Searchbox with suggestions

DarkViper · February 02, 2010, 01:56:00 AM

i can give you a 'quick&dirty' solution:


$queryString = $_POST['queryString'];
if( preg_match('/;|UPDATE|DROP|DELETE|ALTER|\<SCRIPT.*\>|eval\(/si', $queryString)
{
    echo '&nbsp;&nbsp;&nbsp;Forbidden Request!!'; 
}
else
{
....

HTML-Entities are not the problem...except "<script...>...</script>. At max they can destroy the design for one view, nothing more. But you must proof that no modified or extended SQL-Statement can be executed. Much important: NEVER a semicolon should appear in the LIKE-clause. It would cancel the current SQL query and possibly execute others, which was added after the semicolon.

crnogorac081 · February 02, 2010, 01:44:32 AM

Ok,

if I replace

$queryString = $_POST['queryString'];

with

$queryString = htmlspecialchars($_POST['queryString'], ENT_QUOTES);

did I solved the problem ?

crnogorac081 · February 02, 2010, 01:23:28 AM

I am not a coder, could you please help how to improve this from hacking ?

DarkViper · February 02, 2010, 01:10:37 AM

The module works as planned.

Yet here I am forced to issue a Security Warning!

The script 'suggestion.php' is insecure and an optimal target for SQL-Injections.
Each only halfway decent hacker, is thus in a position to change the database or delete them completely.

@ crnogorac081:: Please revise the parameter passing, so that no more undesirable values can reach the script.
already done..

Werner
( QA-Team )

crnogorac081 · January 29, 2010, 09:52:20 PM

lol I misspelled it

but Im glad it works and that you liked it

I also added some opacity on demo site

= I corrected one g

seagull · January 29, 2010, 09:34:40 PM

Used the code and the droplet, works ok!

First i overlooked the one "g" in the filename sugestion.php, i saved it first as suggestion.php
But for the rest, nice job.

Jan

pcwacht · January 29, 2010, 08:25:14 PM

Demo looks neat

Will sure have a look at it.
Thanks.

John

crnogorac081 · January 29, 2010, 07:32:58 PM

Hi,

here is tutorial how to make a seaarch box with suggestions

Requires: JQuery

First, take a look at the demo , try the search..

I used page_title for sugestions, but you can use any field you want.. For example if you populate keywords, or description fields for each(or some) pages, you can generate sugestions based on those fields..

How to make it:
1. Make a new php file in your root and name it suggestion.php and insert this code:

Quote
<?php
// First we prevent direct access
if(!isset($_POST['queryString'])) {
// nowwe redirect to index, if you are in subfolder use ../index.php
header( 'Location: index.php' ) ;
} else {
// Now we set the path to config file
require('config.php');

global $database;
global $wb;

if(isset($_POST['queryString'])) {

// $queryString = $_POST['queryString'];
$queryString = htmlspecialchars($_POST['queryString'], ENT_QUOTES);

// I used page_title field from pages. you can set or remove limit -- max number of sugestions
$query = $database->query("SELECT * FROM `".TABLE_PREFIX."pages` WHERE `page_title` LIKE '%$queryString%' LIMIT 20");
if($query->numRows() < 1) {
// replace this text with: there is no suggestion, or whaatever
echo '   No suggestions';
} else {
// now we can add some text like Here are suggestions
echo '<span style="display:block; font-weight: bold; font-size: 80%; padding: 5px 5px; text-decoration: underline;">Suggestions:</span>';
// now we loop thrue suggestions. style list via droplet
echo '<ul>';
while ($result = $query->fetchRow()) {
$filename = str_replace(' ', '', strtolower($result['description']));
echo '<li onClick="fill(\''.addslashes($result['description']).'\');"><a href="'.WB_URL.PAGES_DIRECTORY.$result['link'].PAGE_EXTENSION.'">'.$result['page_title'].'</a></li>';
}
echo '</ul>';
}
}
} // this ends else statement from the top of the page
?>

