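<?php
// Caption search page: looks up rows whose caption contains a term supplied
// by the user through the GET parameter "search". The term is untrusted, so
// it is bound as a prepared-statement parameter and never concatenated into
// the SQL text; row values are HTML-escaped on output because captions and
// filenames are stored data that may contain markup.
require_once('../../includes/connection.php');
if (isset($_GET['search']) && is_string($_GET['search'])) {
    $conn = dbConnect('read');
    // Wildcards on both sides give a "contains" match. A '%' or '_' typed by
    // the user is still a LIKE wildcard (the original escaping did not change
    // that either); only the quoting problem is solved here.
    $searchterm = '%' . $_GET['search'] . '%';
    // Prepared statement: the term travels to the server separately from the
    // query text, so quotes in the input cannot alter the statement.
    $stmt = $conn->prepare('SELECT * FROM php_a04_images WHERE caption LIKE ?');
    if ($stmt === false) {
        // Keep driver error text out of the browser (it can reveal table
        // names and query structure); record it server-side instead.
        error_log('php_a04 caption search: prepare failed: ' . $conn->error);
        die('The search could not be completed.');
    }
    $stmt->bind_param('s', $searchterm);
    if (!$stmt->execute()) {
        error_log('php_a04 caption search: execute failed: ' . $stmt->error);
        die('The search could not be completed.');
    }
    // get_result() yields a mysqli_result so the fetch_assoc() loop below is
    // unchanged. NOTE(review): it requires the mysqlnd driver (the default
    // build); confirm the deployment uses it.
    $result = $stmt->get_result();
    $numRows = $result->num_rows;
}
$tools = true;
include("../../includes/header.php");
?>
<main>
<h2><?php echo $folder_name; ?><span><?php echo $file_name; ?></span></h2>
<h2>All SQL that uses user supplied values must be sanitized.</h2>
<ul>
<li><a href="https://xkcd.com/327/">Little Bobby Tables</a></li>
<li><a href="https://www.w3schools.com/sql/sql_injection.asp">W3 Schools Intro to SQL Injection.</a></li>
</ul>
<form method="get">
<fieldset>
<legend><?php echo $file_name; ?></legend>
<ol>
<li>
<label for="search"></label>
<input type="text" name="search" id="search">
</li>
<li>
<input type="submit" name="go" id="go" value="Search">
</li>
</ol>
</fieldset>
</form>
<?php if (isset($numRows)) { ?>
<p>Number of results for <b><?php echo htmlentities($_GET['search'], ENT_COMPAT, 'utf-8'); ?></b>: <?php echo (int) $numRows; ?></p>
<?php if ($numRows) { ?>
<table>
<tr>
<th scope="col">image_id</th>
<th scope="col">filename</th>
<th scope="col">caption</th>
</tr>
<?php while ($row = $result->fetch_assoc()) { ?>
<tr>
<?php // Stored values are escaped for the HTML text context; (string) copes with NULL columns. ?>
<td><?php echo htmlspecialchars((string) $row['image_id'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?></td>
<td><?php echo htmlspecialchars((string) $row['filename'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?></td>
<td><?php echo htmlspecialchars((string) $row['caption'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?></td>
</tr>
<?php } ?>
</table>
<?php }
} ?>
</main>
<?php
# The side-bar section of the layout uses a custom path to load from a different folder.
include("../../includes/sidebar.php");
# The footer section of the layout.
include("../../includes/footer.php");
?>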