From e85c7fd57887124dd64be1d125f8b393fc6e096d Mon Sep 17 00:00:00 2001
From: Daniel Messer <cyberpunklibrarian@protonmail.com>
Date: Wed, 8 Oct 2025 15:40:14 -0500
Subject: [PATCH] Security and functional improvements to results.php

---
 archive/results-old.php | 381 +++++++++++++++++++++++++++++++++++
 results.php             | 437 ++++++++++++++++++++--------------------
 2 files changed, 602 insertions(+), 216 deletions(-)
 create mode 100644 archive/results-old.php

diff --git a/archive/results-old.php b/archive/results-old.php
new file mode 100644
index 0000000..af793c9
--- /dev/null
+++ b/archive/results-old.php
@@ -0,0 +1,381 @@
+<?php
+
+include_once "settings.php";
+
+// Get and use a basic title search for pulling records.
+$keywordsearch = htmlspecialchars($_GET["kw"]);
+$authorsearch = htmlspecialchars($_GET["au"]);
+$typesearch = htmlspecialchars($_GET["ty"]);
+$subtypesearch = htmlspecialchars($_GET["st"]);
+$seriessearch = htmlspecialchars($_GET["se"]);
+$subjectsearch = htmlspecialchars($_GET["su"]);
+
+$socialkw = mb_convert_case($keywordsearch, MB_CASE_TITLE, "UTF-8");
+$socialau = mb_convert_case($authorsearch, MB_CASE_TITLE, "UTF-8");
+$socialty = mb_convert_case($typesearch, MB_CASE_TITLE, "UTF-8");
+$socialst = mb_convert_case($subtypesearch, MB_CASE_TITLE, "UTF-8");
+$socialse = mb_convert_case($seriessearch, MB_CASE_TITLE, "UTF-8");
+$socialsu = mb_convert_case($subjectsearch, MB_CASE_TITLE, "UTF-8");
+
+if (!empty($keywordsearch)) {
+	$searchtopic = 'Keyword: '.$socialkw;
+} elseif (!empty($authorsearch)) {
+	$searchtopic = 'Author: '.$socialau;
+} elseif (!empty($typesearch))  {
+	$searchtopic = 'Type: '.$socialty;
+} elseif (!empty($seriessearch)) {
+	$searchtopic = 'Series: '.$socialse;
+} elseif (!empty($subjectsearch)) {
+	$searchtopic = 'Subject: '.$socialsu;
+} else {
+	$searchtopic = 'Subtype: '.$socialst;
+}
+
+// -------------------- BEGIN DATABASE QUERIES --------------------
+
+// Establish atabase connection
+$db = new SQLite3('metadata.sqlite');
+
+$keywordquery = $db->query("SELECT
+DISTINCT books.id AS id,
+books.title AS title,
+SUBSTR(comments.text,0,120) AS excerpt
+FROM books
+INNER JOIN
+comments ON comments.book = books.id
+INNER JOIN
+books_tags_link ON books_tags_link.book = books.id
+INNER JOIN
+tags ON tags.id = books_tags_link.tag
+WHERE books.title LIKE '%$keywordsearch%'
+OR books.author_sort LIKE '%$keywordsearch%'
+OR comments.text LIKE '%$keywordsearch%'
+OR tags.name LIKE '%$keywordsearch%'
+ORDER BY books.title ASC");
+
+$authorquery = $db->query("SELECT
+DISTINCT books.id AS id,
+books.title AS title,
+SUBSTR(comments.text,0,120) AS excerpt
+FROM books
+INNER JOIN
+comments ON comments.book = books.id
+INNER JOIN
+books_tags_link ON books_tags_link.book = books.id
+WHERE books.author_sort LIKE '%$authorsearch%'
+ORDER BY books.title ASC");
+
+$typequery = $db->query("SELECT
+DISTINCT books.id AS id,
+books.title AS title,
+SUBSTR(comments.text,0,120) AS excerpt
+FROM books
+INNER JOIN
+comments ON comments.book = books.id
+INNER JOIN
+books_custom_column_1_link ON books_custom_column_1_link.book = books.id
+INNER JOIN
+custom_column_1 ON custom_column_1.id = books_custom_column_1_link.value
+WHERE
+custom_column_1.value = '$typesearch'
+ORDER BY books.title ASC");
+
+$subtypequery = $db->query("SELECT
+DISTINCT books.id AS id,
+books.title AS title,
+SUBSTR(comments.text,0,120) AS excerpt
+FROM books
+INNER JOIN
+comments ON comments.book = books.id
+INNER JOIN
+books_custom_column_3_link ON books_custom_column_3_link.book = books.id
+INNER JOIN
+custom_column_3 ON custom_column_3.id = books_custom_column_3_link.value
+WHERE
+custom_column_3.value = '$subtypesearch'
+ORDER BY books.title ASC");
+
+$seriesquery = $db->query("SELECT
+DISTINCT books.id AS id,
+books.title AS title,
+SUBSTR(comments.text,0,120) AS excerpt
+FROM books
+INNER JOIN
+comments ON comments.book = books.id
+INNER JOIN
+books_series_link ON books_series_link.book = books.id
+INNER JOIN
+series ON series.id = books_series_link.series
+WHERE series.name = '$seriessearch'
+ORDER BY books.series_index ASC");
+
+$subjectquery = $db->query("SELECT
+DISTINCT books.id AS id,
+books.title AS title,
+SUBSTR(comments.text,0,120) AS excerpt
+FROM books
+INNER JOIN
+comments ON comments.book = books.id
+INNER JOIN
+books_tags_link on books_tags_link.book = books.id
+INNER JOIN
+tags on tags.id = books_tags_link.tag
+WHERE tags.name = '$subjectsearch'
+ORDER BY books.title ASC");
+
+$types = $db->query("SELECT
+value
+FROM custom_column_1
+ORDER BY value ASC");
+
+$subtypes = $db->query("SELECT
+value
+FROM custom_column_3
+ORDER BY value ASC");
+
+?>
+
+
+<!DOCTYPE html>
+<!--[if lt IE 7]>      <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
+<!--[if IE 7]>         <html class="no-js lt-ie9 lt-ie8"> <![endif]-->
+<!--[if IE 8]>         <html class="no-js lt-ie9"> <![endif]-->
+<!--[if gt IE 8]><!--> <html class="no-js"> <!--<![endif]-->
+	<head>
+	<meta charset="utf-8">
+	<meta http-equiv="X-UA-Compatible" content="IE=edge">