NOTE: 7th line from below is to long.. So when you copy-paste code you will get PAGES_DIRE C TORY, so you need to remove space in DIRECTORY word..
2. Make a droplet [[search]] (or name it whatever if you already have this droplet):

Quote
global $TEXT;
$return_value = " ";
if(SHOW_SEARCH) {
$scripta = "\n".'<script type="text/javascript">'."\n";
$scripta .= ' function lookup(inputString) { '."\n";
$scripta .= ' if(inputString.length < 1) { '."\n"; // after how menu letters script will react
$scripta .= ' $(\'#suggestions\').hide(); '."\n";
$scripta .= ' } else { '."\n";
$scripta .= ' $.post("'.WB_URL.'/suggestion.php", {queryString: ""+inputString+""}, function(data){ '."\n";
$scripta .= ' if(data.length > 0) { '."\n";
$scripta .= ' $(\'#suggestions\').show(); '."\n";
$scripta .= ' $(\'#autoSuggestionsList\').html(data); '."\n";
$scripta .= ' } '."\n";
$scripta .= ' }); '."\n";
$scripta .= ' } '."\n";
$scripta .= ' } '."\n";
$scripta .= ' function fill(thisValue) { '."\n";
$scripta .= ' $(\'#inputString\').val(thisValue); '."\n";
$scripta .= ' setTimeout("$(\'#suggestions\').hide();", 200); '."\n";
$scripta .= ' } '."\n";
$scripta .= '</script> '."\n";
$scripta .= '<style type="text/css">'."\n";
$scripta .= '.suggestionsBox { '."\n";
$scripta .= ' position: relative; '."\n";
$scripta .= ' left: 80px; '."\n";
$scripta .= ' margin: 0px 0px 0px 0px; '."\n";
$scripta .= ' width: 170px; '."\n";
$scripta .= ' background-color: #fff; '."\n";
$scripta .= ' -moz-border-radius: 7px; '."\n";
$scripta .= ' -webkit-border-radius: 7px; '."\n";
$scripta .= ' border: 2px solid #424242; '."\n";
$scripta .= ' color: #333; '."\n";
$scripta .= '} '."\n";
$scripta .= '.suggestionList ul { '."\n";
$scripta .= ' margin: 0px; '."\n";
$scripta .= ' padding: 0px; '."\n";
$scripta .= ' list-style-type: none; '."\n";
$scripta .= '} '."\n";
$scripta .= '.suggestionList li { '."\n";
$scripta .= ' margin: 0px 0px 3px 0px; '."\n";
$scripta .= ' padding: 3px; '."\n";
$scripta .= ' cursor: pointer; '."\n";
$scripta .= '} '."\n";
$scripta .= '.suggestionList li:hover { '."\n";
$scripta .= ' background-color: #f3f3f3; '."\n";
$scripta .= '} '."\n";
$scripta .= '</style> '."\n";

$wb_page_data = str_replace('</head>',$scripta."\n".'</head>', $wb_page_data );

$return_value = '<form id="searchform" action="'.WB_URL.'/search/index'.PAGE_EXTENSION.'" method="post" >';
$return_value .= '<input class="button" name="dugme" type="submit" value=" " />';
$return_value .= '<input class="text" type="text" name="string" id="inputString" onkeyup="lookup(this.value);" onblur="fill();" /> ';
$return_value .= '</form>';
$return_value .= '<div class="suggestionsBox" id="suggestions" style="display: none;">';
$return_value .= ' <div class="suggestionList" id="autoSuggestionsList">';
$return_value .= ' </div>';
$return_value .= '</div>';
}
return $return_value;

You can restyle list with css inside droplet.

There are a lot of comments if you want to use this module for some other projects..

If you put suggestion.php file inside some folder, you must change path to config.php file in suggestion.php file, and the path to suggestion.php file inside droplet..

Comments are welcome
have fun

News:

Searchbox with suggestions