
I want to make a search. When I key in a user ID in a text box and press the submit button, it should display that user's data. How am I going to make it? I know this code is kind of wrong. By the way, I'm an admin and want to find a user.

<?php
include 'config1.php';
$query = "SELECT * FROM login WHERE userid LIKE '%$searchTerm%'"
$result = mysql_query($query);
echo "<table height = '30%'border='1'>";

while($row = mysql_fetch_array($result, MYSQL_ASSOC))
{
    echo "<tr>";
    echo "<td width='5%'><b>USER ID:</b> {$row['userid']} </td>";
    echo "<td width='5%'><b>USER NAME :</b> {$row['username']} </td>";
    echo "<td width='5%'><b>USER EMAIL:</b> {$row['useremail']} </td>";
    echo "<td width='5%'><b>USER DIVISION:</b> {$row['userdiv']} </td>";
    echo "<td width='5%'><b>USER DEPARTMENT:</b> {$row['userdepartment']} </td>";
} 
echo"</table>";
?>
lightyagami

2 Answers


Taken from your comment

when i run this on website it say Parse error: syntax error, unexpected '$result' (T_VARIABLE) in C:\xampp\htdocs\viewAdmin.php on line 41

You have a missing semi-colon in this line:

$query = "SELECT * FROM login WHERE userid LIKE '%$searchTerm%'"
                                                                ^

do

$query = "SELECT * FROM login WHERE userid LIKE '%$searchTerm%'";

Plus, to use $searchTerm you would need a form with an input named "search", for example <input type = "text" name = "search">, then do:

$searchTerm = $_POST['search'];

using a POST form method.

<form method = "post" action = "your_SQL_file.php">

  Search: <input type = "text" name = "search">

 <input type = "submit" name = "submit" value = "Search">

</form>

<?php 
include 'config1.php';
$searchTerm = $_POST['search'];
$query = "SELECT * FROM login WHERE userid LIKE '%$searchTerm%'";

...

Edit: (all in one file)

<form method = "post" action = "">

  Search: <input type = "text" name = "search">

 <input type = "submit" name = "submit" value = "Search">

</form>


<?php
include 'config1.php';

if(isset($_POST['submit'])){

    $searchTerm = mysql_real_escape_string($_POST['search']);

    $query = "SELECT * FROM login WHERE userid LIKE '%$searchTerm%'";
    $result = mysql_query($query);

    echo "<table height='30%' border='1'>";

    while($row = mysql_fetch_array($result, MYSQL_ASSOC))
    {
        echo "<tr>";
        echo "<td width='5%'><b>USER ID:</b> {$row['userid']} </td>";
        echo "<td width='5%'><b>USER NAME :</b> {$row['username']} </td>";
        echo "<td width='5%'><b>USER EMAIL:</b> {$row['useremail']} </td>";
        echo "<td width='5%'><b>USER DIVISION:</b> {$row['userdiv']} </td>";
        echo "<td width='5%'><b>USER DEPARTMENT:</b> {$row['userdepartment']} </td>";
    }
    echo "</table>";

} // brace for submit isset
?>
Funk Forty Niner
  • It says undefined searchTerm. How am I supposed to declare that searchTerm? And what is the function of LIKE? – lightyagami Aug 27 '14 at 17:24
  • @lightyagami Reload my answer, I made some additions that you may not have seen. – Funk Forty Niner Aug 27 '14 at 17:28
  • I already replied with an edit to your answer. Sorry, my code is kind of messy. I just showed you the important part of my code (all in the same page). – lightyagami Aug 27 '14 at 17:38
  • @lightyagami The edit was rejected by someone else. So, it's all in the same page, then give me a minute, I will edit myself. – Funk Forty Niner Aug 27 '14 at 17:39
  • Did you get that code? Sorry if I'm disturbing you :) – lightyagami Aug 27 '14 at 17:41
  • @lightyagami Reload and look under "Edit: (all in one file)". Unfortunately, I can't see what your edit was, since it was not approved; there is no history for it. – Funk Forty Niner Aug 27 '14 at 17:43
  • Got it, but when I run it, it still shows nothing. Can you see my full code in one page? Do you have Facebook? – lightyagami Aug 27 '14 at 17:47
  • @lightyagami I tried to bring this to chat, but Stack says you don't have enough rep points for it. Now, depending on the word you enter and looking for, it will need to match what's in your DB and must exist in your table. You can try different combinations such as `'%$searchTerm%'` or `'%$searchTerm'` or `'$searchTerm%'` – Funk Forty Niner Aug 27 '14 at 17:51
  • How am I supposed to show you my code? I want to show the one-page code so you will understand better. Haisss. When I try it, it appears blank: white, nothing appears. – lightyagami Aug 27 '14 at 17:54
  • @lightyagami I just tested this. Use my answer exactly as it is (modify it after if needed) and make sure all the columns you have in your HTML table `userid` and `username` and `useremail` etc. etc. do exist. Depending on what's in your columns. I've given you enough already and don't have time to teach you how to do it. Make sure also that your DB connection is not `mysqli_` as opposed to `mysql_` functions. If you are searching for `Robert` in column `userid` then it should find it. I can't help you any more than I already have. It's up to you to find out why it's not working. – Funk Forty Niner Aug 27 '14 at 18:01

You (may) have a security hole in your source code making it vulnerable to SQL injection.

$query = "SELECT * FROM login WHERE userid LIKE '%$searchTerm%'"

If you do not filter or sanitize $searchTerm, you're opening a hole to inject SQL.

I strongly advise you to read about PDO, particularly about prepared statements and "Are PDO prepared statements sufficient to prevent SQL injection?".

PauloASilva
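The same user search written with PDO prepared statements, as this answer recommends, added here as an example that is not code from the question or from either answer. It assumes the POST form from the first answer, the "login" column names from the question, and a placeholder DSN and credentials.

```php
<?php
// Added example, not the question's or an answer's code: the userid search
// with the term bound as a parameter instead of concatenated into the SQL.
// DSN, credentials and the "login" column names are assumptions/placeholders.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
        'DB_USER_PLACEHOLDER',
        'DB_PASSWORD_PLACEHOLDER',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // errors instead of a blank page
            PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

/** Users whose userid contains $term. $term is bound, so quotes in it cannot alter the query. */
function searchUsers(PDO $pdo, string $term): array
{
    // A bound value cannot break out of the statement, but "%" and "_" are still
    // LIKE wildcards inside the value; escape them so a lone "%" does not list every row.
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt = $pdo->prepare(
        'SELECT userid, username, useremail, userdiv, userdepartment
           FROM login WHERE userid LIKE :pattern'
    );
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll();
}

if (isset($_POST['submit'])) {
    $rows = searchUsers(connect(), (string) ($_POST['search'] ?? ''));
    echo "<table border='1'>";
    foreach ($rows as $row) {
        echo '<tr>';
        foreach ($row as $column => $value) {
            // Database contents go back into HTML, so escape them on the way out.
            echo '<td><b>' . strtoupper($column) . ':</b> '
               . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . '</td>';
        }
        echo '</tr>';
    }
    echo '</table>';
}
```

With emulated prepares disabled the pattern is sent to the server separately from the SQL text; MySQL's LIKE treats the backslash added by addcslashes as its default escape character.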