+	<title>Infopump - Search results - <?php echo $searchtopic; ?></title>
+	<meta name="viewport" content="width=device-width, initial-scale=1">
+	<meta name="description" content="Free HTML5 Template by FREEHTML5.CO" />
+	<meta name="keywords" content="free html5, free template, free bootstrap, html5, css3, mobile first, responsive" />
+	<meta name="author" content="FREEHTML5.CO" />
+
+  <!-- 
+	//////////////////////////////////////////////////////
+
+	FREE HTML5 TEMPLATE 
+	DESIGNED & DEVELOPED by FREEHTML5.CO
+		
+	Website: 		http://freehtml5.co/
+	Email: 			info@freehtml5.co
+	Twitter: 		http://twitter.com/fh5co
+	Facebook: 		https://www.facebook.com/fh5co
+
+	//////////////////////////////////////////////////////
+	 -->
+
+  	<!-- Facebook and Twitter integration -->
+	<meta property="og:title" content=<?php echo '"'.$SiteName.' - Search - '.$searchtopic.'" />';?>
+
+	<meta property="og:image" content=<?php echo '"'.$SiteURL.'/images/og-site-avatar.jpg" />';?>
+
+	<?php
+		if (!empty($keywordsearch)) {
+			echo '<meta property="og:url" content="'.$SiteURL.'/results.php?kw='.$socialkw.'" />';
+			echo '<meta name="twitter:url" content="'.$SiteURL.'/results.php?kw='.$socialkw.'" />';
+		} elseif (!empty($authorsearch)) {
+			echo '<meta property="og:url" content="'.$SiteURL.'/results.php?au='.$socialau.'" />';
+			echo '<meta name="twitter:url" content="'.$SiteURL.'/results.php?au='.$socialau.'" />';
+		} elseif (!empty($typesearch)) {
+			echo '<meta property="og:url" content="'.$SiteURL.'/results.php?ty='.$socialty.'" />';
+			echo '<meta name="twitter:url" content="'.$SiteURL.'/results.php?ty='.$socialty.'" />';
+		} elseif (!empty($seriessearch)) {
+			echo '<meta property="og:url" content="'.$SiteURL.'/results.php?ty='.$socialse.'" />';
+			echo '<meta name="twitter:url" content="'.$SiteURL.'/results.php?ty='.$socialse.'" />';
+		} elseif (!empty($subjectsearch)) {
+			echo '<meta property="og:url" content="'.$SiteURL.'/results.php?ty='.$socialsu.'" />';
+			echo '<meta name="twitter:url" content="'.$SiteURL.'/results.php?ty='.$socialsu.'" />';
+		} else {
+			echo '<meta property="og:url" content="'.$SiteURL.'/results.php?ty='.$socialst.'" />';
+			echo '<meta name="twitter:url" content="'.$SiteURL.'/results.php?ty='.$socialst.'" />';
+		}
+	?>
+
+	<meta property="og:site_name" content=<?php echo '"'.$SiteName.' - Search Results" />';?>
+
+	<meta property="og:description" content=<?php echo '"'.$SubName.'" />';?>
+
+	<meta name="twitter:title" content=<?php echo '"'.$SiteName.' - Search - '.$searchtopic.'" />';?>
+
+	<meta name="twitter:image" content=<?php echo '"'.$SiteURL.'/images/og-site-avatar.jpg" />';?>
+
+	
+
+	<meta name="twitter:card" content="summary" />
+
+	<!-- Place favicon.ico and apple-touch-icon.png in the root directory -->
+	<link rel="shortcut icon" href="favicon.ico">
+	<!-- Google Fonts -->
+	<link href='http://fonts.googleapis.com/css?family=Playfair+Display:400,700,400italic|Roboto:400,300,700' rel='stylesheet' type='text/css'>
+	<!-- Animate -->
+	<link rel="stylesheet" href="css/animate.css">
+	<!-- Icomoon -->
+	<link rel="stylesheet" href="css/icomoon.css">
+	<!-- Bootstrap  -->
+	<link rel="stylesheet" href="css/bootstrap.css">
+
+	<link rel="stylesheet" href="css/style.css">
+
+
+	<!-- Modernizr JS -->
+	<script src="js/modernizr-2.6.2.min.js"></script>
+	<!-- FOR IE9 below -->
+	<!--[if lt IE 9]>
+	<script src="js/respond.min.js"></script>
+	<![endif]-->
+
+	</head>
+	<body>
+	<div id="fh5co-offcanvas">
+		<a href="#" class="fh5co-close-offcanvas js-fh5co-close-offcanvas"><span><i class="icon-cross3"></i> <span>Close</span></span></a>
+		<div class="fh5co-bio">
+			<figure>
+				<a href="index.php"><img src="images/avatar.jpg" alt="Infopump Avatar" class="img-responsive"></a>
+			</figure>
+			<h3 class="heading">About the Project</h3>
+			<a href="index.php"><h2>Infopump</h2></a>
+			<p>A bibliographic management and display system.</p>
+			<hr>
+			<p>A free, open source project from:<br />
+				<a href="https://rss.com/podcasts/l0wl1f3podcast/">The L0WL1F3 Podcast</a><br />
+				<a href="https://www.neondystopia.com/">Neon Dystopia</a><br />
+				<a href="https://cyberpunklibrarian.com">Cyberpunk Librarian</a>
+			</p>
+			<ul class="fh5co-social">
+				<!--<li><a href="#"><i class="icon-twitter"></i></a></li>-->
+				<!--<li><a href="#"><i class="icon-facebook"></i></a></li>
+				<li><a href="#"><i class="icon-instagram"></i></a></li>-->
+			</ul>
+		</div>
+
+		<div class="fh5co-menu">
+			<div class="fh5co-box">
+				<h3 class="heading">Recent Additions</h3>
+				<ul>
+				<?php
+				while ($row = $types->fetchArray()) {
+					$row_value = $row['value'];
+					$row_titlecase = mb_convert_case($row_value, MB_CASE_TITLE, "UTF-8");
+					echo '<li><a href="recent.php?ty='.$row_value.'">'.$row_titlecase.'</a></li>';
+					//echo '<li>'.$row_value.'</li>';
+					
+				}
+				?>
+				</ul>
+			</div>
+			<div class="fh5co-box">
+				<h3 class="heading">Search</h3>
