ssherar · December 20, 2015 07:49
diff --git a/item.php b/item.php
 <?php

 //retrieve the id from the GET variable
 $ref = $_GET['ref'];

 //Why do all the work if $ref is empty?!
 // I think a redirect to index should be good enough
 if($ref == NULL || count($ref) == 0) {
  "<meta http-equiv='refresh' content='0; url=index.php' />";
 }

 //Lets stop those horrific SQL injections and such, shall we?
 //We do this by making sure that any bad symbols, such as <, >, = etc
 //are escaped, and will not effect the query in hand!
 mysql_real_escape_string(htmlentites($ref));

 // start up the query
 $conn = mysqli_connect($host,$user,$pass,$database);

 // Get the data
 $result = mysqli_query("SELECT* FROM student_food WHERE Ref = '{$ref}' LIMIT 1", $conn);

 // Lets echo out this delicious data

 echo $result["Name"];
 /*
 ...
 */

 //Clean up on aisle #3
 mysqli_close($conn);
 ?>
diff --git a/list.php b/list.php
 <?php

 $conn = mysqli_connect($host,$user,$pass,$database);
 $result = mysqli_query($conn, "SELECT * FROM student_food WHERE (Ingredients LIKE '%$text1%') && (Ingredients LIKE '%$text2%') && (Ingredients LIKE '%$text3%') ");
 echo "<table border='1'>";
 echo "<th>Ref</th><th>Image</th><th>Name</th><th>Description</th>\n";
 while ($b = mysqli_fetch_array($result)) {
 	echo "<tr>";
 	echo "<td>" . $b["Ref"] . "</td>";
    	echo "<td>" . $b["Image"] . "</td>";
 	$anchorString = "<a href='item.php?id={$b['Ref']}'>{$b['Name']}</a>";
 	echo "<td>" . $anchorString . "</td>";
 	echo "<td>" . $b["Description"] . "</td>";
        echo "</tr>";
 }
 echo "</table>\n";
 ?>
	<?php

	//retrieve the id from the GET variable
	$ref = $_GET['ref'];

	//Why do all the work if $ref is empty?!
	// I think a redirect to index should be good enough
	if($ref == NULL \|\| count($ref) == 0) {
	"<meta http-equiv='refresh' content='0; url=index.php' />";
	}

	//Lets stop those horrific SQL injections and such, shall we?
	//We do this by making sure that any bad symbols, such as <, >, = etc
	//are escaped, and will not effect the query in hand!
	mysql_real_escape_string(htmlentites($ref));

	// start up the query
	$conn = mysqli_connect($host,$user,$pass,$database);

	// Get the data
	$result = mysqli_query("SELECT* FROM student_food WHERE Ref = '{$ref}' LIMIT 1", $conn);

	// Lets echo out this delicious data

	echo $result["Name"];
	/*
	...
	*/

	//Clean up on aisle #3
	mysqli_close($conn);
	?>
	<?php

	$conn = mysqli_connect($host,$user,$pass,$database);
	$result = mysqli_query($conn, "SELECT * FROM student_food WHERE (Ingredients LIKE '%$text1%') && (Ingredients LIKE '%$text2%') && (Ingredients LIKE '%$text3%') ");
	echo "<table border='1'>";
	echo "<th>Ref</th><th>Image</th><th>Name</th><th>Description</th>\n";
	while ($b = mysqli_fetch_array($result)) {
	echo "<tr>";
	echo "<td>" . $b["Ref"] . "</td>";
	echo "<td>" . $b["Image"] . "</td>";
	$anchorString = "<a href='item.php?id={$b['Ref']}'>{$b['Name']}</a>";
	echo "<td>" . $anchorString . "</td>";
	echo "<td>" . $b["Description"] . "</td>";
	echo "</tr>";
	}
	echo "</table>\n";
	?>