Hey,
so I got this simple search page ready after input from people here:
<?php require('scripts/mysql.php');
session_start();
if ($_SERVER["REQUEST_METHOD"] == "POST") {
$_SESSION["__POSTFIELDS"] = serialize($_POST);
header("Location: ?check");
}
else {
if (strlen($_SESSION["__POSTFIELDS"]) > 0) {
$_POST = unserialize($_SESSION["__POSTFIELDS"]);
}
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Micard αναζήτηση συνεργατών</title>
<link href="scripts/searchres.css" rel="stylesheet" type="text/css" />
<link href="scripts/micard.css" rel="stylesheet" type="text/css" />
<?php include('include/meta.php'); ?>
</head>
<body>
<div id="scrl">
<?php include('include/top.php'); ?>
<?php include('include/headsearch.php'); ?>
<?php include('include/search.php'); ?>
<div id="list-container">
<?php
if(isset($_POST['term'])){
//if(preg_match("/[\p{Greek}A-Za-z0-9]+/u", $_POST['term'])){
$warning = 0; // initialise here, otherwise the check further down reads an undefined variable
$term = strip_tags(trim($_POST['term']));
$term = mysql_real_escape_string($term); // needs the connection opened in scripts/mysql.php
if ($term == "γράψτε τον όρο αναζήτησής σας...") {
$warning = 1;
}
// query to select from category or company
$sql = mysql_query("SELECT * FROM companies WHERE category LIKE '%$term%' OR company LIKE '%$term%'");
?>
<div>
<p><img src="layout/inside/sh1.png" width="978" height="12" alt="" /></p>
<?php
switch (true) { // each case is a boolean expression, so switch on true rather than on the result resource
case ( (mysql_num_rows($sql) == 1) && (mb_strlen($term, 'utf-8') > 1) ):
echo "<p>Για τον όρο αναζήτησης <strong>" .$term. "</strong> βρέθηκε <strong>" .mysql_num_rows($sql). "</strong> αποτέλεσμα.</p><br/>";
break;
case ( (mysql_num_rows($sql) > 1) && (mb_strlen($term, 'utf-8') > 1) ):
echo "<p>Για τον όρο αναζήτησης <strong>" .$term. "</strong> βρέθηκαν <strong>" .mysql_num_rows($sql). "</strong> αποτελέσματα.</p><br/>";
break;
case ( (mysql_num_rows($sql) >= 0) && (mb_strlen($term, 'utf-8') < 2) ):
echo "<p>Παρακαλούμε εισάγετε απο 2 χαρακτήρες και πάνω.</p>";
break;
case ( (mysql_num_rows($sql) == 0) || (mb_strlen($term, 'utf-8') == 0) ):
if ($warning == 1) { echo "<p>Παρακαλούμε εισάγετε τον όρο αναζήτησής σας...</p>";
}
else {
echo "<p>Δεν βρέθηκαν αποτελέσματα.</p>";
}
break;
} ?>
<p><img src="layout/inside/sh2.png" width="978" height="12" alt="" /></p>
</div>
<?php
//fetch results
if ( (mysql_num_rows($sql) > 0) && (mb_strlen($term, 'utf-8') > 1) ) {
while ($row = mysql_fetch_array($sql)) {
####### results loop START #######
?>
<div class="contents">
<table width="100%">
<tr>
<td class="results-image"><img src="photos/spreeder.jpg" width="150" height="137" alt="" /></td>
<td valign="top" class="results-info"><p class="resultshead">Spreeder Stores</p>
<p style="padding-bottom:10px;"><img src="layout/inside/resep.png" width="139" height="1" alt="" /></p>
<p style="padding-bottom:3px;">κατηγορία : <font color="#a09475">κοσμητική ιατρική</font></p>
<p style="padding-bottom:20px;">τηλ : <font color="#a09475">210 6041777</font></p>
<p><a href="#">σελίδα καταστήματος...</a></p></td>
</tr>
</table>
</div>
<?php
####### results loop END #######
}
}
//}
}
?>
<div style="clear:both"></div>
<div id="newstores">
<div class="newstoresheadbk">
<p>Πρόσφατες Συνεργασίες</p>
</div>
<div class="newstorefirst">
<p class="newstoreshead">Papagallino</p>
<p style="padding-bottom:12px;"><img src="layout/inside/resep.png" width="139" height="1" alt="" /></p>
<p><img src="photos/papagallino/papagallino-new.png" width="93" height="94" alt="" /></p>
<p class="newstorelink"><a href="#">προσφορες...</a></p>
</div>
<!--<div><img src="layout/inside/newstorevertsep.png" width="2" height="151" alt="" /></div>-->
<div style="clear:both;"></div>
</div>
</div>
<?php include('include/footer.php'); ?>
</div>
</body>
</html>
I'd like some advice on how to protect from SQL injection and the like. Would it be safe to remove the preg_match line, and is there some other way I should have my code than how it is now?
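Added example for the question above (not the poster's code): the same category/company search written with a PDO prepared statement, with LIKE-wildcard escaping and HTML escaping at output time. It assumes the `companies` table with the `category` and `company` columns from the original query; the DSN and credentials are placeholders.

```php
<?php
// Added example, not the poster's code. Assumes the `companies` table from the
// original query (columns `category`, `company`); DSN/credentials are placeholders.

function connectDb(): PDO {
    $pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
    return $pdo;
}

// Prepared statements stop SQL injection, but a user-typed "%" or "_" still acts
// as a LIKE wildcard. Escape them with "!" and declare that character via ESCAPE.
function escapeLike(string $value): string {
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $value);
}

function searchCompanies(PDO $pdo, string $term): array {
    $term = trim($term);
    if (mb_strlen($term, 'UTF-8') < 2) {
        return []; // same two-character minimum as the original page
    }
    $pattern = '%' . escapeLike($term) . '%';
    // The term is bound as data; it never becomes part of the SQL text.
    // Two placeholders because native prepares cannot reuse one name twice.
    $stmt = $pdo->prepare(
        "SELECT company, category FROM companies
         WHERE category LIKE :p1 ESCAPE '!' OR company LIKE :p2 ESCAPE '!'"
    );
    $stmt->execute([':p1' => $pattern, ':p2' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Escape for HTML at the point where the value is echoed, instead of strip_tags on input.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['term'])) {
    $term = (string) $_POST['term'];
    $rows = searchCompanies(connectDb(), $term);
    echo '<p>Search term <strong>' . h($term) . '</strong>: <strong>'
       . count($rows) . '</strong> result(s).</p>';
    foreach ($rows as $row) {
        echo '<p>' . h($row['company']) . ' : ' . h($row['category']) . '</p>';
    }
}
```

With the term bound as a parameter, the `preg_match` whitelist is no longer what stands between user input and the query, so dropping it does not weaken the SQL side; the remaining concern is echoing the term back into the page, which `h()` handles.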