+				<form action="results.php" method="get">
+					<div class="form-group">
+						<input type="text" class="form-control" name="kw" placeholder="Keyword search">
+					</div>
+				</form>
+			</div>
+		</div>
+	</div>
+
+	<!-- END #fh5co-offcanvas -->
+	<header id="fh5co-header">
+		
+		<div class="container-fluid">
+
+			<div class="row">
+				<a href="#" class="js-fh5co-nav-toggle fh5co-nav-toggle"><i></i></a>
+				<!-- <ul class="fh5co-social">
+					<li><a href="#"><i class="icon-twitter"></i></a></li>
+					<li><a href="#"><i class="icon-facebook"></i></a></li>
+					<li><a href="#"><i class="icon-instagram"></i></a></li>
+				</ul> -->
+				<div class="col-lg-12 col-md-12 text-center">
+					<h1 id="fh5co-logo"><a href="index.php">Search Results<br /><br /><?php echo $searchtopic; ?></a></h1>
+				</div>
+
+			</div>
+		
+		</div>
+
+	</header>
+	<!-- END #fh5co-header -->
+	<div class="container-fluid">
+		<div class="row fh5co-post-entry single-entry">
+			<article class="col-lg-8 col-lg-offset-2 col-md-8 col-md-offset-2 col-sm-8 col-sm-offset-2 col-xs-12 col-xs-offset-0">
+				<div class="col-lg-12 col-lg-offset-0 col-md-12 col-md-offset-0 col-sm-12 col-sm-offset-0 col-xs-12 col-xs-offset-0 text-left content-article">
+					<div class="row rp-b">
+						<div class="col-md-12 animate-box">
+							<?php
+							if ($keywordsearch != '') {
+							while ($row = $keywordquery->fetchArray()) {
+								$row_id = $row['id'];
+								$row_title = $row['title'];
+								$row_excerpt = $row['excerpt'];
+							
+								echo '<p style="padding:25px 0 35px 0;"><img style="float:left; max-height: 120px; padding: 10px 10px" src="images/'.$row_id.'.jpg"><strong><em><a href="itemrecord.php?itemid='.$row_id.'">'.$row_title.'</em></a> :</strong> '.strip_tags($row_excerpt).'...</p>';
+							}
+						} elseif ($typesearch != '') {
+							while ($row = $typequery->fetchArray()) {
+								$row_id = $row['id'];
+								$row_title = $row['title'];
+								$row_excerpt = $row['excerpt'];
+							
+								echo '<p style="padding:25px 0 35px 0;"><img style="float:left; max-height: 120px; padding: 10px 10px" src="images/'.$row_id.'.jpg"><strong><em><a href="itemrecord.php?itemid='.$row_id.'">'.$row_title.'</em></a> :</strong> '.strip_tags($row_excerpt).'...</p>';								
+						}
+						} elseif ($authorsearch != '') {
+							while ($row = $authorquery->fetchArray()) {
+								$row_id = $row['id'];
+								$row_title = $row['title'];
+								$row_excerpt = $row['excerpt'];
+							
+								echo '<p style="padding:25px 0 35px 0;"><img style="float:left; max-height: 120px; padding: 10px 10px" src="images/'.$row_id.'.jpg"><strong><em><a href="itemrecord.php?itemid='.$row_id.'">'.$row_title.'</em></a> :</strong> '.strip_tags($row_excerpt).'...</p>';
+							}
+						} elseif ($seriessearch != '') {
+							while ($row = $seriesquery->fetchArray()) {
+								$row_id = $row['id'];
+								$row_title = $row['title'];
+								$row_excerpt = $row['excerpt'];
+							
+								echo '<p style="padding:25px 0 35px 0;"><img style="float:left; max-height: 120px; padding: 10px 10px" src="images/'.$row_id.'.jpg"><strong><em><a href="itemrecord.php?itemid='.$row_id.'">'.$row_title.'</em></a> :</strong> '.strip_tags($row_excerpt).'...</p>';
+							}
+						} elseif ($subjectsearch != '') {
+							while ($row = $subjectquery->fetchArray()) {
+								$row_id = $row['id'];
+								$row_title = $row['title'];
+								$row_excerpt = $row['excerpt'];
+							
+								echo '<p style="padding:25px 0 35px 0;"><img style="float:left; max-height: 120px; padding: 10px 10px" src="images/'.$row_id.'.jpg"><strong><em><a href="itemrecord.php?itemid='.$row_id.'">'.$row_title.'</em></a> :</strong> '.strip_tags($row_excerpt).'...</p>';
+							}
+						} else {
+							while ($row = $subtypequery->fetchArray()) {
+								$row_id = $row['id'];
+								$row_title = $row['title'];
+								$row_excerpt = $row['excerpt'];
+
+								echo '<p style="padding:25px 0 35px 0;"><img style="float:left; max-height: 120px; padding: 10px 10px" src="images/'.$row_id.'.jpg"><strong><em><a href="itemrecord.php?itemid='.$row_id.'">'.$row_title.'</em></a> :</strong> '.strip_tags($row_excerpt).'...</p>';
+							}
+						}	
+							?>
+						</div>
+					</div>
+					
+				</div>
+			</article>
+		</div>
+	</div>
+
+	<footer id="fh5co-footer">
+	<p><small>&copy; Creative Commons By-NC-SA<br> Design by <a href="http://freehtml5.co" target="_blank">FREEHTML5.co</a></small></p>
+	</footer>
+	
+	<!-- jQuery -->
+	<script src="js/jquery.min.js"></script>
+	<!-- jQuery Easing -->
+	<script src="js/jquery.easing.1.3.js"></script>
+	<!-- Bootstrap -->
+	<script src="js/bootstrap.min.js"></script>
+	<!-- Waypoints -->
+	<script src="js/jquery.waypoints.min.js"></script>
+	<!-- Main JS -->
+	<script src="js/main.js"></script>
+
+	</body>
+</html>
+
diff --git a/results.php b/results.php
index af793c9..162c5ab 100644
--- a/results.php
+++ b/results.php
@@ -2,140 +2,200 @@
 
