Steven

Reputation: 697

Trying to convert form search into PDO query

This was my prior code, which a SO user said was prone to injection, so I decided to try to convert it to use PDO.

if(isset($_POST['q'])) {

$q = $_POST['q'];

$select = $db->query("SELECT * FROM customers WHERE name LIKE '%$q%' OR email LIKE '%$q%' ORDER BY ID DESC");
<form method="post">
<input type="text" name="q" /> <input type="submit" name="search" />
</form>

This is the code I tried to insert:

include 'database.php';
   $pdo = Database::connect();
   $q = $_POST['q'];
   $sql = 'SELECT * FROM customers WHERE name LIKE '%$q%' OR email LIKE '%$q%' ORDER BY ID DESC';
   if(isset($_POST['q'])) {

   foreach ($pdo->query($sql) as $row) {
            echo '<tr>';
            echo '<td>'. $row['name'] . '</td>';
            echo '<td>'. $row['email'] . '</td>';
            echo '<td>'. $row['mobile'] . '</td>';
            echo '<td width=250>';
            echo '<a class="btn" href="read.php?id='.$row['id'].'">Read</a>';
            echo '&nbsp;';
            echo '<a class="btn btn-success" href="update.php?id='.$row['id'].'">Update</a>';
            echo '&nbsp;';
            echo '<a class="btn btn-danger" href="delete.php?id='.$row['id'].'">Delete</a>';
            echo '</td>';
            echo '</tr>';
            }
   }
   Database::disconnect();
  ?>

The error I get is: Notice: Undefined index: q Warning: Division by zero

Any ideas as to why this is happening?

Upvotes: 0

Views: 77

Answers (3)

Styphon

Reputation: 10447

You're getting an error because q does not exist; you've not posted it to the page. You should try something like this:

$pdo = Database::connect();
$q = filter_input(INPUT_POST, 'q', FILTER_SANITIZE_STRING);
if ($q)
{
    // Two distinct placeholders: the same named marker can only be reused
    // when emulated prepares are on, not with native prepared statements.
    $query = "SELECT * FROM customers WHERE name LIKE :name OR email LIKE :email ORDER BY ID DESC";
    $sth = $pdo->prepare($query);
    // bindValue, not bindParam: bindParam binds by reference, so passing an
    // expression such as "%{$q}%" to it is a fatal error.
    $sth->bindValue(':name', "%{$q}%", PDO::PARAM_STR);
    $sth->bindValue(':email', "%{$q}%", PDO::PARAM_STR);
    $sth->execute();
}

Upvotes: 2
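As an added example (not code from the question or any answer), here is the search from the question written as a prepared statement and run against a constructed in-memory SQLite table so it executes stand-alone; the table and column names follow the question, and the sample rows and inputs are made up. It also escapes LIKE wildcards in the user's term and escapes the values on output.

```php
<?php
// Added example, not code from the question or any answer: the same search as a
// prepared statement, run against a constructed in-memory SQLite table so it
// executes stand-alone. Table and column names follow the question.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT, mobile TEXT)');
$pdo->exec("INSERT INTO customers (name, email, mobile) VALUES
    ('Alice Example', 'alice@example.test', '555-0100'),
    ('Bob O''Brien',  'bob@example.test',   '555-0101'),
    ('Carol 100%',    'carol@example.test', '555-0102')");

function searchCustomers(PDO $pdo, string $q): array
{
    // Escape LIKE metacharacters so a user-typed % or _ matches literally.
    $pattern = '%' . addcslashes($q, '%_\\') . '%';
    // Two distinct placeholders: reusing :q twice only works with emulated
    // prepares (MySQL's default) and fails once PDO::ATTR_EMULATE_PREPARES is off.
    $sql = "SELECT * FROM customers
            WHERE name LIKE :name ESCAPE '\\' OR email LIKE :email ESCAPE '\\'
            ORDER BY id DESC";
    $sth = $pdo->prepare($sql);
    // bindValue, not bindParam: bindParam binds by reference, so an expression
    // such as "%{$q}%" cannot be passed to it.
    $sth->bindValue(':name', $pattern, PDO::PARAM_STR);
    $sth->bindValue(':email', $pattern, PDO::PARAM_STR);
    $sth->execute();
    return $sth->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs standing in for $_POST['q'] (check isset() on the real
// request first; that is what avoids the "Undefined index: q" notice).
$inputs = ["o'", "100%", "' OR 1=1 --", "zzz"];
foreach ($inputs as $q) {
    $rows = searchCustomers($pdo, $q);
    echo 'q=' . json_encode($q) . ' -> ' . count($rows) . " row(s)\n";
    foreach ($rows as $row) {
        // Escape on output too: names and emails are data, not trusted HTML.
        echo '  <tr><td>' . htmlspecialchars($row['name'], ENT_QUOTES)
           . '</td><td>' . htmlspecialchars($row['email'], ENT_QUOTES) . "</td></tr>\n";
    }
}
```

The quote and wildcard inputs are matched as literal text and the injection-shaped input returns no rows, because the term is bound as data rather than spliced into the SQL.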

Narendrasingh Sisodia

Reputation: 21422

Replace your query with this

$sql = "SELECT * FROM customers WHERE name LIKE '%$q%' OR email LIKE '%$q%' ORDER BY ID DESC";

And you can use your code by changing your condition to

if(isset($q)){
     // your code
}

Upvotes: 1

user4790427


The error I get is : Notice: Undefined index: q Warning: Division by zero

That means $_POST['q'] is not defined; your code should be

<?php
if (isset($_POST['q'])) {
    $pdo = Database::connect();
    $q = $_POST['q'];
    // Double quotes so $q is interpolated; with single quotes the "%$q%" parts
    // sat outside the string and were parsed as modulo, hence "Division by zero".
    // This still splices user input into the SQL; a prepared statement is the safe form.
    $sql = "SELECT * FROM customers WHERE name LIKE '%$q%' OR email LIKE '%$q%' ORDER BY ID DESC";

    foreach ($pdo->query($sql) as $row) {
        echo '<tr>';
        echo '<td>' . $row['name'] . '</td>';
        echo '<td>' . $row['email'] . '</td>';
        echo '<td>' . $row['mobile'] . '</td>';
        echo '<td width=250>';
        echo '<a class="btn" href="read.php?id=' . $row['id'] . '">Read</a>';
        echo '&nbsp;';
        echo '<a class="btn btn-success" href="update.php?id=' . $row['id'] . '">Update</a>';
        echo '&nbsp;';
        echo '<a class="btn btn-danger" href="delete.php?id=' . $row['id'] . '">Delete</a>';
        echo '</td>';
        echo '</tr>';
    }
    Database::disconnect();
}
?>

And don't forget to add the HTML form

Upvotes: 1
