Pagination is broken #13
Description
//Prevent SQL injection by checking that $query_start is a number
if (!is_int($query_start))
$query_start = 0;
$sql = "SELECT * FROM parcels WHERE $cat_where" .
" (parcelname LIKE :text1" .
" OR description LIKE :text2)" .
$type . " ORDER BY $order parcelname" .
" LIMIT $query_start,101";
Is wrong. Don't need to test for is_int, just type cast it (int)$query_start
Big problem is the initial search from start 0 needs to include all or at least most of the search results, so the end limit should be 1000 or even higher. In order for the pagination to work if the $query_start is not 0 it needs to calculate a 100 item offset for the end of each page. Viewer will send the query start integer and we need to calc the end limit.
//Prevent SQL injection by checking that $query_start is a number
$query_start = (int)$query_start;
if ($query_start != 0 && ($query_start%100 != 0))
$query_start = 0;
$query_end = 101;
$sql = "SELECT * FROM parcels WHERE $cat_where" .
" (parcelname LIKE :text1" .
" OR description LIKE :text2)" .
$type . " ORDER BY $order parcelname" .
" LIMIT ".$query_start.",".$query_end.";";
This will make the pagination work in the viewer displaying 100 items a piece. Events, classifieds, popular places and land sales are affected by this. If you want to prevent sql injection entirely use the real_escape_string everywhere applicable or use pdo method to prep the query which will barf if there is any bad data in there.