0

I'm trying to make a user search with the following code:

```php
<?php
session_start();
include("../BD/bd.php");

$searched_for = $_POST['searched_for'];
$query = @mysql_query("SELECT * FROM user_media WHERE nombre LIKE '%$searched_for%'") or die(mysql_error());

while($got_users = @mysql_fetch_array($query)){
    echo '<div class="searched-content-info">'.
         '<div class="searched-photo"><img src="'.$got_users['foto'].'"></div>
         <div class="searched-names"><h3>'.$got_users['nombre'].'</h3></div>
         <div class="searched-dates"><h3>'.'Miembro desde: '.$got_users['created_on'].'</h3></div>
         </div>
         <div class="divisor-search-user"></div>';
}

?>
```

But I'm getting all the rows. I just want to display the searched users' info. It seems like the `$query` is receiving a clean `$searched_for`.

Any help here? Btw, I'm a little newbie here, please don't bully :)

EDIT: I tried changing `$got_users['nombre'];` with `$searched_for` to see if `$searched_for` is empty, and yes, it doesn't return any string; that's why I am getting all the rows. `$query` is getting an empty variable, but why?

Here's my HTML:

```html
<form target="u-n" id="search_input" action="search_user.php" method="post">
    <input id="search-input" name="searched_for" type="search" placeholder="Search">
</form>
```
Pepe Perez
  • 4
    Don't even know where to start here... – zerkms Feb 27 '14 at 03:56
  • try to change `$searched_for = $_POST['searched_for'];` to `$searched_for = $_REQUEST['searched_for'];` and then google about SQL injections – Iłya Bursov Feb 27 '14 at 04:00
  • Check the name of the field `searched_for` in your form. Check cases. – Amit Garg Feb 27 '14 at 04:01
  • 1
    *sidenote:* stop using deprecated `mysql_*` functions. use [MySQLi](http://php.net/manual/en/book.mysqli.php) or [PDO](http://php.net/manual/en/book.pdo.php) instead. Here is a good [tutorial](http://j.mp/PoWehJ) for PDO. Start debug by removing all error suppressing `@`. – Raptor Feb 27 '14 at 04:13
  • 1
    *sidenote:* your code is subject to SQL Injection attack, as you directly allow POST values to be inserted in your query. – Raptor Feb 27 '14 at 04:15
  • You suppress all the errors with `@`, then wonder why you don't know what's wrong.... – sevenseacat Feb 27 '14 at 04:15
  • Also, where is your HTML structure? DOCTYPE, head, body, etc? – Raptor Feb 27 '14 at 04:20
  • Shivan this content loads inside a 'div' on profile.php – Pepe Perez Feb 27 '14 at 04:22
  • Do you still have the problem? If yes, then can you tell me clearly how your result is? I mean, are you getting all searched_for values? – ɹɐqʞɐ zoɹǝɟ Feb 27 '14 at 04:49
  • feroz akbar I tried changing `$got_users['nombre'];` with `$searched_for` to see if `$searched_for` is empty, and yes, it doesn't return any string; that's why I am getting all the rows. `$query` is getting an empty variable, but why? – Pepe Perez Feb 27 '14 at 05:07

1 Answer

1

You used `<input type="search" />`, which is an HTML5 feature. Older browsers may not support this. Replace this input with `type="text"`.

Then, your $_POST['searched_for'] should populate properly, that is:

<input name="searched_for" type="text" placeholder="Search" />

Also, you used the same id multiple times, which is an invalid HTML syntax.

Reference: HTML input tag at MDN

Raptor
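The comments above point out the SQL injection risk and recommend PDO, and the question's symptom (every row returned) is what `LIKE '%%'` does when the term is empty. The following is an added example, not code from the question or the answer, showing the same search with a bound parameter, literal matching of `%` and `_`, an explicit empty-term check, and HTML-escaped output. Assumptions: `search_users()` and `render_user()` are hypothetical helpers, an in-memory SQLite database with constructed rows stands in for the MySQL server so the script runs offline, and `!` is chosen as the LIKE escape character.

```php
<?php
// Added example. Assumption: in-memory SQLite stands in for MySQL; rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // surface errors instead of hiding them with @
$pdo->exec("CREATE TABLE user_media (nombre TEXT, foto TEXT, created_on TEXT)");
$insert = $pdo->prepare("INSERT INTO user_media (nombre, foto, created_on) VALUES (?, ?, ?)");
foreach ([
    ['Ana Lopez',  'img/ana.png',  '2014-01-10'],
    ['Luis 100%',  'img/luis.png', '2014-02-01'],
    ['<b>Eva</b>', 'img/eva.png',  '2014-02-20'],
] as $row) {
    $insert->execute($row);
}

// Hypothetical helper: returns matching rows, or none for an empty term.
function search_users(PDO $pdo, ?string $term): array
{
    $term = trim((string) $term);
    if ($term === '') {
        return []; // an empty term would become LIKE '%%' and match every row
    }
    // Prefix LIKE metacharacters (and the escape character itself) with '!'
    // so the user's input is matched literally.
    $escaped = preg_replace('/[!%_]/', '!$0', $term);
    $stmt = $pdo->prepare(
        "SELECT nombre, foto, created_on FROM user_media WHERE nombre LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => '%' . $escaped . '%']); // value is bound, never concatenated into SQL
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hypothetical helper: same markup as the question, with every value HTML-escaped.
function render_user(array $u): string
{
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<div class="searched-content-info">'
         . '<div class="searched-photo"><img src="' . $e($u['foto']) . '"></div>'
         . '<div class="searched-names"><h3>' . $e($u['nombre']) . '</h3></div>'
         . '<div class="searched-dates"><h3>Miembro desde: ' . $e($u['created_on']) . '</h3></div>'
         . '</div>' . "\n";
}

// Constructed inputs: a normal term, the empty POST from the question,
// a quote-laden string, a literal percent sign, and a name containing markup.
foreach (['ana', '', "' OR '1'='1", '%', 'eva'] as $term) {
    $rows = search_users($pdo, $term);
    echo json_encode($term), ' -> ', count($rows), " row(s)\n";
    foreach ($rows as $u) {
        echo render_user($u);
    }
}
```

Against MySQL, only the PDO DSN and credentials change; the `prepare`/`execute` calls and the `ESCAPE '!'` clause stay the same.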