 include_once "settings.php";
 
-// Get and use a basic title search for pulling records.
-$keywordsearch = htmlspecialchars($_GET["kw"]);
-$authorsearch = htmlspecialchars($_GET["au"]);
-$typesearch = htmlspecialchars($_GET["ty"]);
-$subtypesearch = htmlspecialchars($_GET["st"]);
-$seriessearch = htmlspecialchars($_GET["se"]);
-$subjectsearch = htmlspecialchars($_GET["su"]);
+// Initialize variables
+$keywordsearch = '';
+$authorsearch = '';
+$typesearch = '';
+$subtypesearch = '';
+$seriessearch = '';
+$subjectsearch = '';
+$searchtopic = '';
+$searchtype = '';
 
-$socialkw = mb_convert_case($keywordsearch, MB_CASE_TITLE, "UTF-8");
-$socialau = mb_convert_case($authorsearch, MB_CASE_TITLE, "UTF-8");
-$socialty = mb_convert_case($typesearch, MB_CASE_TITLE, "UTF-8");
-$socialst = mb_convert_case($subtypesearch, MB_CASE_TITLE, "UTF-8");
-$socialse = mb_convert_case($seriessearch, MB_CASE_TITLE, "UTF-8");
-$socialsu = mb_convert_case($subjectsearch, MB_CASE_TITLE, "UTF-8");
+// Sanitize and validate input
+if (!empty($_GET["kw"])) {
+    $keywordsearch = trim($_GET["kw"]);
+    $searchtopic = 'Keyword: ' . htmlspecialchars($keywordsearch, ENT_QUOTES, 'UTF-8');
+    $searchtype = 'keyword';
+} elseif (!empty($_GET["au"])) {
+    $authorsearch = trim($_GET["au"]);
+    $searchtopic = 'Author: ' . htmlspecialchars($authorsearch, ENT_QUOTES, 'UTF-8');
+    $searchtype = 'author';
+} elseif (!empty($_GET["ty"])) {
+    $typesearch = trim($_GET["ty"]);
+    $searchtopic = 'Type: ' . htmlspecialchars(mb_convert_case($typesearch, MB_CASE_TITLE, "UTF-8"), ENT_QUOTES, 'UTF-8');
+    $searchtype = 'type';
+} elseif (!empty($_GET["st"])) {
+    $subtypesearch = trim($_GET["st"]);
+    $searchtopic = 'Subtype: ' . htmlspecialchars(mb_convert_case($subtypesearch, MB_CASE_TITLE, "UTF-8"), ENT_QUOTES, 'UTF-8');
+    $searchtype = 'subtype';
+} elseif (!empty($_GET["se"])) {
+    $seriessearch = trim($_GET["se"]);
+    $searchtopic = 'Series: ' . htmlspecialchars($seriessearch, ENT_QUOTES, 'UTF-8');
+    $searchtype = 'series';
+} elseif (!empty($_GET["su"])) {
+    $subjectsearch = trim($_GET["su"]);
+    $searchtopic = 'Subject: ' . htmlspecialchars($subjectsearch, ENT_QUOTES, 'UTF-8');
+    $searchtype = 'subject';
+}
 
