PHP mysql $_POST search Issue

Question

I am unable to get my search function working. I am not seeing any PHP errors, but the page refreshes and re-displays the database columns. I would like it to only display the results from the search query.

For example, if I search "Mike" I would like to display all the Mikes in "Tech_Num", "Tech_F_Name", "Tech_L_Name" and "Mobile_Num".

Code:

<?php
error_reporting(E_ALL);
ini_set('display_errors', '1');

//Include the connection
include "connect.php";

$sql = "SELECT * FROM tech_info ";

if (isset($_POST['searchquery'])) {

    $result = mysqli_query($con, "SELECT * FROM tech_info");
    $search_term = $_POST['searchquery'];
    $sql .= "WHERE Tech_F_Name = '{$search_term}'";
    $sql .= " OR Tech_L_Name = '{$search_term}'";
}
?>

<form action="test2.php" method="POST">
    Search: <input type="text" name="searchquery" />
    <input type="submit" name="searchname" value="Search Me">
</form>

<table width="70%" cellpadding="5" cellspace="5">

    <tr>
        <td><strong>Tech_Num</strong></td>
        <td><strong>First Name</strong></td>
        <td><strong>Last Name</strong></td>
        <td><strong>Mobile Number</strong></td>
    </tr>

<?php
while ($row = mysqli_fetch_array($result)) {
    ?>

        <tr>
            <td><?php echo $row['Tech_Num']; ?>
            <td><?php echo $row['Tech_F_Name']; ?>
            <td><?php echo $row['Tech_L_Name']; ?>
            <td><?php echo $row['Mobile_Num']; ?>


<?php } ?>

</table>

FYI, you are wide open to [SQL injections](http://stackoverflow.com/q/60174) — John Conde, Feb 25 '14 at 21:12
You're not actually running the entire query. The part where you append your where clause to your query happens *after* you run your query. In fact, those three lines do nothing at all. — John Conde, Feb 25 '14 at 21:13

score 5 · Accepted Answer · 2014-02-25T21:26:28.327

5

<?php
error_reporting(E_ALL);
ini_set('display_errors', '1');

//Include the connection
include "connect.php";

$sql = "SELECT * FROM tech_info ";

if (isset($_POST['searchquery'])) {
    $search_term = mysql_real_escape_string($_POST['searchquery']);
    $sql .= "WHERE Tech_F_Name = '{$search_term}'";
    $sql .= " OR Tech_L_Name = '{$search_term}'";



}
$result = mysqli_query($con, $sql);
?>

Your stuff was in the wrong order, need to build the sql query before you use it.

edited Feb 25 '14 at 21:26

answered Feb 25 '14 at 21:13

1

I'd like to add that prepared statements should be used here or you should escape your input to avoid SQL injection – Hazem Mohamed Feb 25 '14 at 21:15

score 1 · Answer 2 · answered Feb 25 '14 at 21:14

Your order of operations seems wrong. You should first create the $sql variable, and then send it to database? Something like:

if (isset($_POST['searchquery'])) {

  $search_term = $_POST['searchquery'];

  $sql .= "WHERE Tech_F_Name = '{$search_term}'";

  $sql .= " OR Tech_L_Name = '{$search_term}'";

  $result = mysqli_query($con, $sql);

}

Also, for starters, replace:

$search_term = $_POST['searchquery'];

with

$search_term = mysql_real_escape_string($_POST['searchquery']);

score 0 · Answer 3 · edited Feb 25 '14 at 21:48

i think you are so confused about this script :-) If you want search in some database coloumns, you try to write something like that:

include "connect.php";

$sql = "SELECT * FROM tech_info ";


if (isset($_POST['searchquery'])) {


$search_term = $_POST['searchquery'];

$sql .= "WHERE Tech_F_Name = '{$search_term}'";

$sql .= " OR Tech_L_Name = '{$search_term}'";

}

$result = mysqli_query($con, $sql);

while ($row = mysqli_fetch_array($result)) {}

PHP mysql $_POST search Issue

3 Answers3