    <input type="text" name="parttype">
    <input type="text" name="material">
    <input type="submit" name="submit">
</form>
<?php
$conn = mssql_connect('gdm','ger','Rr1!');
mssql_select_db('Ggler',$conn);
if (isset($_POST['submit'])) {
    $cheack = "";
    if(isset($_GET["make"])&&$_GET["make"] != ""){
        $make = $_POST['make'];
        $cheack.=" AND make = '$make' ";
    }
    if(isset($_GET["parttype"])&&$_GET["parttype"] != ""){
        $parttype = $_POST['parttype'];
        $cheack.=" AND product_name = '$parttype' ";
    }
    if(isset($_GET["material"])&&$_GET["material"] != ""){
        $material = $_POST['material'];
        $cheack.=" AND material = '$material' ";
    }
    $DB = "SELECT * FROM products WHERE 1=1 ".$cheack;
    $runquery = mssql_query($DB, $conn);
    $dad = mssql_fetch_assoc($runquery);
    echo "".$DB."";
} else {
    echo "No search made";
}
?>
Thank you for any help. All help is greatly appreciated.
Spot the problem:
<form action="<?php $_PHP_SELF ?>" method="post">
                                           ^^^^^
if(isset($_GET["make"])&&$_GET["make"] != ""){
          ^^^^            ^^^^
As well, you are vulnerable to SQL injection attacks.
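One way to build the same optional filters with bound parameters, reading each value from the same array the form posts to (an added example, not part of the original answer or the asker's code). The names `build_product_search` and `SEARCH_FIELDS`, the sample rows and the in-memory SQLite connection are assumptions made so it runs offline; on SQL Server the PDO connection would use a `sqlsrv:` DSN.

```php
<?php
// Form field name => column name. Column names come only from this fixed
// map, never from the request, so only values need to be bound.
const SEARCH_FIELDS = [
    'make'     => 'make',
    'parttype' => 'product_name',
    'material' => 'material',
];

// Returns [sql, params]: one "AND column = ?" per non-blank field.
function build_product_search(array $input): array
{
    $sql = 'SELECT * FROM products WHERE 1=1';
    $params = [];
    foreach (SEARCH_FIELDS as $field => $column) {
        $value = $input[$field] ?? '';
        if (!is_string($value) || trim($value) === '') {
            continue; // blank or non-string input adds no filter
        }
        $sql .= " AND $column = ?";
        $params[] = trim($value);
    }
    return [$sql, $params];
}

// Constructed stand-in for the products table (assumption: SQLite in memory).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (make TEXT, product_name TEXT, material TEXT)');
$pdo->exec("INSERT INTO products VALUES ('Acme', 'valve', 'brass'), ('Acme', 'pump', 'steel')");

// Constructed form submissions (what $_POST would hold after submit).
$samples = [
    ['make' => '', 'parttype' => 'valve', 'material' => ''],
    // A quote in the input stays data: it is compared as a literal string.
    ['make' => '', 'parttype' => "valve' OR '1'='1", 'material' => ''],
];
foreach ($samples as $post) {
    [$sql, $params] = build_product_search($post);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    printf("%s | params=%s | rows=%d\n", $sql, json_encode($params), count($rows));
}
```

Both samples produce the same SQL text with one placeholder; only the bound value differs, which is why the second one matches no rows instead of changing the query.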