Search & Update MySQL With Form

Question

I wonder whether someone can help me please.

I'm trying to put together a form that I can use to search for member details from a mySQL database, retrieve the results so that they appear in pre-determined text boxes on the same form and make updates to send back to the database.

The code I'm using is as follows:

PHP

<?php 
require("phpfile.php"); 

// Opens a connection to a MySQL server 

$connection=mysql_connect ("hostname", $username, $password); 
if (!$connection) { die('Not connected : ' . mysql_error());} 

// Set the active MySQL database 

$db_selected = mysql_select_db($database, $connection); 
if (!$db_selected) { 
die ('Can\'t use db : ' . mysql_error()); 
} 

$email = $_POST['email']; 
$sql = mysql_query("SELECT * FROM userdetails WHERE emailaddress like '%$emailaddress%'"); 

while($row = mysql_fetch_array($sql)) 
{ 
echo $row['forename']; 
echo $row['surname']; 
echo "<br />"; 
} 
?> 

HTML FORM

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>
<body>
<form action="search.php" method="post">      
  <p>Search: 
    <input name="emailaddress" type="text" id="emailaddress" />
    <br />     
    <input type="submit" name="submit" value="Submit" />     
</p>
  <p>
    <label>
    <input name="forename" type="text" id="forename" value="<?php echo $forename; ?>"  />
    </label>
  </p>
  <p>
    <input name="surname" type="text" id="surname" value="<?php echo $surname; ?>" />
  </p>
  <p>&nbsp;  </p>
</form> 
</body>
</html>

I'm using the email address to search for the desired record, but the problem I'm having is that all of the records are retrieved rather than the one I have entered the details for, and the results don't appear in the forename and surname fields on the form.

Could someone perhaps please show me what I'm doing wrong

Kind regards

Answer 1

... but if you press submit button to update white email it should look like this:

if(isset($_REQUEST['submit'])) {
$fname = mysql_real_escape_string($_POST['forename']);
$sname = mysql_real_escape_string($_POST['surname']);
$emai= mysql_real_escape_string($_POST['email']);
mysql_query(UPDATE `table` SET `forename` = $fname, `surname` = $sname, `email`=$email WHERE id = `id`);
}

Answer 2

1. You should escape the POST input before using it. If you're using MySQL, you may use the mysql_real_escape_string() function:

   $emailaddress = mysql_real_escape_string($_POST['email'])
   

2. You may populate the form with the retrieved values setting the value parameter in each form input. For security reasons, make sure the output will convert HTML entities:

   <input name="surname" type="text" id="surname" value="<?php echo isset($surname) ? htmlentities($surname) : null; ?>" />
   

You may read the above line as: is $surname set? If so, apply htmlentities and output. Otherwise, return null.

Answer 3

You've called the variable "$email" not "$emailaddress". Change your query to be:

SELECT * FROM userdetails WHERE emailaddress like '%$email%'

Previously, your query was searching for an email address like "%%" - which will find every email address.

On another note, you must look into SQL injection. It's one of the most common security risks affecting web applications, yet is very easy to protect against. I won't explain in detail but, for the moment, replace your line:

$email = $_POST['email'];

With:

$email = mysql_real_escape_string($_POST['email']);

Here's more information about SQL injection: http://php.net/manual/en/security.database.sql-injection.php