-if (!empty($keywordsearch)) {
-	$searchtopic = 'Keyword: '.$socialkw;
-} elseif (!empty($authorsearch)) {
-	$searchtopic = 'Author: '.$socialau;
-} elseif (!empty($typesearch))  {
-	$searchtopic = 'Type: '.$socialty;
-} elseif (!empty($seriessearch)) {
-	$searchtopic = 'Series: '.$socialse;
-} elseif (!empty($subjectsearch)) {
-	$searchtopic = 'Subject: '.$socialsu;
-} else {
-	$searchtopic = 'Subtype: '.$socialst;
+// If no valid search parameter, redirect to index
+if (empty($searchtype)) {
+    header('Location: index.php');
+    exit;
 }
 
 // -------------------- BEGIN DATABASE QUERIES --------------------
 
-// Establish atabase connection
-$db = new SQLite3('metadata.sqlite');
+// Establish database connection
+try {
+    $db = new SQLite3('metadata.sqlite');
+    $db->enableExceptions(true);
+} catch (Exception $e) {
+    error_log("Database connection error: " . $e->getMessage());
+    die("Database connection failed");
+}
 
-$keywordquery = $db->query("SELECT
-DISTINCT books.id AS id,
-books.title AS title,
-SUBSTR(comments.text,0,120) AS excerpt
-FROM books
-INNER JOIN
-comments ON comments.book = books.id
-INNER JOIN
-books_tags_link ON books_tags_link.book = books.id
-INNER JOIN
-tags ON tags.id = books_tags_link.tag
-WHERE books.title LIKE '%$keywordsearch%'
-OR books.author_sort LIKE '%$keywordsearch%'
-OR comments.text LIKE '%$keywordsearch%'
-OR tags.name LIKE '%$keywordsearch%'
-ORDER BY books.title ASC");
+// Prepare the appropriate query based on search type
+$results = null;
 
-$authorquery = $db->query("SELECT
-DISTINCT books.id AS id,
-books.title AS title,
-SUBSTR(comments.text,0,120) AS excerpt
-FROM books
-INNER JOIN
-comments ON comments.book = books.id
-INNER JOIN
-books_tags_link ON books_tags_link.book = books.id
-WHERE books.author_sort LIKE '%$authorsearch%'
-ORDER BY books.title ASC");
+switch ($searchtype) {
+    case 'keyword':
+        $searchPattern = '%' . $keywordsearch . '%';
+        $stmt = $db->prepare("SELECT
+            DISTINCT books.id AS id,
+            books.title AS title,
+            SUBSTR(comments.text, 0, 120) AS excerpt
+            FROM books
+            INNER JOIN comments ON comments.book = books.id
+            INNER JOIN books_tags_link ON books_tags_link.book = books.id
+            INNER JOIN tags ON tags.id = books_tags_link.tag
+            WHERE books.title LIKE :search
+            OR books.author_sort LIKE :search
+            OR comments.text LIKE :search
+            OR tags.name LIKE :search
+            ORDER BY books.title ASC
+            LIMIT 100");
+        $stmt->bindValue(':search', $searchPattern, SQLITE3_TEXT);
+        break;
+        
+    case 'author':
+        $searchPattern = '%' . $authorsearch . '%';
+        $stmt = $db->prepare("SELECT
+            DISTINCT books.id AS id,
+            books.title AS title,
+            SUBSTR(comments.text, 0, 120) AS excerpt
+            FROM books
+            INNER JOIN comments ON comments.book = books.id
+            INNER JOIN books_tags_link ON books_tags_link.book = books.id
+            WHERE books.author_sort LIKE :search
+            ORDER BY books.title ASC
+            LIMIT 100");
+        $stmt->bindValue(':search', $searchPattern, SQLITE3_TEXT);
+        break;
+        
+    case 'type':
+        $stmt = $db->prepare("SELECT
+            DISTINCT books.id AS id,
+            books.title AS title,
+            SUBSTR(comments.text, 0, 120) AS excerpt
+            FROM books
+            INNER JOIN comments ON comments.book = books.id
+            INNER JOIN books_custom_column_1_link ON books_custom_column_1_link.book = books.id
+            INNER JOIN custom_column_1 ON custom_column_1.id = books_custom_column_1_link.value
+            WHERE custom_column_1.value = :search
+            ORDER BY books.title ASC
+            LIMIT 100");
+        $stmt->bindValue(':search', $typesearch, SQLITE3_TEXT);
+        break;
+        
+    case 'subtype':
+        $stmt = $db->prepare("SELECT
+            DISTINCT books.id AS id,
+            books.title AS title,
+            SUBSTR(comments.text, 0, 120) AS excerpt
+            FROM books
+            INNER JOIN comments ON comments.book = books.id
+            INNER JOIN books_custom_column_3_link ON books_custom_column_3_link.book = books.id
+            INNER JOIN custom_column_3 ON custom_column_3.id = books_custom_column_3_link.value
+            WHERE custom_column_3.value = :search
+            ORDER BY books.title ASC
+            LIMIT 100");
+        $stmt->bindValue(':search', $subtypesearch, SQLITE3_TEXT);
+        break;
+        
+    case 'series':
+        $stmt = $db->prepare("SELECT
+            DISTINCT books.id AS id,
+            books.title AS title,
+            SUBSTR(comments.text, 0, 120) AS excerpt
+            FROM books
+            INNER JOIN comments ON comments.book = books.id
+            INNER JOIN books_series_link ON books_series_link.book = books.id
+            INNER JOIN series ON series.id = books_series_link.series
+            WHERE series.name = :search
+            ORDER BY books.series_index ASC
+            LIMIT 100");
+        $stmt->bindValue(':search', $seriessearch, SQLITE3_TEXT);
+        break;
+        
+    case 'subject':
+        $stmt = $db->prepare("SELECT
+            DISTINCT books.id AS id,
+            books.title AS title,
+            SUBSTR(comments.text, 0, 120) AS excerpt
+            FROM books
+            INNER JOIN comments ON comments.book = books.id
+            INNER JOIN books_tags_link ON books_tags_link.book = books.id
+            INNER JOIN tags ON tags.id = books_tags_link.tag
+            WHERE tags.name = :search
+            ORDER BY books.title ASC
+            LIMIT 100");
+        $stmt->bindValue(':search', $subjectsearch, SQLITE3_TEXT);
+        break;
+}
 
