Question

0

39

Views

how to create search engine with mysqli and php syntax

So, i want to make my own search engine to find a data by typing the title on the search box and get the data from my database and the output just like wht the users input to the search box.. so here's my code: 1. HTML CODE(SEARCH BOX)

<form id="hform-search" class="hform-search" method="post" action="">
        <input id="search-box" class="form-control" type="text" placeholder=" I want to learn.." name="keyword" autocomplete="off" autofocus="" />
        <div id="suggesstion-box"></div>
        <input type="submit" class="btn btn-default f-tutorials" name="go_t" value="Find Tutorials" />
        <input type="submit" class="btn btn-default f-course" name="go_c" value="Find Courses" />
        <p class="hero-subtitle"><em>"Let us help you to involve"</em> </p>
        </div>

</form>

PHP CODE

    $conn = mysqli_connect("localhost","root","","neurorial");
      if ($_POST[go_t] == 'Find Tutorials') {
        $keyword_t = $_POST[keyword];
        $find_t = mysqli_query($conn, "SELECT * FROM search WHERE video_tutorial LIKE '%$keyword_t%' ");
        $check_t = mysqli_num_rows($find_t);
        if ($check_t == 0) {
          echo 'sorry the video with this " $keyword_t " keyword is not found';
        }else {
          while ($rows_t=mysqli_fetch_array($find_t) ) {
            echo "$rows_t[video_tutorial]<br>";
          }
        }
      }

      if ($_POST['go_c'] == 'Find Courses') {
        global $conn;
        $keyword_c = $_POST['keyword'];
        $find_c = mysqli_query($conn, "SELECT * FROM search WHERE course LIKE '%$keyword_c%'");
        $check_c = mysqli_num_rows($find_c);
        if ($check_c == 0) {
        echo "maaf pencarian Course dengan keyword $keyword_c tidak di temukan";
          }else {
            while ($find_c = mysqli_fetch_array($find_c) ) {
              echo "$find_c[course]<br>";
            }
          }
        }

Then i always got this result:

Notice: Use of undefined constant go_t - assumed 'go_t' in D:\KAMPUS\Server\htdocs\PW\Neuro.inc\index.php on line 87

Notice: Undefined index: go_t in D:\KAMPUS\Server\htdocs\PW\Neuro.inc\index.php on line 87

Notice: Undefined index: go_c in D:\KAMPUS\Server\htdocs\PW\Neuro.inc\index.php on line 100

Could anyone solve this problem and tell me why i always got this error? Thanks in advance! :)

3 months ago ·

Santiago Trujillo

2 answers

Answer question

0

Answer question

Find remote jobs

Loading

Answer 1 · 2022-05-26T16:52:13.840Z

It is because your code also execute before submit form

<?php
if ($_POST){ //<------------ Add this condition
        $conn = mysqli_connect("localhost","root","","neurorial");
          if ($_POST['go_t'] == 'Find Tutorials') { //<---------------- change here
            $keyword_t = $_POST[keyword];
            $find_t = mysqli_query($conn, "SELECT * FROM search WHERE video_tutorial LIKE '%$keyword_t%' ");
            $check_t = mysqli_num_rows($find_t);
            if ($check_t == 0) {
              echo 'sorry the video with this " $keyword_t " keyword is not found';
            }else {
              while ($rows_t=mysqli_fetch_array($find_t) ) {
                echo "$rows_t[video_tutorial]<br>";
              }
            }
          }

          if ($_POST['go_c'] == 'Find Courses') {
            global $conn;
            $keyword_c = $_POST['keyword'];
            $find_c = mysqli_query($conn, "SELECT * FROM search WHERE course LIKE '%$keyword_c%'");
            $check_c = mysqli_num_rows($find_c);
            if ($check_c == 0) {
            echo "maaf pencarian Course dengan keyword $keyword_c tidak di temukan";
              }else {
                while ($find_c = mysqli_fetch_array($find_c) ) {
                  echo "$find_c[course]<br>";
                }
              }
            }
}
         ?>

Answer 2 · 2022-05-26T16:52:13.857Z

You're getting the specific error you mentioned because you didn't quote go_t on the second line of your PHP code.

$_POST[go_t] needs to be $_POST['go_t'].

You should also check to make sure that key is set in the array as well - that makes your if statements look like the following:

if (isset($_POST['go_t']) && $_POST['go_t'] == 'Find Tutorials') {

if (isset($_POST['go_c']) && $_POST['go_c'] == 'Find Courses') {

As @b-desai also noted, you could add the if ($_POST) condition too; but that just means the code won't run at all unless the request has come in via POST.

As it stands though, your code has some really significant flaws that will come back to bite you later on. Most importantly, it's subject to SQL injection, cross-site scripting (XSS) and CSRF. That last, I won't address here, but you should research it for yourself.

To address the SQL injection - don't ever use interpolated strings in SQL queries, as you have in these lines:

$find_t = mysqli_query($conn, "SELECT * FROM search WHERE video_tutorial LIKE '%$keyword_t%' ");

$find_c = mysqli_query($conn, "SELECT * FROM search WHERE course LIKE '%$keyword_c%'");

The way those are written, whatever a user types into your search filter will be passed straight into your database; you need to escape that, or better yet, use prepared statements (Google will be your friend here; look up PDO).

To address the cross-site scripting; if no search results are found, you're outputting the user's keyword directly to the browser without escaping it. If they've added a <script> tag or similar, they could potentially steal cookies from your users, or worse.

You should always be sure to escape all output, and always assume that your users are malicious - some of them will be.

I realise this is just a small example, but I'd caution against putting code of this sort into production.