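<?php declare(strict_types=1); ?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Search Results</title>
</head>
<body>
<h1>Search Results</h1>
<?php
/**
 * Escape a string for an HTML text/attribute context.
 *
 * Every user- or database-sourced value is passed through this before it is
 * echoed, so nothing stored in the books table can inject markup into the page.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Read the form fields; `??` avoids "undefined index" warnings when a field is absent.
$searchType = (string) ($_POST['searchType'] ?? '');
$searchTerm = trim((string) ($_POST['SearchTerm'] ?? ''));

// Both fields are required. Compare with '' instead of relying on truthiness so a
// search term of "0" is not treated as missing. Stop here: without the exit the
// query below would still run with an empty term.
if ($searchTerm === '' || $searchType === '') {
    echo "<p>There is no input, please specify a search type and search term</p>";
    exit;
}

// Whitelist the column name. A column identifier cannot be passed as a bound
// parameter, so it has to be interpolated into the SQL text; this lookup is what
// keeps $searchType from reaching the query as untrusted input.
$columns = ['Title' => 'Title', 'Author' => 'Author', 'ISBN' => 'ISBN'];
$column = $columns[$searchType] ?? null;
if ($column === null) {
    echo "<p>This choice is not valid!</p>";
    exit;
}

// Make mysqli throw on failure instead of silencing with `@` and polling errno.
// Only a generic message is shown to the user; the driver's error text can reveal
// host, user and schema details.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    // TODO(review): credentials are hard-coded here; load them from configuration.
    $db = new mysqli('localhost', 'root', '', 'books');
} catch (mysqli_sql_exception $e) {
    echo "<p>Error connecting to the database!.</p><br>
<p>Please try again later</p>";
    exit;
}

try {
    // $column comes from the whitelist above; the search term is a bound parameter.
    $query = "select ISBN, Author, Title, Price from books where $column = ?";
    $stmt = $db->prepare($query);
    $stmt->bind_param('s', $searchTerm);
    $stmt->execute();
    // Buffer the result set so num_rows is available before fetching.
    $stmt->store_result();
    $stmt->bind_result($isbn, $author, $title, $price);

    echo '<p>Number of books found: ' . $stmt->num_rows . '</p>';

    while ($stmt->fetch()) {
        echo '<p><strong>Title: ' . h((string) $title) . '</strong>';
        echo '<br>Author: ' . h((string) $author);
        echo '<br>ISBN: ' . h((string) $isbn);
        // Price may arrive as a string for DECIMAL columns; cast before formatting.
        echo '<br>Price: $' . number_format((float) $price, 2) . '</p>';
    }

    $stmt->close();
} catch (mysqli_sql_exception $e) {
    echo "<p>Error running the search. Please try again later</p>";
} finally {
    $db->close();
}
?>
</body>
</html>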