Michael

Reputation: 3

How to display MYSQL data into PHP search box

Hello, I am having massive problems with this task for my assignment.

I have a database set up on XAMPP called search_test which has firstname and lastname as fields in it. I have set up a PHP form so that when the user types in a name, say Andre, it returns all the Andres in the database. There is a problem: it keeps telling me there are no search results even though I know there is data in the database. Here is the code, supposed to be one PHP page called index.php:

    <?php
    mysql_connect("localhost","michael","xcA123sd") or die(mysql_error());
    mysql_select_db("search_test") or die ("could not find db");
    $output ='';
    if (isset ($_POST['search'])) {
        $searchq = $_POST['search'];
        $query = mysql_query("SELECT * FROM members WHERE firstname LIKE '%searchq%'" ) or die("could not search");
        $count = mysql_num_rows($query);
        if($count == 0){
            $output = 'There was no search results !';
        }else{
            while($row = mysql_fetch_array($query)){
                $fname = $row['firstname'];
                $output .='<div> '.$fname.'</div>';
            }
        }
    }
    ?>

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>search</title>
    </head>
    <body>
    <form action="index.php" method="post">
    <input type="text" name="search" placeholder="search for members"/>
    <input type="submit" value=">>"/>
    </form>
    <?php print("$output");?>
    </body>
    </html>

For example, I type andre in and I get the response:

There was no search results !

Could someone please help?

Upvotes: 0

Views: 14304

Answers (5)

Caleb Lewis

Reputation: 543

For your select statement, you have:

    $query = mysql_query("SELECT * FROM members WHERE firstname LIKE '%searchq%'" ) or die("could not search");

It should be:

    $query = mysql_query("SELECT * FROM members WHERE firstname LIKE '%".$searchq."%'" ) or die("could not search");

Because you're searching for the content inside the variable called searchq, not actually the string searchq :)

Upvotes: 0

user1634845

Reputation:

Try this:

    <?php
    mysql_connect("localhost","michael","xcA123sd") or die(mysql_error());
    mysql_select_db("search_test") or die ("could not find db");
    $output ='';
    if (isset($_GET['search'])){
        $searchq = $_GET['search'];
        $query = mysql_query("SELECT * FROM members WHERE firstname LIKE '%$searchq%'" ) or die("could not search");
        $count = mysql_num_rows($query);
        if($count == 0){
            $output = 'There was no search results !';
        }else{
            while($row = mysql_fetch_array($query)){
                $fname = $row['firstname'];
                $output .='<div> '.$fname.'</div>';
            }
        }
    }
    ?>

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>search</title>
    </head>
    <body>
    <form action="index.php" method="get">
    <input type="text" name="search" placeholder="search for members"/>
    <input type="submit" value=">>"/>
    </form>
    <?php print("$output");?>
    </body>
    </html>

Upvotes: 0

Eugen Rieck

Reputation: 65274

First of all: You want

    $query = mysql_query("SELECT * FROM members WHERE firstname LIKE '%searchq%'" ) or die("could not search");

to be

    $query = mysql_query("SELECT * FROM members WHERE firstname LIKE '%$searchq%'" ) or die("could not search");

(mind the additional $).

That said, you have a big SQL injection problem: Assume I run the query "normally" once: This gives me an idea of the columns. Now I post ' UNION ALL SELECT correct_field_num FROM information_schema.TABLES WHERE NAME LIKE '% as my search - this gives me your table structure. With posting ' UNION ALL SELECT correct_column_num FROM any_table_name WHERE 'x' LIKE '% I can read an arbitrary table.

Make sure you use one of the well-understood techniques to construct a safe query from any user input. There is a spectrum from the deprecated mysql_real_escape_string() up to parameterized queries.

Upvotes: 2
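
A parameterized version of the search from the question, as an added example that is not part of the original answers. It assumes PDO with an in-memory SQLite database standing in for MySQL so it runs without a server; the helper names search_members and render_results, the secrets table and all rows are constructed for illustration.

```php
<?php
// Added example (not from the thread). In-memory SQLite stands in for the
// MySQL database so the script runs offline; tables and rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE members (firstname TEXT, lastname TEXT)");
$pdo->exec("CREATE TABLE secrets (value TEXT)");
$pdo->exec("INSERT INTO members VALUES ('Andre','Smith'), ('Andrea','Jones'), ('<b>Andres</b>','Lee')");
$pdo->exec("INSERT INTO secrets VALUES ('not for search results')");

// Hypothetical helper: return the first names that contain $term.
function search_members(PDO $pdo, string $term): array
{
    // Escape LIKE metacharacters so a typed % or _ matches literally.
    // '!' must be replaced first, because it is the escape character itself.
    $pattern = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term) . '%';
    // The placeholder keeps the input out of the SQL text entirely.
    $stmt = $pdo->prepare("SELECT firstname FROM members WHERE firstname LIKE ? ESCAPE '!'");
    $stmt->execute([$pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Hypothetical helper: build the result markup, HTML-encoding each stored value.
function render_results(array $names): string
{
    if (!$names) {
        return 'There was no search results !';
    }
    $out = '';
    foreach ($names as $name) {
        $out .= '<div>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</div>';
    }
    return $out;
}

$inputs = [
    'andre',                                                  // ordinary search
    "' UNION ALL SELECT value FROM secrets WHERE 'x' LIKE '", // shape from the answer above
    '%',                                                      // bare wildcard
];
foreach ($inputs as $input) {
    echo htmlspecialchars($input), ' => ', render_results(search_members($pdo, $input)), "\n";
}
```

Only the first input returns rows; the UNION-shaped string and the bare % are matched as literal text against firstname and find nothing.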

Tiamiyu waliu

Reputation: 21

The problem comes from this line of your code:

    $query = mysql_query("SELECT * FROM members WHERE firstname LIKE '%searchq%'" )

The variable searchq does not have $ at the back.

Upvotes: 2

Ivan Yonkov

Reputation: 7034

    LIKE '%searchq%'"

It searches for a string like 'searchq'. If you need it to be the variable, add the respective dollar sign.

Upvotes: 1
