Searchbox with suggestions

crnogorac081

Hi,

I have this code in /search/search_convert.php to show special chars in local language in standard search, and it works ok.

$t["š"] = array("š", "s");
$t["s"] = array("š", "s");
$t["đ"] = array("đ", "dj");
$t["dj"] = array("đ", "dj");
$t["č"] = array("č", "c");
$t["c"] = array("č", "ć");
$t["ć"] = array("c", "ć");
$t["ž"] = array("ž", "z");
$t["z"] = array("ž", "z");


In search suggestion SQL I have this code which works ok :

$database->query("SELECT * FROM `".TABLE_PREFIX."pages` WHERE `page_title` LIKE '%$queryString%' LIMIT 20");


What I need is help to combine these two..could someone give me a hint or help ?

for example, if the title is: my name is saša, it should work whether I type sasa or saša.

cheers,
Ivan
Web developer
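One way to combine the two pieces, as an added example that is not part of the original post or of WebsiteBaker: fold both the typed text and page_title to the same ASCII form (nested REPLACE() in SQL for the column, the same table in code for the input) and bind the LIKE pattern as a parameter instead of interpolating $queryString into the SQL text. The folding table is the $t[] map from the post; the in-memory sqlite3 table, the sample titles, the '!' escape character and the rule that a plain "c" also covers "ć" are assumptions made for the demo. The SQL it builds uses only REPLACE, LOWER and LIKE ... ESCAPE, which MySQL accepts as well.

```python
"""Diacritic-insensitive title suggestions with a bound LIKE parameter.

Added example, not WebsiteBaker's code.  It reproduces the post's $t[] map
and the `page_title LIKE '%...%'` suggestion query against an in-memory
sqlite3 table standing in for `pages`; the titles are constructed here.
"""
import sqlite3

# The post's variant table, both letter cases, reduced to the ASCII form a
# user is likely to type.  Assumption not in the post: "c" stands for both
# "č" and "ć", and a plain letter always matches itself.
FOLD = [
    ("š", "s"), ("Š", "s"),
    ("đ", "dj"), ("Đ", "dj"),
    ("č", "c"), ("Č", "c"),
    ("ć", "c"), ("Ć", "c"),
    ("ž", "z"), ("Ž", "z"),
]


def fold_py(text):
    """Apply FOLD, then lower-case: the same transform fold_sql() expresses."""
    for src, dst in FOLD:
        text = text.replace(src, dst)
    return text.lower()


def fold_sql(column):
    """SQL expression applying FOLD to a column through nested REPLACE().

    Only the constants from FOLD are spliced into the SQL text; user input is
    never part of it.
    """
    expr = column
    for src, dst in FOLD:
        expr = "REPLACE(%s, '%s', '%s')" % (expr, src, dst)
    return "LOWER(%s)" % expr


def like_pattern(user_input):
    """%...% for the folded input.  '!' is declared as the LIKE escape
    character, so a typed '%' or '_' is searched for literally."""
    folded = fold_py(user_input)
    for ch in ("!", "%", "_"):
        folded = folded.replace(ch, "!" + ch)
    return "%" + folded + "%"


def suggestions(conn, user_input, limit=20):
    """Titles whose folded form contains the folded input.

    The pattern travels as a bound parameter, so a quote, semicolon or
    comment marker in the input can only be searched for, never executed.
    """
    sql = ("SELECT page_title FROM pages WHERE %s LIKE ? ESCAPE '!' "
           "ORDER BY page_id LIMIT ?" % fold_sql("page_title"))
    return [row[0] for row in conn.execute(sql, (like_pattern(user_input), limit))]


def demo_db():
    """Constructed sample data in place of the real `pages` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (page_id INTEGER PRIMARY KEY, page_title TEXT)")
    conn.executemany("INSERT INTO pages (page_title) VALUES (?)", [
        ("My name is Saša",), ("Đurđevdan",), ("Čačak",),
        ("100% cotton",), ("Update log",),
    ])
    return conn


if __name__ == "__main__":
    db = demo_db()
    for typed in ("sasa", "saša", "djurdj", "ćać", "100%", "10%",
                  "'; DELETE FROM pages; --"):
        print("%-28r -> %r" % (typed, suggestions(db, typed)))
```

The `LIKE '%...%'` in the post already forces a full table scan, so wrapping the column in REPLACE() costs nothing extra on an index; on a large pages table, store a pre-folded copy of the title in its own column and search that instead.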

crnogorac081

Hi, create a temp admin account for me and send it to me by PM, I will take a look
Web developer

nuke

Thanks for your prompt response crnogorac081. Apologies in advance, I'm probably missing something obvious, but I can't seem to get that code to work.

I tried replacing the line you mentioned with the following:
$query = $database->query("SELECT * FROM `".TABLE_PREFIX."pages` WHERE `language` = '".LANGUAGE."' `page_title` LIKE '%$queryString%' LIMIT 20");

And it didn't work, so I thought maybe I have to specify the language, so I tried:
$query = $database->query("SELECT * FROM `".TABLE_PREFIX."pages` WHERE `FR` = '".LANGUAGE."' `page_title` LIKE '%$queryString%' LIMIT 20");

then tried:
$query = $database->query("SELECT * FROM `".TABLE_PREFIX."pages` WHERE `language` = '"FR"' `page_title` LIKE '%$queryString%' LIMIT 20");

then:
$query = $database->query("SELECT * FROM `".TABLE_PREFIX."pages` WHERE `language` = '".FR."' `page_title` LIKE '%$queryString%' LIMIT 20");

As you can tell I'm not a programmer =/, can you provide some assistance?

So I'm assuming there is no way to limit the suggestions based on the sub directory? I'll have to go through my multi-lang site and make sure each page has the correct specified language (in the meantime I've set a few sections to French... I have a fairly large site and was hoping there would be another way)

Thanks,
-Mike

crnogorac081

Hi,

try replacing

$query = $database->query("SELECT * FROM `".TABLE_PREFIX."pages` WHERE `page_title` LIKE '%$queryString%' LIMIT 20");
WITH
$query = $database->query("SELECT * FROM `".TABLE_PREFIX."pages` WHERE `language` = '".LANGUAGE."' AND `page_title` LIKE '%$queryString%' LIMIT 20");


in the PHP file..
cheers
Web developer

nuke

Very cool - is there any way to limit the suggestions to a certain sub dir:
e.g. for my multilingual site I use the search_path value as /en/ to limit the search to just my English section, and do the same with my Spanish /es/ etc

(More info here:
https://forum.websitebaker.org/index.php/topic,10058.msg59052.html#msg59052 )

How would I go about limiting the suggestions in a similar fashion? Thanks in advance,

-Michael

crnogorac081

Hi,

The links use your standard link color from your CSS. If you want another color, you will have to style the .suggestionList class

cheers
Web developer

VSG

One more question: is there a way to define a color for your suggestions? I can't seem to find it. Was able to define most of the colors though ...

Thanks in advance for any tip!
Best regards,
VSG

VSG

Thanks, that did the trick!

Now I just have to customize it to blend it in with the website as my standard-search ... :)
Great idea!

Thanks again and best regards,
VSG

crnogorac081

Hi mate,

there are no limitations regarding page visibility.

Regarding your issue (I forgot to mention it, now I have added it to the first post..), please add this line:

      <script type="text/javascript" src="<?php echo WB_URL; ?>/include/jquery/jquery-min.js"></script>

into your template's header.

all best,
Ivan
Web developer

VSG

As much as I like the concept of it and the demo on your site, I can't get it to work.
Although I simply copied your code (and corrected the DIREC TORY mishap) it wouldn't show any suggestions.

The java-error-console gives the following report:
Uncaught exception: ReferenceError: Undefined variable: $
Error thrown at line 6, column 4 in lookup(inputString) in http://MYSITE/pages/forum2.php:
    $.post("http://MYSITE/suggestion.php", {queryString: ""+inputString+""}, function(data){   
called from line 1, column 0 in <anonymous function>(event):
    lookup(this.value);


MYSITE stands for my correct website-address.
Any ideas? I'd really like to make this work. By the way, does it work if all the pages are hidden? (Not private, just hidden.)

You can look for yourself here.
Thanks in advance!
Best regards,
VSG

crnogorac081

Hi Klaus,

I copy-pasted the code and because of the code container width the text was broken..

Thanks for letting others know if the droplet error appears..

cheers
Web developer

kweitzel

Quote: PAGES_DIREC TORY

looks like it should be:
PAGES_DIRECTORY

cheers

Klaus

snark

When I put the code from the first post into a droplet I get a red droplet ...


finrodfelegund

I got an error here:
                       echo '<li onClick="fill(\''.addslashes($result['description']).'\');"><a href="'.WB_URL.PAGES_DIREC TORY.$result['link'].PAGE_EXTENSION.'">'.$result['page_title'].'</a></li>';

I think there is something wrong with the URL:
href="'.WB_URL.PAGES_DIREC TORY.$result['link'].PAGE_EXTENSION.'"

dunno what that DIREC TORY is

hmm

I removed DIREC TORY and I get a weird redirection to pages:
http://dorohoinews.ro/pages/reducere-a-impozitului.php
take a look

I am trying your jq script also :)

In the end I did an ugly hack of the code:
echo '<li onClick="fill(\''.addslashes($result['description']).'\');"><a href="'.WB_URL.'/pages'.$result['link'].PAGE_EXTENSION.'">'.$result['page_title'] .'</a></li>';

This seems to work for me, for the moment :) If someone could tell me what's wrong there I will be happy.
Now the only problem is that the list is not going above the page :(

crnogorac081

Hi,

I got no errors, it is working stably, see the demo. Are you sure the code is copied correctly?

cheers
Web developer

finrodfelegund

I get this error, can anyone help me? Also, could anyone post the final version of the script with the security added!
Parse error: syntax error, unexpected T_STRING, expecting ',' or ';' in /home/coldhost/public_html/dorohoinews.ro/suggestion.php on line 30

thanks!!

crnogorac081

Also I tried this code to add slashes to the DB call:


// Include WB functions file
        require_once(WB_PATH.'/framework/functions.php');

AND THEN:

$queryString = $wb->add_slashes($_POST['queryString']);


but then the script won't work.. does anyone know why?
Web developer

crnogorac081

OK, but what if I have a page_title named Update or Updated, Alter Ego, or any word containing UPDATE, DROP, DELETE, ALTER or SCRIPT..

will your code print: Forbidden request?
Web developer

DarkViper

Quote from: crnogorac081 on February 02, 2010, 10:12:05 AM
'\';DELETE FROM `ul_pages`;';
into searchbox, and table is still there :) so there is no SQL hack..
This was an extremely simple try... be sure, there are many more possibilities...

Last night I posted a first solution for your problem..
The blue planet (http://www.youtube.com/watch?v=tmzDAz6ZvFQ) - it is not our property - we have only borrowed it from our descendants
"You have to take the men as they are... but you can not leave them like that!" :-P
The daily quick prayer: Oh Lord, throw brains from heaven!

crnogorac081

@doc

Will this code: $queryString = htmlspecialchars($_POST['queryString'], ENT_QUOTES);  work to prevent a DB hack on servers where magic quotes are disabled?

If this code won't work, please point me in the right direction..

Web developer

doc

@crnogorac081: Most likely because your server has magic_quotes_gpc enabled. This option automatically escapes critical characters in the GET, POST and COOKIE arrays. Servers without this setting however would be vulnerable to the SQL injection posted by DarkViper.

Doc

crnogorac081

Well I just tested your query on my live site and inserted this:

'\';DELETE FROM `ul_pages`;';

into the searchbox, and the table is still there :) so there is no SQL hack..

But yesterday I added the htmlspecialchars func. to

$queryString = htmlspecialchars($_POST['queryString'], ENT_QUOTES);

So now it is OK for general use?
Web developer

DarkViper

Example for a SQL-Injection:

original query (after replacing the variables):
$queryString = 'dingdong';
SELECT * FROM `wb1_pages` WHERE `page_title` LIKE '%dingdong%' LIMIT 20

an injected query:

$queryString = '\';DELETE FROM `wb1_pages`;';
SELECT * FROM `wb1_pages` WHERE `page_title` LIKE '%';DELETE FROM `wb1_pages`;%' LIMIT 20

try this.. and your pages-table will be empty..  :evil:

crnogorac081

cool, thanks,

but will this also prevent the attack?

$queryString = htmlspecialchars($_POST['queryString'], ENT_QUOTES);

I believe with this code you can't modify the SQL request as it will disable special characters, right?
Web developer
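The query DarkViper shows, assembled the way the PHP snippet interpolates $queryString and run against a constructed sqlite3 stand-in for the wb1_pages table, as an added example that is not WebsiteBaker code and does not come from anyone in the thread. It also bears on crnogorac081's htmlspecialchars() question: sqlite3, like PHP's mysql_query(), executes one statement per call, so the stacked DELETE is refused by the driver before it runs (which is why the table survived the live test even without escaping), but a payload that stays inside one statement returns every row. htmlspecialchars() happens to stop that payload because it rewrites the quote, yet it makes a title such as "Rock 'n' Roll" unfindable and leaves the backslash, which MySQL treats as an escape inside string literals, untouched. The table name comes from DarkViper's post; the titles, the payloads and all function names are assumptions for the demo.

```python
"""Why `LIKE '%$queryString%'` built by string concatenation is injectable,
and what htmlspecialchars() does and does not change.

Added example, not WebsiteBaker code.  The `wb1_pages` table (name taken
from DarkViper's post) and its titles are constructed here in sqlite3.
"""
import sqlite3

# What the PHP literal '\';DELETE FROM `wb1_pages`;' evaluates to.
STACKED = "';DELETE FROM `wb1_pages`;"
# A payload that stays inside one statement: closes the LIKE literal,
# appends OR 1=1 and comments out the rest of the query.
BYPASS = "nomatch%' OR 1=1 --"


def unsafe_sql(query_string, prefix="wb1_"):
    """The suggestion query exactly as PHP interpolates $queryString."""
    return ("SELECT * FROM `%spages` WHERE `page_title` LIKE '%%%s%%' LIMIT 20"
            % (prefix, query_string))


def php_htmlspecialchars(text):
    """htmlspecialchars($text, ENT_QUOTES) as PHP 5 encodes it."""
    for src, dst in (("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"),
                     ('"', "&quot;"), ("'", "&#039;")):
        text = text.replace(src, dst)
    return text


def demo_pages():
    """Constructed stand-in for the wb1_pages table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE `wb1_pages` "
                 "(page_id INTEGER PRIMARY KEY, page_title TEXT)")
    conn.executemany("INSERT INTO `wb1_pages` (page_title) VALUES (?)",
                     [("Update log",), ("Alter Ego",), ("Rock 'n' Roll",)])
    return conn


def page_count(conn):
    return conn.execute("SELECT COUNT(*) FROM `wb1_pages`").fetchone()[0]


def run_unsafe(conn, query_string):
    """Run the concatenated query; returns the titles it yields."""
    return [row[1] for row in conn.execute(unsafe_sql(query_string))]


def run_safe(conn, query_string):
    """Same query with the input bound as a parameter: the actual fix."""
    sql = "SELECT * FROM `wb1_pages` WHERE `page_title` LIKE ? LIMIT 20"
    return [row[1] for row in conn.execute(sql, ("%" + query_string + "%",))]


def stacked_payload_refused(conn):
    """True if the driver rejects the second statement and the table survives.

    sqlite3, like PHP's mysql_query(), runs one statement per call; the
    DELETE is never prepared, let alone executed.
    """
    before = page_count(conn)
    try:
        conn.execute(unsafe_sql(STACKED))
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return page_count(conn) == before
    return False


if __name__ == "__main__":
    db = demo_pages()
    print(unsafe_sql(STACKED))
    print("stacked payload refused:", stacked_payload_refused(db))
    print("unsafe + BYPASS:", run_unsafe(db, BYPASS))        # every row
    print("safe   + BYPASS:", run_safe(db, BYPASS))          # []
    print("unsafe + htmlspecialchars(BYPASS):",
          run_unsafe(db, php_htmlspecialchars(BYPASS)))      # [] this time
    print("unsafe + htmlspecialchars(\"'n'\"):",
          run_unsafe(db, php_htmlspecialchars("'n'")))       # [], title lost
    print("safe   + 'n':", run_safe(db, "'n'"))               # ["Rock 'n' Roll"]
    # htmlspecialchars() leaves the backslash alone; MySQL reads the \' in
    # the resulting LIKE '%\%' as an escaped quote, so the literal never ends.
    print(unsafe_sql(php_htmlspecialchars("\\")))
```

In PHP the bound parameter above corresponds to a prepared statement (mysqli or PDO). If the old mysql extension has to stay, mysql_real_escape_string() on a connection whose charset is set correctly is the escape to use, not addslashes() or htmlspecialchars(); magic_quotes_gpc was removed in PHP 5.4, so relying on it leaves the query injectable on any newer server.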