-$typequery = $db->query("SELECT
-DISTINCT books.id AS id,
-books.title AS title,
-SUBSTR(comments.text,0,120) AS excerpt
-FROM books
-INNER JOIN
-comments ON comments.book = books.id
-INNER JOIN
-books_custom_column_1_link ON books_custom_column_1_link.book = books.id
-INNER JOIN
-custom_column_1 ON custom_column_1.id = books_custom_column_1_link.value
-WHERE
-custom_column_1.value = '$typesearch'
-ORDER BY books.title ASC");
+// Execute query and handle errors
+try {
+    $results = $stmt->execute();
+} catch (Exception $e) {
+    error_log("Query execution error: " . $e->getMessage());
+    $results = null;
+}
 
-$subtypequery = $db->query("SELECT
-DISTINCT books.id AS id,
-books.title AS title,
-SUBSTR(comments.text,0,120) AS excerpt
-FROM books
-INNER JOIN
-comments ON comments.book = books.id
-INNER JOIN
-books_custom_column_3_link ON books_custom_column_3_link.book = books.id
-INNER JOIN
-custom_column_3 ON custom_column_3.id = books_custom_column_3_link.value
-WHERE
-custom_column_3.value = '$subtypesearch'
-ORDER BY books.title ASC");
+// Get types for menu
+try {
+    $types = $db->query("SELECT value FROM custom_column_1 ORDER BY value ASC");
+} catch (Exception $e) {
+    error_log("Types query error: " . $e->getMessage());
+    $types = null;
+}
 
-$seriesquery = $db->query("SELECT
-DISTINCT books.id AS id,
-books.title AS title,
-SUBSTR(comments.text,0,120) AS excerpt
-FROM books
-INNER JOIN
-comments ON comments.book = books.id
-INNER JOIN
-books_series_link ON books_series_link.book = books.id
-INNER JOIN
-series ON series.id = books_series_link.series
-WHERE series.name = '$seriessearch'
-ORDER BY books.series_index ASC");
-
-$subjectquery = $db->query("SELECT
-DISTINCT books.id AS id,
-books.title AS title,
-SUBSTR(comments.text,0,120) AS excerpt
-FROM books
-INNER JOIN
-comments ON comments.book = books.id
-INNER JOIN
-books_tags_link on books_tags_link.book = books.id
-INNER JOIN
-tags on tags.id = books_tags_link.tag
-WHERE tags.name = '$subjectsearch'
-ORDER BY books.title ASC");
-
-$types = $db->query("SELECT
-value
-FROM custom_column_1
-ORDER BY value ASC");
-
-$subtypes = $db->query("SELECT
-value
-FROM custom_column_3
-ORDER BY value ASC");
+// Build social media URLs safely
+$socialUrl = '';
+switch ($searchtype) {
+    case 'keyword':
+        $socialUrl = $SiteURL . '/results.php?kw=' . urlencode($keywordsearch);
+        break;
+    case 'author':
+        $socialUrl = $SiteURL . '/results.php?au=' . urlencode($authorsearch);
+        break;
+    case 'type':
+        $socialUrl = $SiteURL . '/results.php?ty=' . urlencode($typesearch);
+        break;
+    case 'subtype':
+        $socialUrl = $SiteURL . '/results.php?st=' . urlencode($subtypesearch);
+        break;
+    case 'series':
+        $socialUrl = $SiteURL . '/results.php?se=' . urlencode($seriessearch);
+        break;
+    case 'subject':
+        $socialUrl = $SiteURL . '/results.php?su=' . urlencode($subjectsearch);
+        break;
+}
 
 ?>
 
-
 <!DOCTYPE html>
 <!--[if lt IE 7]>      <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
 <!--[if IE 7]>         <html class="no-js lt-ie9 lt-ie8"> <![endif]-->
@@ -144,9 +204,9 @@ ORDER BY value ASC");
 	<head>
 	<meta charset="utf-8">
 	<meta http-equiv="X-UA-Compatible" content="IE=edge">
-	<title>Infopump - Search results - <?php echo $searchtopic; ?></title>
+	<title>Infopump - Search results - <?php echo htmlspecialchars($searchtopic, ENT_QUOTES, 'UTF-8'); ?></title>
 	<meta name="viewport" content="width=device-width, initial-scale=1">
-	<meta name="description" content="Free HTML5 Template by FREEHTML5.CO" />
+	<meta name="description" content="Search results for <?php echo htmlspecialchars($searchtopic, ENT_QUOTES, 'UTF-8'); ?>" />
 	<meta name="keywords" content="free html5, free template, free bootstrap, html5, css3, mobile first, responsive" />
 	<meta name="author" content="FREEHTML5.CO" />
 
