1

I'm wondering if anyone has a spare set of eyes for a moment or two. The problem I see lies with my issets. It is ignoring the first initial isset($lastName) and seems to always choose isset($title). Also I should mention the values are being posted from a HTML form to ssearch against a surname or title in a DB.

My question is, can anyone help with the logic problem or is there another way of doing so ? I know its prone to SQL injection too, however it's on a local DB and I'll be looking into this closely quite soon. If anyone can make suggestions I am definitely interested to hear them.

As per suggestion the HTML form.

<form name="lookup" method="post" action="searchEmployeeList.php" autocomplete="off">
<fieldset>
    <p>Conduct a search</p>
    <table width="600">
        <tr>
            <td width="150">Surname:</td>
            <td>
                <input type="text" name="lastName" value="" maxlength="25" placeholder="Employees surname">
            </td>
        </tr>
        <tr>
            <td width="150">Title:</td>
            <td>
                <input type="text" name="title" value="" maxlength="25" placeholder="Job role">
            </td>
        </tr>
        <tr>
            <td></td>
            <!--Blank row-->
            <td>
                <input type="submit" name="submit" value="Search now">

                <input type="submit" name="show_all" value="Show all">
            </td>
        </tr>
    </table>
</fieldset>
</form>

 if (isset($_POST['lastName'])) {

 include 'DBConDetails.php';

 if (isset($lastName)) {

     $sql = "SELECT * FROM employee_data Where last_name = '".$_POST['lastName'].
     "'";
 }
 if (isset($_POST['title'])) {

     $sql = "SELECT * FROM employee_data Where title = '".$_POST['title'].
     "'";
 }

 $result = mysqli_query($con, $sql);

 if ($result - > num_rows > 0) {

     echo "<table id = 'searchResults'> < tr >
         < td > ID < /td> < td > Name < /td> < td > Age < /td><td>Title</td > < td > Years of Service < /td> < td > Salary < /td> < /tr>";

     //multiple echos plainly for readability
     while ($row = $result - > fetch_assoc()) {
       echo '<tr>';
       echo '<td>' . $row["employee_id"] . '</td>';
       echo '<td>' . $row["first_name"] . ' ' . $row["last_name"] . '</td>';
       echo '<td>' . $row["age"] . '</td>';
       echo '<td>' . $row["title"] . '</td>';
       echo '<td>' . $row["yos"] . '</td>';
       echo '<td>' . $row["salary"] . '</td>';
       echo '</tr>';

     }
 } else {

     echo "I'm afraid we could not find any matches, try editing your criteria.";
 }
 echo "</table>";


}

If anyone should come across a similar problem in the future, the issue lay with both if statements being true, which lead to both executing and the latter overwriting the first if() statement. Should have noticed that !

morrisstu
  • 99
  • 1
  • 1
  • 9
  • suggestion? sure; post your HTML form to leave the guesswork out of it – Funk Forty Niner Oct 25 '15 at 20:04
  • If you enter LastName and Title it will always do the second `IF` which will overwrite the first!!! – RiggsFolly Oct 25 '15 at 20:04
  • @Bastiaan Your suggested edit http://stackoverflow.com/review/suggested-edits/9976787 **is worse!** - *sigh.* – Funk Forty Niner Oct 25 '15 at 20:07
  • @Fred-ii- Apologies, I just included it above a moment ago. Also disregard the two buttons as one displays all results as opposed to specific entries. – morrisstu Oct 25 '15 at 20:20
  • @RiggsFolly that's exactly what's happening as both statements are true, any suggestions on another way of putting it ? – morrisstu Oct 25 '15 at 20:22
  • @morrisstu I posted something for you below and I'm not sure if you saw it or not. I also made a few edits in the past 5 minutes. You will need to reload my answer to see the additional information I left in there. Do go over it in its entirety. – Funk Forty Niner Oct 25 '15 at 20:44

3 Answers3

1

I think you need to be checking:

isset($_POST['lastName']);

instead of

isset($lastName);

As the latter would be set, but be equal to some undefined value (Maybe empty string?). The same applies to your title variable.

