
Can anyone help me? I want to search by name or agreementNum but it doesn't work; it only searches by name.

I'm an absolute beginner to computer programming. When I want to search by agreement number it shows only the first record of my database, and only the search by name works well.

    <?php
    // $con is assumed to be the connection opened earlier with mysql_connect() (not shown in the post).
    mysql_select_db("aruba", $con);

    $a1 = $_POST['u_Name'];
    $a2 = $_POST['u_Agreement'];

    // User input is placed directly into the SQL string (the injection risk raised in the comments below).
    $sql = "SELECT * FROM customer
            WHERE Name like ('%$a1%')
            OR AgreementNum ='$a2'";

    $q = mysql_query($sql);
    // Only the first row of the result set is fetched.
    $x = mysql_fetch_array($q);
    ?>
    <table>
    <tr><td><b>Customer Name:</b></td><td><?php echo $x['Name']; ?></td></tr>
    <tr><td><b>Address:</b></td><td><?php echo $x['Address']; ?></td></tr>
    <tr><td><b>Contact Person:</b></td><td><?php echo $x['Sales']; ?></td></tr>
    <tr><td><b>Phone Number:</b></td><td><?php echo $x['PhoneNum']; ?></td></tr>
    <tr><td><b>Maintenance Agreement No:</b></td><td><?php echo $x['AgreementNum']; ?></td></tr>
    <tr><td><b>Start Date:</b></td><td><?php echo $x['StartDate']; ?></td></tr>
    <tr><td><b>End Date:</b></td><td><?php echo $x['EndDate']; ?></td></tr>
    <tr><td><b>Reseller Name:</b></td><td><?php echo $x['Reseller']; ?></td></tr>
    <tr><td><b>Product Model:</b></td><td><?php echo $x['ModelNum']; ?></td></tr>
    <tr><td><b>Remarks:</b></td><td><?php echo $x['Quantity']; ?></td></tr>
    </table>
    <?php mysql_close($con); ?>

  • **Bro, do you even mysqli?** mysql_* methods are deprecated as of PHP v5.5.0 and will be removed in the future. http://php.net/manual/en/changelog.mysql.php Please switch to a more secure mysqli_* or PDO connection. – max_ May 30 '13 at 09:38
  • You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin May 30 '13 at 09:42
  • Please do not use user input directly in SQL queries. Make sure that you escape them with an appropriate function first, e.g. [mysql_real_escape_string](http://php.net/manual/en/function.mysql-real-escape-string.php), but really you should be using PDO or mysqli functions as mysql functions are now deprecated. – Anigel May 30 '13 at 09:43
  • Your example is missing the actual database call. Also, for db questions, it helps to show 3 or 4 rows of what's in your table, the output you expect to get, and the output you are actually getting. – Matt May 30 '13 at 12:03

2 Answers

    select * from table where field in ('1','2','3')

Matheno

Try to encase your statements in parentheses. I'm not sure if LIKE accepts an OR parameter, but I think that's the root of your problem. Try:

    $sql=" SELECT * FROM customer
                WHERE (Name like ('%$a1%') )
                OR ( AgreementNum ='$a2' )
    ";

Also, a couple of notes:

  • Do not use mysql_, it's deprecated. Switch to PDO or mysqli.
  • Filter user input. You are asking for a mysql injection if you stick user input directly into your queries.

Wonder what would happen if suddenly this happens? (DO NOT test this on your DB!!)

    $a2 = "'); DELETE FROM customer;--";

Answer:

    SELECT * FROM customer
         WHERE (Name like ('%$a1%') )
         OR ( AgreementNum =''); DELETE FROM customer;--' )

Maxim Kumpan
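
A parameterized version of the search discussed in this thread, as an added example that is not code from the question or from either answer. It uses PDO, which the comments and the second answer recommend, against a constructed in-memory SQLite table; the `searchCustomers` helper and the sample rows are assumptions made for illustration. A condition is added only for the fields that were filled in, since an empty name would otherwise produce the pattern `%%`, which matches every row.

```php
<?php
// Added example. Constructed in-memory table standing in for `customer`.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE customer (Name TEXT, AgreementNum TEXT)");
$pdo->exec("INSERT INTO customer VALUES
    ('Acme Ltd', 'A-100'), ('Beta Corp', 'B-200'), ('Acme West', 'A-300')");

// Hypothetical helper: search by name and/or agreement number.
// Values travel as bound parameters and are never spliced into the SQL text.
function searchCustomers(PDO $pdo, string $name, string $agreement): array
{
    $where = [];
    $params = [];
    if ($name !== '') {
        // Escape LIKE wildcards so a user-typed % or _ matches literally.
        $where[] = "Name LIKE :name ESCAPE '!'";
        $params[':name'] = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $name) . '%';
    }
    if ($agreement !== '') {
        $where[] = 'AgreementNum = :agreement';
        $params[':agreement'] = $agreement;
    }
    if (!$where) {
        return []; // no criteria given: return nothing rather than every row
    }
    $sql = 'SELECT Name, AgreementNum FROM customer WHERE ' . implode(' OR ', $where);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC); // all matching rows, not just the first
}

$cases = [
    ['', 'B-200'],                        // agreement number only
    ['Acme', ''],                         // name only
    ['', "'); DELETE FROM customer;--"],  // string from the answer above, bound as data
];
foreach ($cases as [$name, $agreement]) {
    $rows = searchCustomers($pdo, $name, $agreement);
    echo json_encode([$name, $agreement]), ' => ', count($rows), " row(s)\n";
    foreach ($rows as $r) {
        // Encode on output, as these values would be echoed into an HTML table.
        echo '  ', htmlspecialchars($r['Name']), ' / ', htmlspecialchars($r['AgreementNum']), "\n";
    }
}
echo 'rows in table afterwards: ', $pdo->query('SELECT COUNT(*) FROM customer')->fetchColumn(), "\n";
```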