With thanks to @Dormilich and @spaceshiptrooper, I did some work to use prepared statements on a fairly complex query (in my opinion, anyway). I was looking at this and wondering whether there is a simpler way of doing this, or even a way to use less code. This has been a learning experience for me, and hopefully my search page will now be absolutely injection-proof.
Also, could someone point me to a method of displaying a message when the search has no results? PDO seems not to work with some of the “solutions” out there.
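<?php
// Blog keyword search. Every whitespace-separated term in the "search1"
// request parameter must occur in blog_text. Terms are handed to PDO as bound
// parameters, so user input is never spliced into the SQL text itself.
// NOTE(review): the original "<?" short tag is replaced by "<?php"; if this
// snippet is the whole file, declare(strict_types=1); could be its first statement.
include ("navigation/constants.php"); // expected to define $pdo — not visible here

// A missing parameter becomes an empty search instead of an "undefined index" notice.
$s1 = (string) ($_REQUEST["search1"] ?? '');

// Split on runs of whitespace and drop empty pieces: an empty term would
// become LIKE '%%', which matches every row in the table.
$s2 = preg_split('/\s+/', trim($s1), -1, PREG_SPLIT_NO_EMPTY);
if ($s2 === false) {
    $s2 = [];
}

if ($s2 === []) {
    echo "<p>Please enter a search term.</p>";
} else {
    // One "blog_text LIKE ?" placeholder per term, joined with AND.
    $where = implode(' AND ', array_fill(0, count($s2), 'blog_text LIKE ?'));
    $s2c = "SELECT blog_name,blog_url, blog_img, blog_desc FROM blogs WHERE {$where} ORDER by blog_id DESC ";

    // NOTE(review): assumes $pdo is configured with PDO::ERRMODE_EXCEPTION
    // (presumably in constants.php); otherwise prepare()/execute() return false
    // on failure and those return values need checking.
    $sqls = $pdo->prepare($s2c);

    // Values are passed to execute() instead of bindParam() in a loop:
    // bindParam() binds by reference, so reusing one variable left every
    // placeholder pointing at the *last* term. execute() binds by value.
    // "%" and "_" typed by the user are still LIKE wildcards here; escape them
    // (and add an ESCAPE clause) if a literal match is wanted.
    $s2p = array_map(static fn (string $term): string => "%{$term}%", $s2);
    $sqls->execute($s2p);

    $found = false;
    while ($row = $sqls->fetch(PDO::FETCH_ASSOC)) {
        $found = true;
        // Escape for HTML text and double-quoted attribute context.
        $k1 = htmlentities((string) $row['blog_name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $k2 = htmlentities((string) $row['blog_url'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $k3 = htmlentities((string) $row['blog_img'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $k4 = htmlentities((string) $row['blog_desc'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        // blog_url and blog_img come from the database and are used as path
        // segments; this assumes they are plain slugs/filenames — confirm they
        // cannot contain "/" or ".." if those columns are ever user-editable.
        echo "<div id=\"block1\"><div id=\"suba\"><h2>".$k1."</h2> <a href=\"../blog/".$k2.".html\"><img src=\"../img/".$k3."\" width=\"98%\" align=\"left\" ></a><div id=\"subat\">".$k4." <a href=\"../blog/".$k2.".html\">more about ".$k1."</a></div></div></div>";
    }

    // Emit a message when the query returned no rows at all.
    if (!$found) {
        echo "<p>No results found.</p>";
    }
}
?>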