-1

I am trying to add a search option to my database. I have created the following program, but it is giving me an error message in the loop portion. I am unable to understand why it's not moving to the else statement. Kindly check it and tell me where I am making a mistake.

<?php
    require 'connect.php';
    if (isset ($_POST['username']))
    {
        $username = $_POST['username'];
        $query = "select * from users where username like '%$username%' ";

        if ($query_result = mysql_query($query))
        {
            $numrows = mysql_num_rows($query_result);
            if ($numrows > 1)
            {
                for ($i = 0; $i < $numrows; $i++)
                {
                    echo $query_result = mysql_result($query_result, $i, 'username');
                }
            }
            else
            {
                echo 'No Results Found!';
            }       
        }
        else
        {
            echo 'No Results Found!!';
            // echo mysql_error();
        }
    }
    else
    {
        echo 'Are you kidding with me !';
    }
?>

Thanks

icedwater
Taha Kirmani
  • 3
    Welcome to StackOverflow. **[Please, don't use mysql_* functions for new code.](http://bit.ly/phpmsql)** They are no longer maintained and are officially deprecated. See the **[red box](http://j.mp/Te9zIL)**? You can use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) instead - [this article](http://j.mp/QEx8IB) can help you decide which. – jcsanyi Jul 02 '13 at 06:16
  • 1
    Not a duplicate - this is about overwriting the `$query_result` variable, whereas the other one is about the query returning `false` to indicate an error. – jcsanyi Jul 02 '13 at 06:18

3 Answers

3

Inside your loop you're doing:

echo $query_result=     mysql_result($query_result,$i,'username');

Which doesn't add up: you're echo-ing the result of an assignment. Not just any assignment, too. You're reassigning the return value of mysql_result to the resource: $query_result. Therefore, on the second iteration of your loop, the mysql_result call will fail.

That said, the mysql_* extension is deprecated and shouldn't be used anymore; look into the preferred alternative extensions, like PDO or mysqli_*.
You could also rewrite your loop as a while-loop, using:

$out = '';
while($row = mysqli_fetch_assoc($query_result))
{
    $out .= $row['username'].'<br/>';
}

On your query:
Instead of doing SELECT *, which basically selects all fields for every row matching your WHERE clause, if all you're interested in is the username (which, from your code, seems to be the case), why not simply use SELECT username? That's easier on your DB, and doesn't require as many resources.

Your WHERE clause reads username LIKE '%{$var}%', this means that, if the input were a, your query returns all usernames containing an a somewhere. Apart from that being not too secure, it also is dead-slow. Your query is highly likely to perform a full table scan, probably requiring I/O disk operations. Either use like without % wildcards to ensure case-insensitivity, use the single-char wildcard _ or, if needs must, only use one %. A username search for "sup" that yields "superman" makes more sense than the same search yielding "dinnersupper".

Lastly, your code is extremely vulnerable to mysql-injection attacks. If I were to post the username: '; DROP TABLE users; --, your query would look like this:

select * from users where username like '%'; DROP TABLE users; -- %'

Which spells disaster, doesn't it?

Elias Van Ootegem
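
The search from the question rewritten with a PDO prepared statement and a single trailing wildcard, as an added example that is not part of the original question or answers. It assumes PDO with the SQLite driver (an in-memory table stands in for the MySQL `users` table); `searchUsers` and the sample rows are hypothetical.

```php
<?php
// Added example. Assumption: in-memory SQLite stands in for the MySQL `users` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT NOT NULL)');

// Constructed sample rows.
$insert = $pdo->prepare('INSERT INTO users (username) VALUES (?)');
foreach (['superman', 'dinnersupper', 'sup_er', '100%sure'] as $name) {
    $insert->execute([$name]);
}

/**
 * Prefix search on username (hypothetical helper).
 * The term is bound as a parameter, so it is never parsed as SQL.
 */
function searchUsers(PDO $pdo, string $term): array
{
    // Escape LIKE metacharacters so a typed % or _ matches literally.
    // '!' is used as the escape character because it behaves the same
    // in MySQL and SQLite string literals.
    $escaped = strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']);

    $stmt = $pdo->prepare(
        "SELECT username FROM users WHERE username LIKE ? ESCAPE '!' ORDER BY username"
    );
    $stmt->execute([$escaped . '%']); // one trailing wildcard only
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs, including the injection string quoted in the answer.
$inputs = ['sup', 'sup_', '100%', "'; DROP TABLE users; --"];
foreach ($inputs as $input) {
    $rows = searchUsers($pdo, $input);
    echo str_pad($input, 26), ' => ',
        $rows ? implode(', ', $rows) : 'No Results Found!', PHP_EOL;
}

// The table is still intact after the injection attempt.
echo 'rows in users: ', $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn(), PHP_EOL;
```

When the usernames are echoed into an HTML page rather than a terminal, pass each one through `htmlspecialchars()` first.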
0

You call in a loop mysql_result and replace the query resource $query_result with the value of the cell. On the next call $query_result won't be a valid resource anymore.

Note: not sure what you're trying to do as you don't even use the value... simply remove the assignment.

Karoly Horvath
0

I changed a few lines of code. I changed your loop into a while loop. Try this one:

    if($numrows!=0)
    {
        while ($rs = mysql_fetch_array($query_result)){
          echo $rs['username'] . " <br>";
        }
    }

Hope it helps...

Carlo