CODEWITHSUNDEEP
phphtmlmysqlworkbench
Ereka
Ereka

Reputation: 25

Search doesn't work when there's an apostrophe

I'm trying to make an OPAC website. Everything works fine since it's mostly just selecting from the database and displaying it. I noticed that when the book title i'm trying to search has an apostrophe, it displays nothing. If the book title doesn't contain any apostrophe it all works. I'm using mysql for my database. 

<!-- {this is how i connect my datatbase} -->
<?php
include 'includes/dbh.inc.php';
?>

<!DOCTYPE <!DOCTYPE html>
<html>
<head>
    <title></title>
    <link rel="stylesheet" type="text/css" href="stylesheet.css">
</head>
<body>

<div id= "wrapper">
<a href = "index.php"><img class="cpclogo" src="cpc.png"></a>
<header>
    <h1 class="CPC"> Colegio de la Purisima Concepcion </h1>
    <h3 class="Saying"> The School of the Archdiocese of Capiz </h3>
</header>
</div>

header.php file

<?php

$dbServername = "localhost";
$dbUsername = "root";
$dbPassword = "";
$dbName = "library";

$conn = mysqli_connect($dbServername, $dbUsername, $dbPassword, $dbName);
?>

search.php file

<?php
    include 'header.php'
?>

<h1 class="searchresults">Search Results:</h1>

<div class="search-container">
    <?php
    if (isset($_POST['submit']))
    {
        $search = mysqli_real_escape_string($conn, $_POST['search']);
        $sql = "SELECT * FROM book WHERE Book_Title LIKE '%$search%' OR Author LIKE '%$search%' OR Call_Number LIKE '%$search%' OR Book_ID LIKE '%$search%'";
        $result = mysqli_query($conn, $sql);
        $queryResult = mysqli_num_rows($result);
        $search = mysqli_real_escape_string($conn, $_POST['search']);

        echo "<h3 class='resultcount'>There are ".$queryResult." results!</h3>";

        if ($queryResult > 0)
        {
            while ($row = mysqli_fetch_assoc($result))
            {
                echo "<a href='article.php?Book_Title=".$row['Book_Title']."&id=".$row['Book_ID']."&call=".$row['Call_Number']."' class= 'search-ref'><div class=search-box>
                <tr><td>".$row['Book_Title']." </td>
                <td>/ ".$row['Author']."</td>
                <p>".$row['Call_Number']."</p>
                </div></tr><br>";
            }

        }
    }
    ?>
    <input class="backbtn" type="button" value="Back" onclick="history.back(-1)" />
</div>

article.php file

<?php
    include 'header.php';
?>

<div class="article-container">

<?php
//Declairing Variables
$Author = "Authors: ";
$Edition = "Edition: ";
$Subject ="Subject: ";
$Summary = "Summary: ";
$Notes = "Notes: ";
$Publisher ="Publisher: ";
$Phys_Desc ="Physical Description: ";
$Call_Number ="Call Number: ";
$Book_ID = "Book ID: ";


$Title= mysqli_real_escape_string($conn, $_GET['Book_Title']);

$sql ="SELECT * FROM book WHERE Book_Title='$Title'";
$result = mysqli_query($conn, $sql);      
$queryResult = mysqli_num_rows($result);

if ($queryResult > 0)
while ($row = mysqli_fetch_assoc($result))
{
echo "<div class= 'article-box'>
    <h3 class='booktitle'><b>".$row['Book_Title']."</h3></b>
    <p><b>$Author</b>".$row['Author']."</p>
    <p><b>$Edition</b>".$row['Edition']."</p>
    <p><b>$Subject</b>".$row['Subject']."</p>
    <p><b>$Summary</b>".$row['Summary']."</p>
    <p><b>$Notes</b>".$row['Notes']."</p>
    <p><b>$Publisher</b>".$row['Publisher']."</p>
    <p><b>$Phys_Desc</b>".$row['Phys_Desc']."</p>
    <p><b>$Call_Number</b>".$row['Call_Number']."</p>
</div>";
}
?>
<div class="btns">
    <input class="backbtn" type="button" value="Back" onclick="history.back(-1)" />
    <button type="submit" id="copybtn" class= "copybtn">Copies</button>
</div>