@@ -165,42 +225,14 @@ ORDER BY value ASC");
 	 -->
 
   	<!-- Facebook and Twitter integration -->
-	<meta property="og:title" content=<?php echo '"'.$SiteName.' - Search - '.$searchtopic.'" />';?>
-
-	<meta property="og:image" content=<?php echo '"'.$SiteURL.'/images/og-site-avatar.jpg" />';?>
-
-	<?php
-		if (!empty($keywordsearch)) {
-			echo '<meta property="og:url" content="'.$SiteURL.'/results.php?kw='.$socialkw.'" />';
-			echo '<meta name="twitter:url" content="'.$SiteURL.'/results.php?kw='.$socialkw.'" />';
-		} elseif (!empty($authorsearch)) {
-			echo '<meta property="og:url" content="'.$SiteURL.'/results.php?au='.$socialau.'" />';
-			echo '<meta name="twitter:url" content="'.$SiteURL.'/results.php?au='.$socialau.'" />';
-		} elseif (!empty($typesearch)) {
-			echo '<meta property="og:url" content="'.$SiteURL.'/results.php?ty='.$socialty.'" />';
-			echo '<meta name="twitter:url" content="'.$SiteURL.'/results.php?ty='.$socialty.'" />';
-		} elseif (!empty($seriessearch)) {
-			echo '<meta property="og:url" content="'.$SiteURL.'/results.php?ty='.$socialse.'" />';
-			echo '<meta name="twitter:url" content="'.$SiteURL.'/results.php?ty='.$socialse.'" />';
-		} elseif (!empty($subjectsearch)) {
-			echo '<meta property="og:url" content="'.$SiteURL.'/results.php?ty='.$socialsu.'" />';
-			echo '<meta name="twitter:url" content="'.$SiteURL.'/results.php?ty='.$socialsu.'" />';
-		} else {
-			echo '<meta property="og:url" content="'.$SiteURL.'/results.php?ty='.$socialst.'" />';
-			echo '<meta name="twitter:url" content="'.$SiteURL.'/results.php?ty='.$socialst.'" />';
-		}
-	?>
-
-	<meta property="og:site_name" content=<?php echo '"'.$SiteName.' - Search Results" />';?>
-
-	<meta property="og:description" content=<?php echo '"'.$SubName.'" />';?>
-
-	<meta name="twitter:title" content=<?php echo '"'.$SiteName.' - Search - '.$searchtopic.'" />';?>
-
-	<meta name="twitter:image" content=<?php echo '"'.$SiteURL.'/images/og-site-avatar.jpg" />';?>
-
-	
-
+	<meta property="og:title" content="<?php echo htmlspecialchars($SiteName . ' - Search - ' . $searchtopic, ENT_QUOTES, 'UTF-8'); ?>" />
+	<meta property="og:image" content="<?php echo htmlspecialchars($SiteURL, ENT_QUOTES, 'UTF-8'); ?>/images/og-site-avatar.jpg" />
+	<meta property="og:url" content="<?php echo htmlspecialchars($socialUrl, ENT_QUOTES, 'UTF-8'); ?>" />
+	<meta property="og:site_name" content="<?php echo htmlspecialchars($SiteName . ' - Search Results', ENT_QUOTES, 'UTF-8'); ?>" />
+	<meta property="og:description" content="<?php echo htmlspecialchars($SubName, ENT_QUOTES, 'UTF-8'); ?>" />
+	<meta name="twitter:title" content="<?php echo htmlspecialchars($SiteName . ' - Search - ' . $searchtopic, ENT_QUOTES, 'UTF-8'); ?>" />
+	<meta name="twitter:image" content="<?php echo htmlspecialchars($SiteURL, ENT_QUOTES, 'UTF-8'); ?>/images/og-site-avatar.jpg" />
+	<meta name="twitter:url" content="<?php echo htmlspecialchars($socialUrl, ENT_QUOTES, 'UTF-8'); ?>" />
 	<meta name="twitter:card" content="summary" />
 
 	<!-- Place favicon.ico and apple-touch-icon.png in the root directory -->
@@ -213,10 +245,8 @@ ORDER BY value ASC");
 	<link rel="stylesheet" href="css/icomoon.css">
 	<!-- Bootstrap  -->
 	<link rel="stylesheet" href="css/bootstrap.css">
-
 	<link rel="stylesheet" href="css/style.css">
 
-
 	<!-- Modernizr JS -->
 	<script src="js/modernizr-2.6.2.min.js"></script>
 	<!-- FOR IE9 below -->
@@ -253,12 +283,12 @@ ORDER BY value ASC");
 				<h3 class="heading">Recent Additions</h3>
 				<ul>
 				<?php
-				while ($row = $types->fetchArray()) {
-					$row_value = $row['value'];
-					$row_titlecase = mb_convert_case($row_value, MB_CASE_TITLE, "UTF-8");
-					echo '<li><a href="recent.php?ty='.$row_value.'">'.$row_titlecase.'</a></li>';
-					//echo '<li>'.$row_value.'</li>';
-					
+				if ($types) {
+					while ($row = $types->fetchArray(SQLITE3_ASSOC)) {
+						$row_value = htmlspecialchars($row['value'], ENT_QUOTES, 'UTF-8');
+						$row_titlecase = htmlspecialchars(mb_convert_case($row['value'], MB_CASE_TITLE, "UTF-8"), ENT_QUOTES, 'UTF-8');
+						echo '<li><a href="recent.php?ty=' . urlencode($row['value']) . '">' . $row_titlecase . '</a></li>';
+					}
 				}
 				?>
 				</ul>
@@ -267,7 +297,7 @@ ORDER BY value ASC");
 				<h3 class="heading">Search</h3>
 				<form action="results.php" method="get">
 					<div class="form-group">
-						<input type="text" class="form-control" name="kw" placeholder="Keyword search">
+						<input type="text" class="form-control" name="kw" placeholder="Keyword search" maxlength="100">
 					</div>
 				</form>
 			</div>
@@ -287,7 +317,7 @@ ORDER BY value ASC");
 					<li><a href="#"><i class="icon-instagram"></i></a></li>
 				</ul> -->
 				<div class="col-lg-12 col-md-12 text-center">
-					<h1 id="fh5co-logo"><a href="index.php">Search Results<br /><br /><?php echo $searchtopic; ?></a></h1>
+					<h1 id="fh5co-logo"><a href="index.php">Search Results<br /><br /><?php echo htmlspecialchars($searchtopic, ENT_QUOTES, 'UTF-8'); ?></a></h1>
 				</div>
 
