
I have a filter search criteria that allows customers to filter by price, availability and category. When I try to filter by price it displays just the number and not the products that are that price. I was wondering if anyone can help me with what I did wrong.

this is my form

<form action="results2.php" method="post">
    Name  <input type="text" name="price" >
    <input type="submit" name="search" value="Find Me">
</form>

and this is my results2.php

<?php
// $connection is assumed to be an open mysqli link created elsewhere (e.g. an included config file)
if (isset($_POST['search'])) {
    $get_name = $_POST['price'];
    echo $get_name; // this prints the submitted price on the page before the results
    // the posted value is interpolated straight into the SQL text without escaping
    $query = "SELECT * FROM product WHERE price LIKE '%$get_name%'";
    $result = mysqli_query($connection, $query);
    while ($row = mysqli_fetch_array($result)) {
        $productName = $row['productName'];
        $description = $row['description'];
        $category = $row['category'];
        $availibilty = $row['availibilty'];
        $price = $row['price'];
        $height = $row['height'];
        echo $productName . " " . $description . "  " . $category . " " . $availibilty . " " . $price . " " . $height . "<br />";
    }
}
?>

I am trying to filter by price; when it does, it just displays the price and not all my products.

  • What does it mean, `it just displays the Price and not all my products`? What result do you get, and what is the expected result? – vaso123 Dec 02 '14 at 12:15
  • It's supposed to display all my products from my products table that are 48.00 – RandomUsers Dec 02 '14 at 12:17
  • It is supposed to return the products which meet the criteria, but I don't think that `like` is the right operator to use here. Other problem: your source code is SQL injection vulnerable! – PauloASilva Dec 02 '14 at 12:21
  • SQL INJECTION, read about it my friend. – Robert Dec 02 '14 at 12:25
  • How many rows does it return? If I get it, your query just echoes the prices, right? Try adding an error_reporting(E_ALL) to check if there's some error... – Dimas Pante Dec 02 '14 at 12:32
  • Is the price a string in the database? – Knase Dec 02 '14 at 12:33
  • Another thing: is your 'price' field a DOUBLE, FLOAT or CHAR type? If it's a FLOAT, you have to convert it before the like: WHERE convert(decimal(20,10), price) LIKE '%$get_name%'"; – Dimas Pante Dec 02 '14 at 12:41

1 Answer

The way you should be doing this is using PDO.

$dsn = 'mysql:dbname=testdb;host=127.0.0.1';
$user = 'dbuser';
$password = 'dbpass';

// throw exceptions on errors so a failed prepare/execute is not silently ignored
$dbh = new PDO($dsn, $user, $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

$stmt = $dbh->prepare('
    SELECT
        *
    FROM product
    WHERE
        price >= :low
');

// the value is sent separately from the SQL text, so it cannot change the query
$stmt->bindParam(':low', $_POST['price']);

$stmt->execute();
// you can test the return value

// the assignment must be parenthesised, otherwise $result only receives the boolean
while (($result = $stmt->fetch(PDO::FETCH_OBJ)) !== false)
{
    // output the records (escape before printing into HTML)
    echo htmlspecialchars($result->productName . ' ' . $result->price), "<br />";
}

I wrote this inline so, most probably, it won't work out of the box, but it introduces you to PDO, prepared statements and how to address SQL injection.

You're also encouraged to filter and sanitize $_POST. Have a look at PHP's filter_var functions.

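Putting the answer's two points together, here is an added example (not the answer's or the asker's code) of a results2.php that validates the posted price with filter_var before binding it to an exact-match prepared statement, so the asker gets every product priced 48.00 rather than the echoed number. It assumes the same DSN and credentials as the answer above, a `product` table whose `price` column is DECIMAL (the comments note that LIKE on a FLOAT column is unreliable), and the column names used in the question.

```php
<?php
// Added example: validate, then query with a bound parameter instead of string interpolation.

function parsePrice(?string $raw): ?string
{
    // FILTER_VALIDATE_FLOAT accepts "48" or "48.00" and rejects letters, SQL fragments
    // and an empty field, so only a plain number ever reaches the query.
    $value = filter_var($raw, FILTER_VALIDATE_FLOAT);
    if ($value === false || $value < 0) {
        return null;
    }
    // Normalise to two decimals so it compares cleanly with a DECIMAL(10,2) column.
    return number_format($value, 2, '.', '');
}

function findProductsByPrice(PDO $dbh, string $price): array
{
    // Exact equality instead of LIKE: the asker wants products that cost exactly 48.00,
    // and LIKE on a numeric column only works through implicit string conversion.
    $stmt = $dbh->prepare('SELECT productName, description, category, availibilty, price, height
                           FROM product WHERE price = :price');
    $stmt->bindValue(':price', $price, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$price = parsePrice($_POST['price'] ?? null);
if ($price === null) {
    http_response_code(400);
    exit('Please enter a valid price, e.g. 48.00');
}

$dbh = new PDO('mysql:dbname=testdb;host=127.0.0.1;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE         => PDO::ERRMODE_EXCEPTION, // surface query errors instead of hiding them
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
]);

foreach (findProductsByPrice($dbh, $price) as $row) {
    // htmlspecialchars keeps stored values from being rendered as HTML on the results page
    echo htmlspecialchars(implode(' ', $row), ENT_QUOTES, 'UTF-8'), "<br />";
}
```

If no rows come back for a valid price, the column type is the next thing to check: a FLOAT column will not compare exactly against 48.00, which is the point Dimas Pante raised in the comments.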