<!-- POP-UP WINDOW -->
<div class="bg-modal">
    <div class="modal-content">
    <div class="close"></div>
        <table class = "table">
    <tr>
        <th>Copy</th>
        <th>Status</th>
        <th>Accession Number</th>
        <th>Call Number</th>
        <th>Location</th>
        <th>Format</th>
        <th>Cost</th>
        <th>Vendor</th>
        <th>Fund</th>
        <th>Date Acquired</th>
    </tr>
    <?php

    $id = mysqli_real_escape_string($conn, $_GET['id']);
    $call = mysqli_real_escape_string($conn, $_GET['call']);

    $sql = "SELECT Copy, Status, Accession_Number, l.Location, f.Format, Cost, Vendor, u.Fund, Date_Acq
    FROM copy c
    INNER JOIN location l ON l.Location_Acronym = c.Location
    INNER JOIN format f ON f.Format_ID = c.Format
    INNER JOIN fund u ON u.Fund_ID = c.Fund
    WHERE Book_ID='$id'";

    $result = mysqli_query($conn, $sql);
    $queryResult = mysqli_num_rows($result);

    if ($queryResult > 0)
    {
      while ($row = mysqli_fetch_assoc($result))
      {

        echo "
        <tr><td>".$row['Copy']."</td>
        <td>".$row['Status']."</td>
        <td>".$row['Accession_Number']."</td>
        <td>".$call."</td>
        <td>".$row['Location']."</td>
        <td>".$row['Format']."</td>
        <td>₱".$row['Cost']."</td>
        <td>".$row['Vendor']."</td>
        <td>".$row['Fund']."</td>
        <td>".$row['Date_Acq']."</td></tr>
        ";
      }

    }
  ?>

 </table>
    </div>
</div>
<script src="popup.js"></script>
</body>
</html>

copies.php file

<?php
    include 'header.php'
?>

<h1 class="copyresults">Copy Results:</h1>

<div class="article-container">

<table class = "table">
    <tr>
        <th>Barcode</th>
        <th>Copy</th>
        <th>Status</th>
        <th>Location</th>
        <th>Format</th>
        <th>Vendor</th>
    </tr>
    <?php
    {
        $id = mysqli_real_escape_string($conn, $_GET['id']);

        $sql = "SELECT * FROM copy WHERE Book_ID='$id'";
        $result = mysqli_query($conn, $sql);
        $queryResult = mysqli_num_rows($result);

        if ($queryResult > 0)
        {
            while ($row = mysqli_fetch_assoc($result))
            {

                echo "
                <tr><td>".$row['Barcode']."</td>
                <td>".$row['Copy']."</td>
                <td>".$row['Status']."</td>
                <td>".$row['Location']."</td>
                <td>".$row['Format']."</td>
                <td>".$row['Vendor']."</td></tr>
                ";
            }

        }

    }
    ?>
    </table>

Upvotes: 1

Views: 510

Answers (1)

mickmackusa
mickmackusa

Reputation: 48031

I reckon there is something fishy about this:

echo "<a href='article.php?Book_Title=".$row['Book_Title']."&id=".$row['Book_ID']."&call=".$row['Call_Number']."' class= 'search-ref'><div class=search-box>...

See that your href value is wrapped in single quotes? When you click on that link, the entire querystring will be truncated at the first single quote and this is the likely culprit.

Use: urlencode() on $row['Book_Title'] if it is the only trouble maker.

echo "<a href='article.php?Book_Title=" . urlencode($row['Book_Title']) . "&id=" . $row['Book_ID'] . "&call=".$row['Call_Number'] . "' class= 'search-ref'><div class=search-box>...

Or this might make your code more attractive (certainly more robust):

$data = [
    'Book_Title' => $row['Book_Title'],
    'id' => $row['Book_ID'],
    'call' => $row['Call_Number']
];
echo "<a href='article.php?" . http_build_query($data) . "' class='search-ref'><div class=search-box>...

Upvotes: 1

Related Questions