Posts Tagged ‘PHP’

Build a PHP search with MySQL

Sunday, January 6th, 2008

So this is big. Most companies want a very in-depth search on their website, so what do you do? Well, most people just do a simple SQL query with the LIKE operator. However, search is much, much more than that. Several things to take into account are stop words, relevancy, uppercase/lowercase, trimming, multiple words, and so much more. Hopefully this will help you a little.

Things to remember

  • Never pass user-supplied input straight to the database
  • Trim off the extra spaces
  • Convert to lower case
  • Clean out stop words like ‘and’, ‘if’, ‘or’, ...
  • Strip out punctuation

To start:

<?php
// Make these lists bigger for what you need. Every stop word is padded with
// spaces so only whole words match; the input is padded the same way below.
$stop_words = array(" if ", " and ", " other ", " dont ", " never ");
$punctuation = array('/','\\','\'','<','>','(','*','&','?',';',':','[',']','{','}','|'
                     ,'=','+','"',',','.','-','_',')','^','%','$','#','@','!','~','`');

$string = isset($_GET['search']) ? $_GET['search'] : '';
$string = ' ' . strtolower($string) . ' ';           // pad so the first and last word can match a stop word
$string = str_replace($stop_words, ' ', $string);
$string = str_replace($punctuation, ' ', $string);
$string = trim(preg_replace('/\s+/', ' ', $string)); // collapse the gaps left behind
?>

Porter Stemming Algorithm

Check this out: the Porter Stemming Algorithm. You should become acquainted with this algorithm if you want to build a great search. Basically every word has multiple variations, and what you want to do is reduce all words to their base form.

For example: the word ‘Visual’ can also be Visuals or Visualization. If you just do a basic search and type Visualization, things like visual won't show up. What do you do? Well, download a class that applies this algorithm to your string.
This article is still being written

What Now?!

Now it's time to think. Go figure. So, on to the actual query. You can write it as a simple query like this:

$sql = "select * from table where column like '%$string%';"

The only problem with that is the search is going to have to be near exact, so what you need to do is split the string into words and search for each of them with an OR.

$sql = "select * from table where (column like '%$word1%' or column like '%$word2%');"

So now you have all these results. Now comes the hard part, and the part where I leave you. You're going to have to write an algorithm or some means of reordering the list. Some things to remember: more exact results should show up higher on the list.
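As an added example (not code from the post), here is the OR-of-LIKEs query built with PDO placeholders instead of splicing $string into the SQL, plus a simple relevance score so rows that match more of the words sort first. It assumes the pdo_sqlite extension; the articles table and its rows are constructed for the demo.

```php
<?php
// Added example, not code from the post. Assumes the pdo_sqlite extension;
// the table and rows below are constructed so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE articles (id INTEGER PRIMARY KEY, body TEXT)");
$ins = $pdo->prepare("INSERT INTO articles (body) VALUES (?)");
foreach (array('visual design notes', 'data visualization in php', 'php tips') as $body) {
    $ins->execute(array($body));
}

// $cleaned is the lower-cased, punctuation-stripped string from the post.
function search_words(PDO $pdo, $cleaned) {
    $words = preg_split('/\s+/', trim($cleaned), -1, PREG_SPLIT_NO_EMPTY);
    if (empty($words)) {
        return array();
    }
    $likes = $scores = $params = array();
    foreach ($words as $word) {
        $likes[]  = 'body LIKE ?';
        $scores[] = '(body LIKE ?)';   // evaluates to 1 or 0 for this word
        // The cleaning step already removed % and _, so a word cannot widen the LIKE.
        $params[] = '%' . $word . '%';
    }
    // The score expression appears first in the statement, so its parameters
    // are bound first, then the same values again for the WHERE clause.
    $sql = 'SELECT body, (' . implode(' + ', $scores) . ') AS score FROM articles'
         . ' WHERE ' . implode(' OR ', $likes)
         . ' ORDER BY score DESC, id';
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array_merge($params, $params));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

foreach (search_words($pdo, 'visual php') as $row) {
    echo $row['score'], '  ', $row['body'], "\n";
}
```

For the search 'visual php' the row containing both words is listed first; the user's words only ever travel as bound parameters, never as SQL text.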

Author: Jason Rogers

I hate mysql injectors

Monday, October 29th, 2007

So we had someone MySQL-inject some stupid code. I won't go into details, except that it caused me a large headache over the weekend. I had some old code that didn't escape quotes, and guess what, I paid for it with my blood. Anyways, this is for everyone that at one point was too lazy to proof some of their old code. I will post a simple function that solves this problem.

Usually MySQL injection is done by the user putting an end quote in the textbox, then typing OR 1=1. So say someone types this in:

jason' or 1=1

$variable = $_REQUEST['password'];
$query = "Select * from users where username = 'username' and password = '".$variable."'";

As you can see, the OR 1=1 being put in there would cause the statement to return users, thus letting someone into the system.

Here's a simple example of how to prevent this, although there are hundreds of ways you could do it.

<?php
function prevent_injection($data) {
    // Undo magic_quotes_gpc (PHP < 5.4) so the value is not escaped twice.
    if (ini_get('magic_quotes_gpc')) {
        $data = stripslashes($data);
    }
    // Escape for use inside a quoted SQL string literal. This needs an open
    // mysql connection; without one the function returns false.
    if (function_exists('mysql_real_escape_string')) {
        return mysql_real_escape_string(trim($data));
    }
    // Fail closed: never hand back the raw value when escaping is unavailable.
    trigger_error('mysql_real_escape_string() is not available', E_USER_ERROR);
}

$variable = isset($_REQUEST['password']) ? $_REQUEST['password'] : '';
$query = "Select * from users where username = 'username' and password = '" . prevent_injection($variable) . "'";
?>
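An added example, not the post's code: the same login lookup written with a PDO prepared statement, so the password value is bound after the SQL is parsed and a quote inside it is just data. It assumes the pdo_sqlite extension; the users table and the stored password are constructed (the post stores passwords in clear, and hashing them is a separate fix).

```php
<?php
// Added example, not the post's code. Assumes the pdo_sqlite extension;
// the users table and its single row are constructed for the demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (username TEXT, password TEXT)");
$pdo->exec("INSERT INTO users VALUES ('jason', 'correct horse')");

// The shape from the post, shown only as the string it produces: the
// value is spliced into the SQL text, so quotes in it change the statement.
function build_unsafe_query($username, $password) {
    return "Select * from users where username = '$username' and password = '$password'";
}

// Hardened form: placeholders are bound after parsing, so the value can
// never become part of the SQL, whatever characters it contains.
function login_rows(PDO $pdo, $username, $password) {
    $stmt = $pdo->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
    $stmt->execute(array($username, $password));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$input = "jason' or 1=1";   // the textbox input from the post
echo build_unsafe_query('jason', $input), "\n";
echo count(login_rows($pdo, 'jason', $input)), " row(s) for the injected input\n";
echo count(login_rows($pdo, 'jason', 'correct horse')), " row(s) for the real password\n";
```

The first echo shows how the post's input lands inside the SQL text; the prepared statement compares the whole input literally as a password and matches no row.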

Author: Jason Rogers

Pesky Quotes, What should i do with them?

Tuesday, October 23rd, 2007

Well, about an hour ago I lost my thumb drives, which hold all the basic functions I use on a day-to-day basis. As any geek will tell you, this sort of thing almost certainly means the end of the world, but I will go on. Without them I'm at a huge loss, so as I try to rebuild my library of functions I'll post some of them. Note: most of the functions are PHP.

Ever try to create a back-end for a website, or simply build a form, and can't seem to get those damn quotes to show in the textbox? Well, my co-worker just asked me about this and is pretty frustrated. The simple solution is to create a basic function that uses a string replace to put in the HTML entity (the character's ASCII code) instead of the character.

Example 1 - Quotes in a text box:

<?PHP
function code_for_ascii($data) {
     $temp = str_replace("'", '&#39;', $data); //Single Quote
     $temp = str_replace('"', '&quot;', $temp); //Double Quote
     return $temp;
}
 
$test_variable = '"jason"\'';
?>
<input type="text" name="test" value="<?PHP echo code_for_ascii($test_variable); ?>">

This function is cool, and you may have tried it just now. If you did, you'll see that when you submit the form the returned response is

\"jason\"\'

Kinda weird, but it will escape the characters for you. Now say you want to put that request back into a textbox; you'll need to do it like so.

<?PHP
$variable_1 = code_for_ascii(stripslashes($_REQUEST['test']));
?>
     <input type="text" name="test" value="<?PHP echo $variable_1; ?>">
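An added example, not code from the post: the quote-only replacement above placed next to htmlspecialchars(), which also encodes &, < and >, so the value is safe in a double-quoted attribute and anywhere else it is echoed. The sample inputs are constructed; the last one is the submitted value from the post as PHP receives it with magic_quotes_gpc on.

```php
<?php
// Added example, not code from the post. Inputs below are constructed.
function code_for_ascii_quotes_only($data) {
    $temp = str_replace("'", '&#39;', $data);     // single quote
    return str_replace('"', '&quot;', $temp);      // double quote; & < > pass through
}

function code_for_attribute($data) {
    // ENT_QUOTES encodes both quote styles; &, < and > are encoded as well,
    // so text that already looks like an entity is shown literally, as typed.
    return htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
}

function form_value($raw) {
    // Re-display step from the post: undo magic_quotes, then encode.
    return code_for_attribute(stripslashes($raw));
}

$samples = array('"jason"\'', 'a & b < c', '&quot;typed by the user&quot;');
foreach ($samples as $s) {
    printf("%-32s | %-36s | %s\n", $s, code_for_ascii_quotes_only($s), code_for_attribute($s));
}

// The value as submitted in the post, with the backslashes magic_quotes added.
$submitted = '\\"jason\\"\\\'';
echo '<input type="text" name="test" value="', form_value($submitted), '">', "\n";
```

The middle column shows the quote-only function leaving & and < untouched, which is why htmlspecialchars() is the safer drop-in for both the first display and the round trip.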

Author: Jason Rogers




Jason Rogers of the Neurotic Geeks is proudly powered by WordPress