<?php
include "db.php";

$var = @$_POST['find'];

// Check for an empty string and display a message.
if ($var == "") {
    echo "<p>Please input a valid 6-digit ID number</p>";
    exit;
} else {
    $searchMember = "SELECT * FROM $tablename WHERE id='$var'";

    $numresults = mysql_query($searchMember);
    $numrows = mysql_num_rows($numresults);

    if ($numrows == 1) {
        echo $searchMember['displayname'];
    } else if ($numrows == 0) {
        echo "<p>Sorry, we couldn't find anything that matches your input. Try again?</p>";
    }
}
?>

I've included the information to connect to the database in db.php. And here's what the form looks like:

<body>
<?php 
include "db.php";
include "searchSystem.php"; 
?>
<form name="search" method="post" action="searchSystem.php">
    Input a 6-digit ID number: <input type="text" name="find" />

    <input type="submit" name="search" value="Search" />
</form>

So there's a column in my table which holds the 6-digit IDs of users. We want to let them search for their friends' ID numbers and look at their profiles.


So this is what I have just written:

<?php
include "db.php";

$var = isset($_POST['find']) ? $_POST['find'] : '';

// Check for an empty string and display a message.
if ($var == "") {
    echo "<p>Please input a valid 6-digit ID number</p>";
    exit;
} else {
    $searchMember = $db->query("SELECT * FROM $tablename WHERE id='$var'");
    $row_count = $searchMember->rowCount();
    $result = $searchMember->fetchAll(PDO::FETCH_ASSOC);

    if ($row_count == 1) {
        echo $result['displayName'] . ' ' . $result['id'];
    } else if ($row_count == 0) {
        echo "<p>Sorry</p>";
    }
}
?>

Still doesn't work :(

tshepang
Vowel Chu

  • What do you mean by 'it didn't work'? – MysticXG Mar 11 '13 at 19:51
  • You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Mar 11 '13 at 19:52
  • When you run the code, what response do you get? – Chibuzo Mar 11 '13 at 19:52
  • @MysticXG It didn't work, because even when I entered a 6-digit number that is already in our database it still responded "Sorry, we couldn't find...." – Vowel Chu Mar 11 '13 at 20:20
  • @Chibuzo I tried entering a wrong 6-digit number; it led me to "Sorry, We couldn't find..." When I tried pressing the search button without entering anything, it led me to "Please enter a valid 6-digit ID number". But when I entered a valid 6-digit ID that is already in my database, it still led me to "Sorry We couldn't find any..." – Vowel Chu Mar 11 '13 at 20:24
  • @Quentin That's the major problem, isn't it? – Vowel Chu Mar 11 '13 at 20:24
  • @VowelChu It looks like your query isn't returning any matches. – MysticXG Mar 11 '13 at 20:26

2 Answers

You have two obvious problems:

  • $tablename is never defined
  • $searchMember is a string not an associative array so $searchMember['displayname'] makes no sense
Quentin

  • $tablename has already been defined in db.php; would that work? How can I have a certain column like displayName be output then? – Vowel Chu Mar 11 '13 at 20:09
  • Step 1. Throw out the `mysql_*` code. Step 2. Read an introductory PDO tutorial. That will tell you how to use the data returned from a query. – Quentin Mar 11 '13 at 20:13
  • Thank you! Will do it and come back if I've encountered any obstacles. – Vowel Chu Mar 11 '13 at 20:25
  • I've changed something. Would you mind taking a look at it? – Vowel Chu Mar 11 '13 at 22:25

There are a lot of things wrong here though if any of them are your actual problem I can't say:

$var = @$_POST['find'];

Don't suppress errors, instead test for the proper input:

$var = isset($_POST['find']) ? $_POST['find'] : '';

This is highly vulnerable to SQL injection:

$searchMember = "SELECT * FROM $tablename WHERE id='$var'";

Instead escape the variable properly:

$searchMember = sprintf("SELECT * FROM $tablename WHERE id='%s'", mysql_real_escape_string($var));

Furthermore, $tablename is never defined unless it's in the file you're including.

$searchMember is not an array. I think you mean to reference a result from the query but to do that you need to do:

// Fetch one row from the result resource returned by mysql_query(), not from the row count.
$memberResult = mysql_fetch_assoc($numresults);
echo $memberResult['displayname'];

And lastly you shouldn't be using mysql_* you should use PDO or Mysqli.

Peter Badida
prodigitalson

  • I will go ahead and read a PDO tutorial first and let you know after I fix it :) Thank you for the patience though! – Vowel Chu Mar 11 '13 at 20:26
  • I've changed something. Mind checking it for me? I am still stuck here. – Vowel Chu Mar 11 '13 at 22:26
  • `PDOStatement::fetchAll` will give you an array of rows, so in order to access a given row you need to do `$result[0]['displayname']` where `0` is the index of the row you want. – prodigitalson Mar 11 '13 at 22:59
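As an added example that is not part of the original thread or of either answer: the search from the question rewritten with PDO prepared statements, following the advice both answers give (validate the input instead of suppressing errors, keep user input out of the SQL string, fetch a single row rather than treating the statement or the `fetchAll()` array as the row). It assumes a `members` table with `id` and `displayName` columns; the in-memory SQLite database, the `connect`, `findMember` and `handleSearch` functions, and the sample rows are all constructed for this example so it runs without the MySQL connection from db.php.

```php
<?php
// Added example (not from the original post): the OP's search rewritten
// with PDO prepared statements. Assumes a `members` table with columns
// `id` and `displayName`; the in-memory SQLite database below is constructed
// so the script runs stand-alone without MySQL or db.php.

declare(strict_types=1);

// The table name is not user input and cannot be a bound parameter, so it
// is a constant here instead of a variable interpolated into the SQL string.
const MEMBERS_TABLE = 'members';

function connect(): PDO
{
    // Constructed in-memory database; in production use the MySQL DSN from db.php.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE ' . MEMBERS_TABLE . ' (id TEXT PRIMARY KEY, displayName TEXT NOT NULL)');
    $seed = $db->prepare('INSERT INTO ' . MEMBERS_TABLE . ' (id, displayName) VALUES (?, ?)');
    $seed->execute(['123456', 'Alice']);   // constructed sample rows
    $seed->execute(['654321', 'Bob']);
    return $db;
}

/**
 * Look up a member by 6-digit ID. Returns the row, or null when not found.
 * Throws InvalidArgumentException when the input is not exactly six digits.
 */
function findMember(PDO $db, string $find): ?array
{
    // Validate the shape first: anything other than six ASCII digits is
    // rejected before it ever reaches the database.
    if (preg_match('/^[0-9]{6}$/', $find) !== 1) {
        throw new InvalidArgumentException('ID must be exactly 6 digits');
    }

    // Parameterised query: the value travels separately from the SQL text,
    // so quotes or SQL keywords inside $find are treated as plain data.
    $stmt = $db->prepare('SELECT id, displayName FROM ' . MEMBERS_TABLE . ' WHERE id = :id');
    $stmt->bindValue(':id', $find, PDO::PARAM_STR);
    $stmt->execute();

    // fetch() returns one row (or false). This avoids fetchAll()[0] and
    // avoids relying on rowCount(), which is not guaranteed for SELECTs.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Request handling equivalent to the OP's searchSystem.php; $post stands in
// for $_POST so the function can be exercised without a web server.
function handleSearch(PDO $db, array $post): string
{
    $find = isset($post['find']) ? trim((string) $post['find']) : '';
    if ($find === '') {
        return '<p>Please input a valid 6-digit ID number</p>';
    }
    try {
        $row = findMember($db, $find);
    } catch (InvalidArgumentException $e) {
        return '<p>Please input a valid 6-digit ID number</p>';
    }
    if ($row === null) {
        return "<p>Sorry, we couldn't find anything that matches your input. Try again?</p>";
    }
    // Encode before echoing into HTML so a display name cannot inject markup.
    return '<p>' . htmlspecialchars($row['displayName'], ENT_QUOTES, 'UTF-8')
         . ' ' . htmlspecialchars($row['id'], ENT_QUOTES, 'UTF-8') . '</p>';
}

$db = connect();
echo handleSearch($db, ['find' => '123456']), PHP_EOL;  // valid ID that exists
echo handleSearch($db, ['find' => '000000']), PHP_EOL;  // valid shape, no such member
echo handleSearch($db, ['find' => '12345x']), PHP_EOL;  // wrong shape, rejected before the query
echo handleSearch($db, []), PHP_EOL;                    // form submitted empty
```

Two points worth noting against the thread's code: `rowCount()` is documented as not reliable for `SELECT` statements across PDO drivers, so the example decides "found / not found" from what `fetch()` returns instead; and because a table name cannot be bound as a parameter, `$tablename` must come from a constant or a fixed whitelist in db.php rather than from anything a user can influence.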