
This is my search_candidate.php file:

<?php

   $name = $_GET['name'];
   $sql = "SELECT * FROM candidates WHERE Name = $name";
   $query = mysql_query( $sql );
          if(mysql_num_rows($query) == "")
          {
          echo "no result found";
          }
          echo "<table>";

          echo "<thead></thead>";
                while( $row = mysql_fetch_array( $query ) )
                     {
                      echo "<tr></tr>";
                     }
          echo "</table>";
?>
Rizier123
  • Are you getting any syntax error? – Amit Verma Jan 23 '15 at 12:44
  • `$query = mysql_query( $sql ) or die(mysql_error());` and see the error you're not checking for. – Funk Forty Niner Jan 23 '15 at 12:49
  • **Please, [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).** They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). **Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement)** instead, and **use [PDO](http://us1.php.net/pdo).** **[DANGER! You need to prevent SQL Injection!](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)** – Jay Blanchard Jan 23 '15 at 15:27

3 Answers

SELECT * FROM candidates WHERE Name = $name

$name is a string and needs to be in quotes like '$name'

But even after that fix you won't get anything because your loop doesn't print any data. It just opens and closes new rows without anything inside.

[How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)

Hanky Panky

Try this code, it will work.

<?php

   $name = $_GET['name'];
   $sql = "SELECT * FROM candidates WHERE Name = '$name'";
   $query = mysql_query( $sql );
          if(mysql_num_rows($query) == "")
          {
          echo "no result found";
          }
          echo "<table>";

          echo "<thead></thead>";
                while( $row = mysql_fetch_array( $query ) )
                     {
                      echo "<tr><td>".$row['name']."</td></tr>";
                     }
          echo "</table>";
?>

Copied the code from the question and made changes for 2 errors: the `$name` string must be in quotes, and I added `<td>".$row['name']."</td>` in your loop to show something.

Your code allows anyone to inject, so try to use a PDO or MySQLi connection.

Huzoor Bux
  • @Fred-ii- People don't like help so.. – Huzoor Bux Jan 23 '15 at 12:50
  • I know the feeling. Must be having bad coffee. – Funk Forty Niner Jan 23 '15 at 12:50
  • @HuzoorBux Maybe you can also highlight where the error is and explain why you have to put `$name` in quotes; also I don't understand how this got downvoted – Rizier123 Jan 23 '15 at 12:53
  • @Rizier123 you are right my mistake. – Huzoor Bux Jan 23 '15 at 12:55
  • Please don't be judgmental about down-votes so fast. I'll tell you why this was down-voted. This answer took the pain to copy-paste code from the question and fix one string quotation mark, and failed to realize that the rest of the pasted code is still wrong: it doesn't output any data. All this loop does is `echo "";` Does that produce the output? Why reproduce wrong code? – Hanky Panky Jan 23 '15 at 12:59
  • @Hanky웃Panky True true, but the fix is still partially there. OP needs to fix it and here too, but I agree. I hadn't noticed that originally. – Funk Forty Niner Jan 23 '15 at 13:02
  • Now that we know the reason, i'll retract the down-vote. – Hanky Panky Jan 23 '15 at 13:05
  • @Hanky웃Panky Thanks for pointing it out, I have fixed that error and added some more explanation to it. – Huzoor Bux Jan 23 '15 at 13:06

Seems name is a string, so add quotes around `$name` in the query:

$sql = "SELECT * FROM candidates WHERE Name = '$name'";

Note: `mysql_*` has been deprecated; use `mysqli_*` or PDO.

Rakesh Sharma
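Putting the three answers together (quoting the value, a loop that actually prints a cell, and moving off `mysql_*` to PDO), here is the search page rewritten with a prepared statement. This is an added example, not code from the question or any of the answers; the host, database name, table layout and credentials are assumed for illustration.

```php
<?php
// Added example (not from the question or any answer): the same search
// rewritten with PDO and a prepared statement, so $name is sent to MySQL
// as a bound parameter and is never spliced into the SQL text.
// Assumed: a local MySQL database "app" with a "candidates" table that has
// a "Name" column, and credentials "app_user"/"secret".
$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4',
    'app_user',
    'secret',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw on SQL errors instead of returning false
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

$name = $_GET['name'] ?? '';

// The named placeholder replaces the quoted interpolation '$name'.
// Quotes, comments or extra clauses in the input arrive as data, not as SQL.
$stmt = $pdo->prepare('SELECT Name FROM candidates WHERE Name = :name');
$stmt->execute([':name' => $name]);
$rows = $stmt->fetchAll();

if (count($rows) === 0) {
    echo 'no result found';
}

echo '<table>';
echo '<thead><tr><th>Name</th></tr></thead>';
foreach ($rows as $row) {
    // The array key must match the column name (and case) MySQL returns,
    // here "Name" as declared in the assumed table.
    // htmlspecialchars() stops a stored name from being rendered as markup.
    echo '<tr><td>' . htmlspecialchars($row['Name'], ENT_QUOTES, 'UTF-8') . '</td></tr>';
}
echo '</table>';
```

With `ATTR_ERRMODE` set to exceptions, a broken query surfaces as a PDOException instead of the silent `false` that `mysql_query` returned in the original.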