Two Search Fields (One a drop down list) - PHP & MYSQL Code
I really would like some help on this as I'm pulling hair out!!! I have two fields, one being an input box & the other being a drop down list which search the database and display the results, however I cannot seem to figure it out...here is what I have so far...
This is the actual search form:
<form id="myform" name="myform" action="<?php echo $_SERVER['PHP_SELF']?>" method="get"><br />
<div class="T1"><br /><p></div> <input name="term" type="text" value="<?php echo $_GET['searched']; ?>" size="10" maxlength="4" placeholder="e.g. BS1"/>
<select>
<option value="">I feel like...</option>
<option value="">Anything</option>
<option value="Indian">Indian</option>
<option value="Chinese">Chinese</option>
<option value="Thai">Thai</option>
</select>
<input type="submit" name="submit" value="Go"/>
</form>
And this is the PHP code:
<?php
if (isset($_GET['submit'])){
mysql_connect ("host", "user","password") or die (mysql_error());
mysql_select_db ("database");
$term = $_GET['term'];
$term = $_GET['option value'];
}
else
$sql = mysql_query("select pagetitle from Restaurant where extra like '%$term%' and showing like '1'");
$sql = mysql_query("select cuisine from Restaurant where cuisine like 'option value' and showing like '1'");
echo Restaurants in $term and Cuisine $option value:";
}
while ($row = @mysql_fetch_array($sql)){
echo ''.$row['pagetitle'];
echo '<br/>';
}
}
?>
The database has a table called Restaurant with two columns, one called 'Extra' which contains the postcode & the other called 'Cuisine' which contains the cuisine. I would like it to return a list of restaurants that match both 'Extra' and 'Cuisine'. Any help will be greatly appreciated.
Echoing $_SERVER['PHP_SELF'] or $_GET['searched'] anywhere in your script (even in the form action) will open your site up to XSS attacks. Do not do this unless you sanitize them first.
For all new projects, it is recommended to use prepared statements for mysql queries. You can do this with either mysqli or PDO. Your code is just asking for SQL injection by the looks of what you are trying to do.
You are missing a bracket in your code and you have some extra ones at the end. Also after echo you're missing a quotation mark. I'm not sure what's going on there. Try to get those fixed.
What is with the @ before mysql_fetch_array() ? There are really very few cases where @ should ever be used in PHP. It is usually an indicator that there is some sort of error somewhere in your code that should be fixed instead of suppressed.
Your <select> needs a name attribute if you want to be able to use it in PHP.
In your SQL query, you should not be using LIKE when you should be using equals. Also, you should not quote integers.
Why are you echoing an empty string like echo ''.$somevar; ? Just echo the variable.
I'm not sure what "showing" is for but I assume it is a record that can be displayed. The first thing to do is update your query:
$sql = mysql_query("select pagetitle, cuisine from Restaurant where (extra like '%$term%') and (showing like '1') and (cuisine like 'option value')");
You also need to check if the user did not enter an option or selected 'anything' in which case the query needs to be changed a little:
$sql = mysql_query("select pagetitle, cuisine from Restaurant where (extra like '%$term%') and (showing like '1') and (cuisine like 'option value' or 'option value' = '')");
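The points raised in the answers above (bound parameters instead of string-built SQL, an optional cuisine filter, escaped output) combined into one sketch; this is an added example, not code from any of the posters. It assumes the <select> is given name="cuisine" (a hypothetical name), uses PDO, and runs on constructed rows in an in-memory SQLite database so it works offline.

```php
<?php
declare(strict_types=1);

// Search by postcode fragment and, optionally, cuisine, using bound parameters.
function findRestaurants(PDO $pdo, string $term, string $cuisine): array
{
    // Escape LIKE wildcards so the input matches literally ('!' is the escape char).
    $like = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term) . '%';

    $sql = "SELECT pagetitle, cuisine FROM Restaurant
            WHERE extra LIKE :term ESCAPE '!' AND showing = 1";
    $params = [':term' => $like];

    // An empty value (the "Anything" option) means no cuisine filter.
    if ($cuisine !== '') {
        $sql .= ' AND cuisine = :cuisine';
        $params[':cuisine'] = $cuisine;
    }

    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// HTML-escape any value before echoing it into the page.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed demo rows (assumption: pdo_sqlite is available; for MySQL use a
// DSN of the form mysql:host=...;dbname=...;charset=utf8mb4 instead).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Restaurant (pagetitle TEXT, extra TEXT, cuisine TEXT, showing INTEGER)');
$pdo->exec("INSERT INTO Restaurant VALUES
    ('Spice Route', 'BS1', 'Indian', 1),
    ('Golden Wok', 'BS1', 'Chinese', 1),
    ('Hidden Curry', 'BS1', 'Indian', 0)");

// Stand-ins for $_GET['term'] and $_GET['cuisine'] (hypothetical field name).
$term = 'BS1';
$cuisine = "Indian'";   // a stray quote is bound as data, never parsed as SQL

foreach ([$cuisine, 'Indian', ''] as $choice) {
    echo 'Restaurants in ' . e($term) . ' and cuisine ' . e($choice) . ":<br/>\n";
    foreach (findRestaurants($pdo, $term, $choice) as $row) {
        echo e($row['pagetitle']) . "<br/>\n";
    }
}
```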