JosephGarrone
  • 4,081
  • 3
  • 38
  • 61
0

First, I think it is better to check on if ($_SERVER['REQUEST_METHOD'] == 'POST')

See: $_POST vs. $_SERVER['REQUEST_METHOD'] == 'POST'

After that, you can check the $_POST variables with isset and maybe it can be helpful to check the variables with strlen too. When you use strlen, with trim you can remove the unnecessary spaces.

Example:

<?php
if($_SERVER['REQUEST_METHOD'] == "POST") {

    if(isset($_POST['lastName']) && strlen(trim($_POST['lastName'])) > 0) {
        // Do some action
    }
}
?>
Community
  • 1
  • 1
Perry
  • 153
  • 6
0

Firstly, you're overwriting your first query/conditional statement.

What you're telling it to do is, "if this is set, do this. If this is set, then do that".

What I feel you're probably looking to do is to check if both are set then passing those variables in your query in one go.

Such as and using !empty() instead of isset():

if (!empty($_POST['lastName']) && !empty($_POST['title']) ) {

    $lastName = $_POST['lastName'];
    $title = $_POST['title'];

    $sql = "SELECT * FROM employee_data 
            Where last_name = '" . $lastName . "' 
            AND title = '" . $title . "'";
}

If the goal here is to check for one OR the other (which looks to be the case), you can modify the above code to, and using the OR operator:

if (!empty($lastName) || !empty($title) ) {

    $lastName = $_POST['lastName'];
    $title = $_POST['title'];

    $sql = "SELECT * FROM employee_data 
            Where last_name = '" . $lastName . "' 
            OR title = '" . $title . "'";
}

and getting rid of:

if (isset($title)) {

    $sql = "SELECT * FROM employee_data Where title = '" . $title . "'";
}

Sidenote: The OR - || operator can also be used in a PHP conditional statement. && is AND; choose the one that is fitting for what you wish to achieve.

If my above throws you an error because of a character that MySQL is complaining about, such as apostrophes, then you will need to escape your data with mysqli_real_escape_string().

Sidenote: If you're going to use the above, make sure you're connected to your database first, and placing include 'DBConDetails.php'; as your first line above anything. It's usually good to be connected first.

Plus, your code is prone to an SQL injection. Use a prepared statement:

Plus, there is no opening PHP tag before if (isset($_POST['lastName'])) { statement; if that is your actual code.

It should read as

<?php 
    if (isset($_POST['lastName'])) {
...

Footnotes:

DBConDetails.php is unknown as to which MySQL API you're using. You need to use the same API from connection to querying. Different MySQL APIs do not intermix.

Check for errors against your query also:

If you want to seperate your submit buttons' actions

<input type="submit" name="submit" value="Search now">
<input type="submit" name="show_all" value="Show all">

You will need to use seperate conditional statements and using the related name attribute.

I.e.:

if (isset($_POST['submit'])) {
// do something, as in include other conditionals, code etc.
}

and

if (isset($_POST['show_all'])) {
// do something, as in include other conditionals, code etc.
}
Community
  • 1
  • 1
Funk Forty Niner
  • 74,450
  • 15
  • 68
  • 141
  • gone to make/have dinner. Ping me later – Funk Forty Niner Oct 25 '15 at 20:56
  • 1
    That solved the issue, while I did not use the !empty() it did give me the idea to edit the isset() and sql statement which did give me the results I wanted. I was looking to check one OR the other so you were correct in covering that guess also. I have the conditional statements based on the forms attributes. Also the closing PHP tag was included just below in the code, I apologise for that. Thanks a million for the extra material too, comprehensive as always. – morrisstu Oct 25 '15 at 21:06
  • @morrisstu Glad to hear it. *Cheers* – Funk Forty Niner Oct 25 '15 at 21:07