I have written the below code for searching a database with strings. (Removed a bit of unessential code..)
Any obvious security issuesor suggestions on how to improve it?
Thanks.....
( id | string | ranking )
echo "<b>Search results:</b><p>";
$found = 0;
$host = "mysql.server.com";
$user = "user";
$pass = "pass";
$db = "db";
$arr = array();
$connection = mysql_connect($host, $user, $pass) or die ("Unable to connect!");
mysql_select_db($db) or die ("Unable to select database!");
//
// REGULAR SEARCH
//
$query = "SELECT * FROM strings WHERE MATCH (name) AGAINST ('".$search."' IN BOOLEAN MODE)";
$result = mysql_query($query) or die ("Error in query, == search");
while($row = mysql_fetch_row($result)) {
$arr[] = $row[0];
}
//
// %% SEARCH
//
$query = "SELECT * FROM `strings` WHERE `name` LIKE '%".$search."%' ORDER BY `ranking` DESC LIMIT 0 , 30";
$result = mysql_query($query) or die ("Error in query");
while($row = mysql_fetch_row($result)) {
foreach ($arr as $line) {if ($line == $row[0]) {$included = 1;}}
if ($included != 1) {$arr[] = $row[0];}
$included = 0;
}
//
// SOUNDEX SEARCH
//
$query = "SELECT * FROM strings where soundex(name) = soundex('$search') ORDER BY `ranking` DESC LIMIT 0 , 30";
$result = mysql_query($query) or die ("Error in query");
while($row = mysql_fetch_row($result)) {
foreach ($arr as $line) {if ($line == $row[0]) {$included = 1;}}
if ($included != 1) {$arr[] = $row[0];}
$included = 0;
}
// ADD RESULTS
//
Not sure if the below is 100% correct with the { and }'s, I removed some unessential code.
foreach ($arr as $line) {
$query = "SELECT * FROM `strings` WHERE `fid` LIKE '".$line."'";
$result = mysql_query($query) or die ("Error in query, add results");
while($row = mysql_fetch_row($result)) {
echo $row[1];
}
}
mysql_close($connection);
}
