PHP - Search database and return results on the same page

Question

Many thanks in advance for your time.

I am in the process of creating a CRM for my business. It will be pretty basic, but include some key features my industry specifically needs in a CRM and that does not seem to exist anywhere already, but I digress.

I am currently working on a Search function in the web app that searches for clients and returns the results in a dropdown menu right below the search form. When a client is selected in that list, the user is redirected to a page that displays all of the info related to that client.

My question is related to this search function. I currently have the search returning the results as an ECHO within the dropdown and it just looks horribly messy. The PHP ends up buried in the html form. There must be an easier and neater way to get the results to return as a list.

SIDE NOTE: the returned search results don't even have to be in a dropdown, I've just come to this solution over time, because it allowed me to pass the selected user on to the next PHP code on the next page fairly easily with the hidden form field for the ID.

Here is what I have going on so far. Can someone help me clean this up?

<!DOCTYPE html>
<html>
<head>
<title>Client Search Results</title>
<link rel="stylesheet" href="styles.css">
</head>

<body>

<div class="container">      
<form id="contact" action="" method="get">

<fieldset>
<h4>Search For Client</h4>
<input name="term" placeholder="Enter Name Here" type="text">
</fieldset>

<fieldset>
<button type="submit">Search</button>
</fieldset>

</form>
</div>

<div class='container'>    
<form id='contact' action='edit.php' method='post'>

<fieldset>
<h4>Search Results</h4>
<select size="5" style="width:100%" name='id' >

<?php
// Database Connection String
include("../../comm/comm.php");
$con = mysql_connect($DB_HOST,$DB_USER,$DB_PASS);
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
mysql_select_db($DB_NAME, $con);

//Retrieve The Searched Term and Display The Results
if (!empty($_GET['term'])) {
$term = mysql_real_escape_string($_GET['term']);     
$sql = "SELECT * FROM client WHERE firstname LIKE '%".$term."%'"; 
$r_query = mysql_query($sql); 
while ($row = mysql_fetch_array($r_query)) { 

echo "<option";
echo " value='";
echo "".$row['client_id'];
echo"'>";
echo "".$row['firstname'];
echo " ".$row['lastname'];
echo " - ".$row['city'];
echo " ,".$row['state'];
echo "</option>";

}}
?>

</select>
</fieldset>

<fieldset>
<button type='submit' name='submit'>View Selection</button>
</fieldset>

</form>
<div>

</body>
</html>

Answer 1

...
$r_query = mysql_query($sql); 
while ($row = mysql_fetch_array($r_query)) { ?>

    <option value='<?= $row['client_id'];?>'>
         <?= $row['firstname'] . " " . $row['lastname']; ?> - 
         <?= $row['city'] . ", " . $row['state']; ?>
    </option>

<?php  }}  ?>

Or some variation of that. Point is, your PHP doesn't have to be a continuous block, you can close your PHP tag at any time, resume using regular HTML, and then open a new PHP tag and continue in your loop.

Also, in the above example, <?= is shorthand for <?php echo.

Also, in your example, you're using mysql_ functions, which have been deprecated in later versions of PHP5 and removed in PHP7. Best to study up on mysqli_ or PDO (which you can also use with MySQL databases).

Lastly, once you start using either of those, look into prepared statements, which will make your code function better/avoid SQL injections.

Answer 2

Your option could just be written as follows:

echo '<option value="$row[client_id]">$row[firstname] $row[lastname] - $row[city], $row[state]</option>';

Also, note that mysql_ functions has been deprecated and used in the wrong way can be very dangerous, leaving your website vulnerable.

Use prepared statements using mysqli or PDO.