CODEWITHSUNDEEP
phppostmysqli
LiggyRide
LiggyRide

Reputation: 71

mysqli_query fetches empty result

On my site, I have 4 radio selectors to add a filter to my search script. If a filter is selected, it should run the search script on only the column which the filter is set to, otherwise if the filter is set to all or not set, it should search all columns. However, when I set my filter to search only one column (the all option works), the query returns an empty result. I have tested the query and it works fine. I have posted the code for the whole script, however the code block in question is marked with comments. The $filter and $search variables both come through correctly. I have tested this from within the script.

<?php

include ('connect.php');

if(isset($_POST['search'])) {
    $search = $_POST['search'];

    if(isset($_POST['filter'])) {
        $filter = $_POST['filter'];

        if($_POST['filter'] == "all") {
            echo "Searching all";
            $query = mysqli_query($con, "SELECT DISTINCT model, image, brand, id FROM cranes WHERE (model LIKE '%$search%' OR brand LIKE '%$search%' OR type LIKE '%$search%')");
        }
        else {

            //Code block in question starts

            echo "Searching filtered selection only";
            $query = mysqli_query($con, "SELECT DISTINCT model, image, brand, id FROM cranes WHERE '$filter' LIKE '%$search%'") or die(mysqli_error($con));

            //Code block in question ends
        }
    }
    else {
        echo "Searching all";
        $query = mysqli_query($con, "SELECT DISTINCT model, image, brand, id FROM cranes WHERE (model LIKE '%$search%' OR brand LIKE '%$search%' OR type LIKE '%$search%')");
    }
}
else {
    $query = mysqli_query($con, "SELECT DISTINCT model, image, brand, id FROM cranes");
}

while ($row = mysqli_fetch_array($query)) { 
    echo "<div class='crane'><a href='#!edit' id='" . $row['id'] . "'><img src='images/" . $row['image'] . "' /><p class='craneName'>" . $row['brand'] . ' ' . $row['model'] . "</p></a></div>";
}

?>

Upvotes: 0

Views: 129

Answers (1)

C3roe
C3roe

Reputation: 96325

$query = mysqli_query($con, "SELECT DISTINCT model, image, brand, id FROM cranes
  WHERE '$filter' LIKE '%$search%'") or die(mysqli_error($con));

You’ve put the column name you are passing in $filter in single quotes here, which makes it a mere text literal instead of a column name.

So remove the single quotes … and after that, go read up on SQL injection, but quickly.

Upvotes: 1

Related Questions