Member Avatar

nova37

hello
i want to add search functionality to my website .

my task is to get input from user then check it if its domain like google.com then (do work 1).... else if keyword like news etc then search database

so i made search.php

mysql_query("SELECT * FROM `table` WHERE `title` LIKE '%$keyword%' OR `descrption` LIKE '%$keyword%' LIMIT 0 , 30");

now when i use php header function am unable to send get argument to search.php

header("location: $siteurl/search.php?q=$url3");

so please help me with it or give me another alternate solution actually when i take input from user then i check it another php script that its domain or keyword after that i have to send it to search.php

also for security analysis : please tell me that is it ok that directly send userinput to database or first do some filteration to avoid sql injection

never trust your users. End of story. At the very minimum,

$keyword = mysql_real_escape_string($keyword);

should be used.

With the limited code you have given, it's difficult to say.

Without knowing how $siteurl is populated, or how $url3 is populated, it's difficult to see where you are failing.

header location ...
does not work if something has been put on the screen using echo or print

you dont need to user header. if you are setting up a search form you need to use form and also need to user post/get.

Example:

<form action="search.php" method="GET">
<div>
<p><input type="text" name="q" /></p>
<p><input type="submit" value="Search" /></p>
</div>
</form>

When you get you user input for the search form, check the get method

Example:

if(isset($_GET['q'])){
    $keyword = $_GET['q'];
    mysql_query("SELECT * FROM `table` WHERE `title` LIKE '%$keyword%' OR `descrption` LIKE '%$keyword%' LIMIT 0 , 30");

    //Do something to return you results.

}