How to search using keywords and checkbox list in php?

PHP
1

I am working on music website. I am not able to use the find the search code.
Structure of table is like that:
name of table: punjabiaudio
id,picture,albumane,artist,name1,code1…

My html code:
<form action=“search.php” method=“post” name=“search” align=“left_column”>
<h1>Search: <input name=“find” type=“text” “”/>
<select name=“select” name=“option”">
<option value=“artist” name=“artist”>artist</option>
<option value=“albumname” name=“albumname” >albumname</option>
<option value=“song” name=“song”>song</option>

&lt;/select&gt;
&lt;input type="hidden" name="searching" value="yes" /&gt;
  &lt;input type="button" name="search" value="GO" /&gt;

</form>

My php code:
<?php

include_once(“config.php”);

if($_SERVER[‘REQUEST_METHOD’]==‘POST’)
{
$name= $_POST[‘find’];
$option=$_POST[‘artist,albumname,song’];

			$query1="select * from punjabiaudio where upper($name) LIKE'%$find%',artist='$option'";
	
	while($result = mysql_fetch_array( $data ))

{
$path=“admin/pbiaudimages/”.$row[‘picture’];
echo"<a href=‘pbialbum.php?id=“.$row[‘albumname’].”’><img src=$path width=‘150px’ height=‘150px’></a> ";
}

	}

?>

i know that my php code is wrong.please tell me the right code its urgent.
The results should on next page.
thnx in advance

2

  1. You can’t do this : $option=$_POST[‘artist,albumname,song’];
    Each item in the $_POST array must be handled individually

  2. There’s an error in your query:

where upper($name) LIKE'%$find%',artist='$option'

Use AND instead of a comma between the WHERE conditions

  1. Don’t use user input in queries without any sanitizing to prevent sql injection.

or even better

  1. Please be aware that the mysql_* extension is now deprecated as of the current version of PHP and will very likely be removed from the next 5.x version and will likely not be in PHP 6.x (when it eventually is released). You should migrate over to either the mysqli_* extension or to PDO. PDO is a better choice as it doesn’t tie you down so much to a particular database server software.
    Once you have migrated you should use Prepared Statements to prevent SQL Injection attacks. Have a read of this article from the PHP manual, it shows how to use prepared statements with PDO and also explains the principle.
3

thank you sir.
is this right?
$query1=“select * from punjabiaudio where upper($field) LIKE’%$find%’ AND artist=‘$option1’ OR albumname=‘$option2’ OR song=‘$option3’”;
can i use ‘OR’ like this?

4