 			</div>
@@ -303,55 +333,26 @@ ORDER BY value ASC");
 					<div class="row rp-b">
 						<div class="col-md-12 animate-box">
 							<?php
-							if ($keywordsearch != '') {
-							while ($row = $keywordquery->fetchArray()) {
-								$row_id = $row['id'];
-								$row_title = $row['title'];
-								$row_excerpt = $row['excerpt'];
-							
-								echo '<p style="padding:25px 0 35px 0;"><img style="float:left; max-height: 120px; padding: 10px 10px" src="images/'.$row_id.'.jpg"><strong><em><a href="itemrecord.php?itemid='.$row_id.'">'.$row_title.'</em></a> :</strong> '.strip_tags($row_excerpt).'...</p>';
+							if ($results) {
+								$hasResults = false;
+								while ($row = $results->fetchArray(SQLITE3_ASSOC)) {
+									$hasResults = true;
+									$row_id = (int)$row['id'];
+									$row_title = htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
+									$row_excerpt = htmlspecialchars(strip_tags($row['excerpt']), ENT_QUOTES, 'UTF-8');
+								
+									echo '<p style="padding:25px 0 35px 0;">';
+									echo '<img style="float:left; max-height: 120px; padding: 10px 10px" src="images/' . $row_id . '.jpg" alt="' . $row_title . '">';
+									echo '<strong><em><a href="itemrecord.php?itemid=' . $row_id . '">' . $row_title . '</a></em> :</strong> ';
+									echo $row_excerpt . '...</p>';
+								}
+								
+								if (!$hasResults) {
+									echo '<p>No results found for your search.</p>';
+								}
+							} else {
+								echo '<p>An error occurred while searching. Please try again.</p>';
 							}
-						} elseif ($typesearch != '') {
-							while ($row = $typequery->fetchArray()) {
-								$row_id = $row['id'];
-								$row_title = $row['title'];
-								$row_excerpt = $row['excerpt'];
-							
-								echo '<p style="padding:25px 0 35px 0;"><img style="float:left; max-height: 120px; padding: 10px 10px" src="images/'.$row_id.'.jpg"><strong><em><a href="itemrecord.php?itemid='.$row_id.'">'.$row_title.'</em></a> :</strong> '.strip_tags($row_excerpt).'...</p>';								
-						}
-						} elseif ($authorsearch != '') {
-							while ($row = $authorquery->fetchArray()) {
-								$row_id = $row['id'];
-								$row_title = $row['title'];
-								$row_excerpt = $row['excerpt'];
-							
-								echo '<p style="padding:25px 0 35px 0;"><img style="float:left; max-height: 120px; padding: 10px 10px" src="images/'.$row_id.'.jpg"><strong><em><a href="itemrecord.php?itemid='.$row_id.'">'.$row_title.'</em></a> :</strong> '.strip_tags($row_excerpt).'...</p>';
-							}
-						} elseif ($seriessearch != '') {
-							while ($row = $seriesquery->fetchArray()) {
-								$row_id = $row['id'];
-								$row_title = $row['title'];
-								$row_excerpt = $row['excerpt'];
-							
-								echo '<p style="padding:25px 0 35px 0;"><img style="float:left; max-height: 120px; padding: 10px 10px" src="images/'.$row_id.'.jpg"><strong><em><a href="itemrecord.php?itemid='.$row_id.'">'.$row_title.'</em></a> :</strong> '.strip_tags($row_excerpt).'...</p>';
-							}
-						} elseif ($subjectsearch != '') {
-							while ($row = $subjectquery->fetchArray()) {
-								$row_id = $row['id'];
-								$row_title = $row['title'];
-								$row_excerpt = $row['excerpt'];
-							
-								echo '<p style="padding:25px 0 35px 0;"><img style="float:left; max-height: 120px; padding: 10px 10px" src="images/'.$row_id.'.jpg"><strong><em><a href="itemrecord.php?itemid='.$row_id.'">'.$row_title.'</em></a> :</strong> '.strip_tags($row_excerpt).'...</p>';
-							}
-						} else {
-							while ($row = $subtypequery->fetchArray()) {
-								$row_id = $row['id'];
-								$row_title = $row['title'];
-								$row_excerpt = $row['excerpt'];
-
-								echo '<p style="padding:25px 0 35px 0;"><img style="float:left; max-height: 120px; padding: 10px 10px" src="images/'.$row_id.'.jpg"><strong><em><a href="itemrecord.php?itemid='.$row_id.'">'.$row_title.'</em></a> :</strong> '.strip_tags($row_excerpt).'...</p>';
-							}
-						}	
 							?>
 						</div>
 					</div>
@@ -379,3 +380,7 @@ ORDER BY value ASC");
 	</body>
 </html>
 
+<?php
+// Close database connection
+$db->close();
+?>
\ No newline at end of file