Data from a form post or url parameters is held in the $_POST or $_GET array (in the case of a form decided by the form method <form method="post>)
You should clean this data prior to placing in any function or database query. Some simple functions:
<?php
// data from form is in post array
$searchString = $_POST['searchterm'];
// check that the value is not balnk
if(strlen(trim($searchString))) {
// remove any injected html
$searchString = strip_tags(trim($searchString));
// perform search query and escape variable
$result = mysql_query("SELECT * FROM tablename WHERE x LIKE '".mysql_real_escape_string($searchString)."%'");
print "Your search for: ".$searchString." returned ".mysql_num_rows($searchString)." results";
}
else {
print "Please enter a valid search term";
}
?>
