1. 首页
  2. 问答
  3. 搜索显示所有产品

搜索显示所有产品

2014-12-13 97 views
-4

你好,当我从它的关键字搜索产品,我插入MYSQL所有的产品都出现请帮助我这是搜索的代码 我纠正了在评论中,但它是直到不工作搜索显示所有产品

这是我的整个结果页面

<!DOCTYPE html> 
 
<?php 
 
include ("functions/functions.php"); 
 
?> 
 
<html> 
 
<head> 
 
<title>eRiviera</title> 
 
<meta charset='utf-8'> 
 
<meta http-equiv="X-UA-Compatible" content="IE=edge"> 
 
<meta name="viewport" content="width=device-width, initial-scale=1"> 
 
<link rel="stylesheet" href="styles/style.css" media="all"/> 
 
<script src="http://code.jquery.com/jquery-latest.min.js" type="text/javascript"></script> 
 
<script src="js/menubarscript.js"></script> 
 
</head> 
 
<body> 
 
<div class="main_wrapper"> 
 
<ul class="btn-circles"> 
 
    <li><a href="#" class="round green">Login<span class="round">That is, if you already have an account.</span></a></li> 
 
    <li><a href="#" class="round red">Sign Up<span class="round">But only if you really, really want to.</span></a></li> 
 
</ul> 
 
     
 
<!--Header starts here--> 
 
    <div class="header_wrapper"> 
 
\t <!--Logo--> 
 
<img id="logo" src="http://localhost/ecommerce/images/logo.png" width="500px" height="300px" alt="Logo" /> 
 
<!--Logo--> 
 
\t </div> 
 
<!--Header ends here--> 
 

 

 
<!--Menu bar starts here--> 
 
<div id='cssmenu'> 
 
<ul> 
 
    <li class='active'><a href='index.php'>Home</a></li> 
 
    <li><a href='#'>Products</a></li> 
 
    <li><a href='#'>About</a></li> 
 
    <li><a href='#'>Contact</a></li> 
 
    <p style="float:right; margin-right:140px; margin-top:21px; color:red;">Welcome Guest!</p> 
 
    <li><a id="shopping_cart" style="margin:14px 0 0 0;left:750px; color:blue; font-size:12px;" href="cart.php">Shopping Cart</a></li> 
 
\t </ul> 
 
    </div> 
 

 
<form class="form-wrapper cf"> 
 
     <input type="text" name="user_query" placeholder="Search here..." required> 
 
\t \t <form method="get" action="results.php" enctype="multipart/form-data"> 
 
     <button type="submit" name="search" value="Search">Search</button> 
 
    </form> 
 
<ul id="cats"> 
 
<?php getCats(); ?> 
 
</ul> 
 

 
\t <!--Menu bar ends here--> 
 
\t 
 
\t <!--Content wrapper starts here--> 
 
\t <div class="content_wrapper"> 
 
\t <div id="content_area"> 
 
\t <div id="products_box"> 
 
\t <?php 
 
\t if(isset$_GET['search'])) { 
 

 
     $search_query = $_GET['user_query']; 
 
     $get_pro = "select * from products where product_keywords like '%$search_query%'"; 
 

 
     $run_pro = mysqli_query($con, $get_pro); 
 

 
     while($row_pro = mysqli_fetch_array($run_pro)) { 
 

 
      $pro_id = $row_pro['product_id'];  
 
      $pro_cat = $row_pro['product_cat'];  
 
      $pro_brand = $row_pro['product_brand'];  
 
      $pro_title = $row_pro ['product_title'] ;  
 
      $pro_price = $row_pro['product_price'];  
 
      $pro_image = $row_pro['product_image']; 
 

 
      echo " 
 
       <div id='single_product'>  
 
       <h3 id='product_title'>$pro_title</h3>  
 
        <img src='admin_area/product_images/$pro_image' width='180' height='200' /> 
 
        <p><b> $ $pro_price <b></p> 
 
        <a id='details-button' href='details.php?pro_id=$pro_id'>Details</a> 
 
        <a href='index.php?pro_id=$pro_id'><button class='button'>Add to Cart</button></a> 
 
       </div> 
 
      "; 
 

 
     } 
 

 
    } 
 

 
?> 
 
\t ?> 
 
\t </div> 
 
\t </div> 
 
\t </div> 
 
\t <!--Content wrapper ends here--> 
 
\t 
 
\t 
 
    <div id="footer"> 
 
\t <h5 style="text-align:center; padding-top:30px;">&copy;2014 eRiviera All Rights Reserved</h5> 
 
\t </div> 
 
<!--Main wrapper ends here--> 
 

 

 
</body> 
 
</html>

来源

2014-12-13 Antonio Chelala

+0

这个脚本完全容易受到sql注入攻击。不要将其发布到互联网上。此外,该脚本有语法错误。 – 2014-12-13 12:33:35

+3

好的SQL注入。如果我通过'x'会发生什么; DROP DATABASE; - 作为'user_query'? – nvoigt 2014-12-13 12:34:15

+0

你可以提供一个“search_query”的例子吗? – Benvorth 2014-12-13 12:35:06

回答

0

你的形式不正确的结构 - 在“USER_QUERY”字段的形式为S的外$_GET['user_query']永远不会被设置。尝试改变这一点:

<form class="form-wrapper cf"> 
    <input type="text" name="user_query" placeholder="Search here..." required> 
    <form method="get" action="results.php" enctype="multipart/form-data"> 
    <button type="submit" name="search" value="Search">Search</button> 
</form>

为了这样的事情:

<div class="form-wrapper cf"> 
    <form method="get" action="results.php" enctype="multipart/form-data"> 
     <input type="text" name="user_query" placeholder="Search here..." required> 
     <button type="submit" name="search" value="Search">Search</button> 
    </form> 
</div>

而且,其他几个人指出的那样,这是容易受到SQL注入。这篇文章讨论一个非常类似于你的场景:How can I prevent SQL injection in PHP?

我强烈建议你通过验证服务运行你的生成代码,以便在你的html中发现错误。一定要使用生成的html(从浏览器中的“查看源代码”复制),而不仅仅是来自php文件的代码,因为验证器不会理解PHP。 WWW联盟有一个好工具:http://validator.w3.org/#validate_by_input

来源

2014-12-13 16:25:36 Cragmonkey

相关问题

 相关问题