2

I am new to PHP/MYSQLI and I am having trouble creating a simple search to search my database. The columns in my database are: 'ID' , 'Name' , 'Age'. The name of my database is 'users' and the table name is 'employees'.

Here is the code:

<?php require('Connections/Localhost.php'); ?>
<?php
if (isset($_POST['Search'])) {
    $search = $_POST['element'];
    $sql = mysqli_query("SELECT * FROM employees WHERE Name = '$search' ");
    if($sql->num_rows > 0 ) {
        while($rows = $sql->fetch_assoc()) {
            $id = $rows['ID'];
            $name = $rows['Name'];
            $age = $rows['Age'];
            echo "ID: $id <br> Name: $name <br> Age: $age <br>";
        }
    }
    else {
        echo "No Result Found!";
    }
}
?>
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Untitled Document</title>
</head>
<body>
<form method="post">
<input type="text" name="element" placeholder="Enter A Name"/>
<input type="button" name="Search" value="Search" />
</form>
</body>
</html>

It just returns a blank page and nothing else. I want the user to enter a name in the text area of the form and on clicking the Search button all the data corresponding to that name from the database should be displayed on the webpage. Please correct me where I made the mistake.

Pupil
  • 23,834
  • 6
  • 44
  • 66
Bitan Basak
  • 61
  • 9
  • function [`mysqli_query`](http://php.net/manual/en/mysqli.query.php) also needs the connection argument (the procedural interface), it's stated in the manual and at least **turn on** your error reporting – Kevin Jan 20 '16 at 03:54
  • There is an error in your mysqli_query function and you need to specify two arguments. Try debugging the code first – Pooya Jan 20 '16 at 03:59
  • you need to use prepared statements in order to prevent [SQL-injections](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Because right now your code is open to SQL-injections. – BRoebie Jan 20 '16 at 13:50
  • @BRoebie Yes, I know that my code is open to SQL-injection but as I said I am Just in the learning process right now but I will get to it soon enough. – Bitan Basak Jan 20 '16 at 13:58
  • Very good, I'd say one step at the time ;) for me I'd like to use prepared statements no matter the situation even if it for an intranet application. Because some colleague came to me(I am an intern btw at this company) and he tried to convince me that I don't need to implement this(which is of course a huge load of BS). Because of user restrictions. Which of course has nothing to do with it xD. – BRoebie Jan 20 '16 at 14:15
  • @BRoebie Now since this code is working like charm. Can you suggest me how to make this code safe from SQL-injections? – Bitan Basak Jan 20 '16 at 14:28
  • I'll leave an answer below. – BRoebie Jan 20 '16 at 14:47

2 Answers2

3

You need to change button type to submit.

Your form is not posting.

Change

<input type="button" name="Search" value="Search" />

To:

<input type="submit" name="Search" value="Search" />

Also, mysqli_query() needs database connection resource.

You have given only sql query.

$sql = mysqli_query($databaseConnection, "SELECT * FROM employees WHERE Name = '$search' ");

mixed mysqli_query ( mysqli $link , string $query [, int $resultmode = MYSQLI_STORE_RESULT ] )

Reference

Pupil
  • 23,834
  • 6
  • 44
  • 66
0

As per request of OP here I will explain the general concept of a Prepared statement in mysqli feel free to edit this if you feel I did not elaborated on a topic.

  1. The first thing you need to do is prepare the query(preparing the query is sending an empty query to the database). But instead of defining the parameter you will put a question mark.

    1. After that you need to bind the parameters to the question marks In the exact order as in the query! The first thing you'll do is defining the type of the parameter string is s integer is i and blob is b. After that you'll need to define the variables with the data.

      1. And the third and final thing you'll need to do is executing the query. I always use it in an if statement because it will return a true or false and like this you can check if the query failed or not and handle the error. In this case you will not need an else because the page will die if the query returns false.

        /*1.*/
$stmt = $databaseConnection->prepare("SELECT * FROM `employees` WHERE `name` = ?"); 
/*2.*/
$stmt->bind_param("s",$search); 
/*3.*/
if(!$stmt->execute())
{
die("There went something wrong: " . $stmt->error);
}

Edit: here is the question explaining more about how to prevent SQL-injections.

Community
  • 1
  • 1
BRoebie
  • 374
  • 3
  • 13