Specifications

Our next step is to verify that the user has entered a search term and a search type. Note that we
check that the user entered a search term only after trimming whitespace from the ends of $searchterm. Had
we arranged these lines in the opposite order, we could get situations where a user's search term
was not empty, so did not create an error message, but was all whitespace, so was deleted by
trim():
if (!$searchtype || !$searchterm)
{
    echo "You have not entered search details. Please go back and try again.";
    exit;
}
You will notice that we've checked the $searchtype variable even though in this case it is coming
from an HTML SELECT. You might ask why we bother checking data that has to be filled
in. It's important to remember that there might be more than one interface to your database.
For example, Amazon has many affiliates who use its search interface. Also, it's sensible to
screen data in case of any security problems that can arise because of users coming from
different points of entry.
Also, when you are going to use any data input by a user, it is important to filter it appropriately
for any control characters. As you might remember, in Chapter 4, "String Manipulation
and Regular Expressions," we talked about the functions addslashes() and stripslashes().
You need to use addslashes() when submitting any user input to a database such as MySQL
and stripslashes() when returning output to the user who has had control characters
slashed out.
In this case we have used addslashes() on the search terms:
$searchterm = addslashes($searchterm);
We have also used stripslashes() on the data coming back from the database. None of the
data we have entered by hand into the database has any slashes in it; however, it also doesn't
have any control characters in it, so the call to stripslashes() will have no effect. As we build
a Web interface for the database, chances are we will want to enter new books in it, and some
of the details entered by a user might contain these characters. When we put them into the
database, we will call addslashes(), which means that we must call stripslashes() when taking
the data back out. This is a sensible habit to get into.
We are using the function htmlspecialchars() to encode characters that have special meanings
in HTML. Our current test data does not include any ampersand (&), less than (<),
greater than (>), or double quote (") symbols, but many fine book titles contain an ampersand.
By using this function, we can eliminate future errors.
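The three steps above (trim before the emptiness check, the addslashes()/stripslashes() round trip, and htmlspecialchars() on output) exercised on constructed inputs, as an added example that is not code from the book; the list of allowed search types is an assumption, since the form's SELECT option values are not shown on this page.

```php
<?php
// Added example, not from the book. Allowed search types are assumed;
// the page does not list the SELECT's option values.
const ALLOWED_SEARCH_TYPES = ['author', 'title', 'isbn'];

// Returns null when the input is acceptable, otherwise the error message.
// trim() runs BEFORE the emptiness check, so an all-whitespace term is
// rejected instead of silently becoming ''. The strict comparison also
// avoids treating a search for "0" as empty, which !$searchterm would do.
function validate_search(string $searchtype, string $searchterm): ?string
{
    $searchterm = trim($searchterm);
    if (!in_array($searchtype, ALLOWED_SEARCH_TYPES, true) || $searchterm === '') {
        return 'You have not entered search details. Please go back and try again.';
    }
    return null;
}

// The reversed order the text warns about: "   " is a non-empty string, so
// the check passes, and trim() then empties the term with no error raised.
function validate_search_wrong_order(string $searchtype, string $searchterm): ?string
{
    if (!$searchtype || !$searchterm) {
        return 'You have not entered search details. Please go back and try again.';
    }
    $searchterm = trim($searchterm);
    return null;
}

// Escape on the way into the database, strip on the way back out.
// addslashes() prefixes ' " \ and NUL with a backslash; stripslashes()
// reverses it, so the round trip returns the original title unchanged.
function store_and_retrieve(string $title): string
{
    $stored = addslashes($title);
    return stripslashes($stored);
}

// Encode & < > " ' so a title renders literally instead of as HTML markup.
function render_title(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: an all-whitespace term and a title full of special characters.
assert(validate_search('title', '   ') !== null);               // rejected
assert(validate_search_wrong_order('title', '   ') === null);   // slips through
$title = 'Tom & Jerry\'s "Guide" <2nd ed.>';
assert(store_and_retrieve($title) === $title);                   // round trip is lossless
echo render_title($title), "\n";                                 // safe to place in HTML
```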
Chapter 10: Accessing Your MySQL Database from the Web with PHP