
I have a search engine with an HTML form that sends data to a PHP script that queries a MySQL database. In the HTML form, I have an option that allows multiple selections. Thus far, I have put square brackets after the name in the HTML in order to make it an array. But I think there is a problem in the PHP because results are not correct.

HTML

<select multiple="multiple" name='category[]'>
      <option>Literature</option>
      <option>History</option>
      <option>Science</option>
      <option>Fine Arts</option>
      <option>Trash</option>
      <option>Mythology</option>
      <option>Phylosophy</option>
      <option>Social Science</option>
      <option>Religion</option>
      <option>Geography</option>
  </select>

search.php

$button = $_GET ['submit'];
$search = $_GET ['search'];

}

if(strlen($search)<=1)
echo "Search term too short";
else{
echo "You searched for <b><em>$search</em></b> and ";
mysql_connect("fake","fake","fake");
mysql_select_db("quinterestdb");}

mysql_real_escape_string($search);

$search_exploded = explode (" ", $search);

foreach($search_exploded as $search_each)
{
$x++;
if($x==1)
$construct .="Answer LIKE '%$search_each%'";
else
$construct .="AND Answer LIKE '%$search_each%'";

}

$cat = $_GET ['category'];
$comma_separated = implode("','", $cat);

$constructs ="SELECT * FROM tossups WHERE $construct AND Category IN('$comma_separated')";
$run = mysql_query($constructs);

When I use the search engine, the script runs just fine, but there are still results that have categories that were not selected. Any idea?

Comments

  • What is the form method? Are you using POST or GET? Commented Jun 17, 2013 at 6:34
  • can you print $constructs and run in phpmyadmin. Commented Jun 17, 2013 at 6:35
  • GET is default. You don't have to specify. Commented Jun 17, 2013 at 6:35
  • What is in the $construct variable? Commented Jun 17, 2013 at 6:36
  • option tag should have value attribute assigned, in implode double-quotes are extra, your script is vulnerable to sql injection, you use deprecated mysql API. Commented Jun 17, 2013 at 6:40

1 Answer

That's not the way. Should be something like this, with VALUE

<select multiple="multiple" name='category[]'>
      <option value="v1">Literature</option>
      <option value="v2">History</option>
...
  </select>
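
One of the comments on the question flags SQL injection and the deprecated mysql API. As an added example (not code from the question or the answer), this is one way to build the same query with PDO placeholders and an allow-list for `category[]`. The names `build_tossup_query` and `CATEGORIES` and the sample rows are assumptions for illustration; the table and column names are taken from the question.

```php
<?php
// Added example, not the asker's code. Table and column names (tossups, Answer,
// Category) come from the question; allow-list and sample rows are constructed.
const CATEGORIES = ['Literature', 'History', 'Science', 'Fine Arts', 'Trash',
    'Mythology', 'Phylosophy', 'Social Science', 'Religion', 'Geography'];

/** Returns [sql, params] with one placeholder per search word and per category. */
function build_tossup_query(string $search, $categories): array
{
    $where = $params = [];
    $words = preg_split('/\s+/', trim($search), -1, PREG_SPLIT_NO_EMPTY);
    foreach ($words as $word) {
        // Escape LIKE wildcards so % and _ typed by the user match literally.
        $params[] = '%' . strtr($word, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
        $where[] = "Answer LIKE ? ESCAPE '!'";
    }
    // category[] should arrive as an array of strings; unknown values are dropped.
    $input = is_array($categories) ? array_filter($categories, 'is_string') : [];
    $chosen = array_values(array_intersect(CATEGORIES, $input));
    if (!$words || !$chosen) {
        throw new InvalidArgumentException('need a search term and a known category');
    }
    $where[] = 'Category IN (' . implode(',', array_fill(0, count($chosen), '?')) . ')';
    return ['SELECT * FROM tossups WHERE ' . implode(' AND ', $where),
            array_merge($params, $chosen)];
}

// Constructed demo data in an in-memory SQLite database (requires pdo_sqlite).
// Against MySQL, only the PDO DSN and credentials differ.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tossups (Answer TEXT, Category TEXT)');
$pdo->exec("INSERT INTO tossups VALUES ('Battle of Hastings', 'History'),
    ('Hastings Cutoff', 'Geography'), ('Moby Dick', 'Literature')");

// The second category value is a constructed injection attempt; the allow-list discards it.
[$sql, $params] = build_tossup_query('hastings', ['History', "x') OR ('1'='1"]);
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    // HTML-escape database values before echoing them into the results page.
    echo htmlspecialchars("{$row['Answer']} [{$row['Category']}]"), "\n";
}
```

With the constructed rows, only the History row is returned: the Geography row matches the search word but not the selected category, and the injected value never reaches the SQL text.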