1

I want to put a search box so that when you type in a persons name it selects that persons details from the database.

This is my search box:

<html>
<body>

<form action="users.php" method="GET">
<input id="search" type="text" placeholder="Type here">
<input id="submit" type="submit" value="Search">
</form>
</body>
</html>

Then here is my PHP to return the users:

<?php 

$connection = mysql_connect("localhost","root","");

mysql_select_db("blog1")or die(mysql_error());


$result = mysql_query("SELECT username FROM member");
 while ($row = mysql_fetch_assoc($result)) {
echo "<div id='link' onClick='addText(\"".$row['username']."\");'>" . $row['username'] . "</div>";  
 }


  ?>

How to get it to just return the user that i type in the search bar instead of all the users? Any help would be great as I am just learning PHP.

John Dane
  • 51
  • 1
  • 1
  • 3
  • 2
    Lots of tutorials out there on this. FYI, stay away from `mysql_*` functions as they are deprecated. Use PDO instead. – webbiedave May 06 '13 at 16:43
  • [Where is your XSRF token?](http://www.codinghorror.com/blog/2008/10/preventing-csrf-and-xsrf-attacks.html) (This is very important for pretty much any form, as an insufficiency in HTML/Browsers) – Amelia May 06 '13 at 16:45
  • @Hiroto the guy doesn't even know that he should use PDO and is not escaping his strings. Do you really think that XSRF token is the problem here? Haha! – Stan May 06 '13 at 16:47
  • @Steve I know, but nothing ever touches on this in any php tutorials, or even HTML ones, ever. Let's just say if he releases this on a production site, someone would have a field day on his site. – Amelia May 06 '13 at 16:49

5 Answers5

5

You need to add a WHERE clause to your SQL query to filter for users with matching usernames (using =) or similar usernames (using LIKE). For example:

SELECT * FROM users WHERE username LIKE '%querystring%'

Will return all users whose username contains "querystring".

Also, as you're likely to be bombarded with in the comments, the mysql_* functions are deprecated. You should at least switch to mysqli_*, or even better, switch to PDO.

Adrian
  • 42,911
  • 6
  • 107
  • 99
3

fist don't use mysql_* in your code , use PDO or mysqli_*

<?php 

$connection = mysql_connect("localhost","root","");

mysql_select_db("blog1")or die(mysql_error());

$safe_value = mysql_real_escape_string($_POST['search']);

$result = mysql_query("SELECT username FROM member WHERE `username` LIKE %$safe_value%");
 while ($row = mysql_fetch_assoc($result)) {
echo "<div id='link' onClick='addText(\"".$row['username']."\");'>" . $row['username'] . "</div>";  
 }


  ?>

second edit your html

<form action="users.php" method="GET">
<input id="search" name="search" type="text" placeholder="Type here">
<input id="submit" type="submit" value="Search">
</form>
Ali Akbar Azizi
  • 3,272
  • 3
  • 25
  • 44
  • Reason for suggesting the use of mysqli/pdo is because 'mysql' is depreciated and will be removed soon from the php distribution. – Advait Saravade Feb 10 '18 at 19:54
0

Please, don't use mysql_* functions in new code. They are no longer maintained and the deprecation process has begun on it. See the red box? Learn about prepared statements instead, and use PDO or MySQLi - this article will help you decide which.

Personally, I would use something like Bootstrap's typeahead function. You could pre-load your user list in to a javascript array and when the users are typing it will begin filtering. More information on Bootstrap's typeahead can be found here: http://twitter.github.io/bootstrap/javascript.html#typeahead

To do it the way your currently doing it, I would use the following code (I've used the MySQLi extension)

<?php

$connection = new mysqli('localhost', 'root', 'password', 'DB_NAME');

$search = $_GET['search'];
$search = $mysqli -> real_escape_string($search);

$query = "SELECT username FROM member WHERE username LIKE '%".$search."%'";
$result= $mysqli -> query($query);

while($row = $result -> fetch_object()){
    echo "<div id='link' onClick='addText(\"".$row -> username."\");'>" . $row -> username . "</div>";  
}

By adding the WHERE username LIKE '%".$search."%' it filters the records by usernames that start or end with the term you've type.

If you had a user name "Alex" and your search term was "Ale" that result would be amongst the returned results, if you searched for "lex", Alex would be amongst the returned results.

Community
  • 1
  • 1
ajtrichards
  • 29,723
  • 13
  • 94
  • 101
-1
  • Submit GET request
  • Get the variable and escape it to prevent sqlinjk
  • Search the database records where username is set to what is passed
  • Print result

html

<form action="users.php" method="GET">
  <input name="username" id="search" type="text" placeholder="Type here">
  <input id="submit" type="submit" value="Search">
</form>

php

<?php
$connection = mysql_connect("localhost","root","");
mysql_select_db("blog1")or die(mysql_error());
$username = mysql_real_escape_string($_GET['username']);
$result = mysql_query("SELECT * FROM member WHERE username = '" + $username + "'");
print_r($result);
Advait Saravade
  • 3,029
  • 29
  • 34
Stan
  • 25,744
  • 53
  • 164
  • 242
-3
<form action="users.php" method="GET">
<input id="search" name="keywords" type="text" placeholder="Type here">
<input id="submit" type="submit" value="Search">
</form>
</body>
</html>

<?php 

$connection = mysql_connect("localhost","root","");

mysql_select_db("blog1")or die(mysql_error());

$keywords = isset($_GET['keywords']) ? '%'.$_GET['keywords'].'%' : '';

$result = mysql_query("SELECT username FROM member where username like '$keywords'");
while ($row = mysql_fetch_assoc($result)) {
    echo "<div id='link' onClick='addText(\"".$row['username']."\");'>" . $row['username'] . "</div>";  
}

?>
user2355445
  • 1
  • GAH! Please don't give people suggestions or code samples that include giant holes for SQL injection!! – Adrian May 06 '13 at 16:55