Nick

Reputation: 1

Creating a search database form with PHP

I'm trying to make a search for my website using PHP, but every time I search for something it shows me "No results found!"

<form action="search" method="post">
  <input type="text" name="search">
  <input type="submit" value="Search">
</form>

<?php
if (isset($_POST['search'])) {

    $searchq = $_POST['search'];
    $searchq = preg_replace("#[^0-9a-z]#i", "", $searchq);

    $videosHTML = "";

    $searchquery = mysqli_query("SELECT id, Name, Link, Time, Type FROM Videos WHERE Name LIKE '%$searchq%'");
    $count = mysqli_num_rows($searchquery);
    if ($count == 0) {
        $videosHTML = "No results found!";
    } else {
        while ($row = mysqli_fetch_array($searchquery)) {
            $id   = $row['id'];
            $Name = $row['Name'];
            $Link = $row['Link'];
            $Time = $row['Time'];
            $Type = $row['Type'];

            $videosHTML = '<a href="video?id=' . $id . '"><div class="thumbnail" style="background-image: ' . "url('thumbnails/" . $id . ".png');" . '"><p class="title">' . $Name . '</p><p class="time">' . $Time . '</p></div></a>' . $videosHTML;
        }
    }
}
?>

It also shows me a parse error on the line of $searchquery and also on the next line $count.

I'm thinking that it's not finding anything in the $count and that's why it might show No results found.

Upvotes: 0

Views: 97

Answers (1)

Professor Abronsius

Reputation: 33813

In light of the (perfectly valid) comment made, the original code has been completely edited in accordance with better practices. Whenever taking user input for inclusion in any SQL command you must treat that as potentially damaging and use functions built into PHP to help mitigate SQL injection.

Within PHP and MySQLi you have easy access to Prepared Statements, which should be used in preference to embedding user-supplied data directly within the SQL command. Using mysqli_escape_string or mysqli_real_escape_string is not sufficient to completely protect against SQL injection and should likely be ignored, as it can potentially change the legitimate content (i.e. complex passwords) and render it useless.

<?php

    // $dbconn is assumed to be an already-opened mysqli connection.
    if( $_SERVER['REQUEST_METHOD']=='POST' && isset( $_POST['search'] ) ){

        // FILTER_SANITIZE_ENCODED URL-encodes the phrase (a space becomes %20),
        // so the bound value is the encoded form of what the user typed.
        $phrase=filter_input( INPUT_POST, 'search', FILTER_SANITIZE_ENCODED );
        $search='%' . $phrase . '%';

        // The user phrase is bound as a parameter, never concatenated into the SQL.
        $sql='select `id`,`name`,`link`,`time`,`type` from `videos` where `name` like ?';
        $stmt=$dbconn->prepare( $sql );
        $stmt->bind_param('s', $search );
        $stmt->execute();
        $stmt->bind_result( $id, $name, $link, $time, $type );

        // Values coming back from the database are HTML-escaped before output.
        while( $stmt->fetch() )printf('
            <a href="video?id=%1$s">
                <div class="thumbnail" style="background-image: url( thumbnails/%1$s.png )">
                    <p class="title">%2$s</p>
                    <p class="time">%3$s</p>
                    <p class="type">%4$s</p>
                </div>
            </a>', (int)$id, htmlspecialchars( $name ), htmlspecialchars( $time ), htmlspecialchars( $type ) );

        $stmt->free_result();
        $stmt->close();
        $dbconn->close();
    }

?>

Upvotes: 1
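The same prepared-statement approach, as an added example that is not part of the answer, also escaping the LIKE wildcards `%` and `_` in the user's phrase (so a search for "%" does not match every row) and HTML-escaping values before they are echoed. It assumes `$dbconn` is an open `mysqli` connection to the `videos` table used in the answer; `search_videos` and `render_video` are names chosen here.

```php
<?php
// Assumption: $dbconn is an already-opened mysqli connection (as in the answer).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of silently returning false

/**
 * Search `videos` by name. The phrase is bound as a parameter, and any
 * `%`, `_` or `!` inside it is escaped so it matches literally; `!` is
 * declared as the escape character in the LIKE clause.
 */
function search_videos(mysqli $db, string $phrase): array
{
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $phrase);
    $pattern = '%' . $escaped . '%';

    $stmt = $db->prepare("SELECT `id`, `name`, `time`, `type` FROM `videos` WHERE `name` LIKE ? ESCAPE '!'");
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $stmt->bind_result($id, $name, $time, $type);

    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['id' => $id, 'name' => $name, 'time' => $time, 'type' => $type];
    }
    $stmt->close();
    return $rows;
}

/** Render one row, HTML-escaping every value so stored names cannot inject markup. */
function render_video(array $row): string
{
    $h = fn($v): string => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8');
    return sprintf(
        '<a href="video?id=%1$s"><div class="thumbnail" style="background-image: url(thumbnails/%1$s.png)">'
        . '<p class="title">%2$s</p><p class="time">%3$s</p><p class="type">%4$s</p></div></a>',
        $h($row['id']), $h($row['name']), $h($row['time']), $h($row['type'])
    );
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['search'])) {
    $rows = search_videos($dbconn, (string) $_POST['search']);
    if ($rows === []) {
        echo 'No results found!';
    } else {
        foreach ($rows as $row) {
            echo render_video($row);
        }
    }
}
```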
