-3

I'm trying to make a search engine but when I upload this code to my website I get

ERROR 003: An unknown error occurred.

I went to phpmyadmin and typed the SQL in the SQL tab and I got the right results but when I uploaded it to my website it didn't work.

<?PHP

    global $output;
    if(isset($_POST['submit'])){
            if(!empty($_POST)) {
            //Connect to DB
            $conn = new mysqli('localhost', 'username', 'password', 'search')or die('ERROR 001: Something went wrong while connecting to MySQL server.');

            if ($conn->connect_error) {
                die("Connection failed: " . $conn->connect_error);
            }

            $search = $_POST['searchBar'];

            $result = $conn->query('SELECT * FROM websites WHERE url LIKE "%$search%" OR title LIKE "%$search%"')or die('ERROR 002: Something is wrong with you SQL.');

            if(!$result->num_rows == 0) {
                while($row = $result->fetch_assoc()) {
                    $title = $row['title'];
                    $url = $row['url'];
                    $id = $row['id'];

                    $output .= '<a href="' . $url . '" target="_blank">' . $title . '</a><br><br>';
                }
            } else {
                $output = 'ERROR 003: An unknown error occurred.';
            }
        }
    }

?>

<?PHP 

    require('search.php');

 ?>

<!DOCTYPE HTML>
<HTML lang = "en">
    <head>
        <meta charset = "UTF-8">
        <meta name = "description" content = "null">
        <meta name = "author" content = "Adam Oates">
        <meta name = "title" content = "Search Engine">
        <title title = "Gigaboy Search Engine">
            Gigaboy Search Engine
        </title>
        <link rel = "apple-touch-icon" href = "">
        <link rel = "shortcut icon" href = "">
        <link rel = "stylesheet" type = "text/css" href = "main.css">
        <script type = "text/javascript" src = "http://code.jquery.com/jquery-2.1.4.js"></script>
        <script type = "text/javascript" src = "main.js"></script>
    </head>
    <body>
        <header>

        </header>

        <section id = "mainIndex">
            <div align = "center">
                <form action = "index.php" method = "post">
                    <input type = "text" name = "searchBar" placeholder = "Search the Web" autocomplete = "off">
                    <input type = "submit" name = "submit" value = "Search">
                </form><br><br>
                <?PHP echo $output; ?>
            </div>
        </section>

        <footer>

        </footer>
    </body>
</HTML>
mega6382
  • 9,211
  • 17
  • 48
  • 69
Adam Oates
  • 115
  • 1
  • 2
  • 7
  • 1
    That means `$result->num_rows == 0` is `true`. It's right in your own code... – Mike Jan 22 '16 at 22:12
  • I know `$result->num_rows == 0` is `true` I need it to be `false`. – Adam Oates Jan 22 '16 at 22:13
  • what happens if you change your if logic to `if ($result->num_rows > 0){...}` ? – Andrew Coder Jan 22 '16 at 22:15
  • try `var_dump($result);` in the `else-clause`. And see what you get. – mega6382 Jan 22 '16 at 22:17
  • Also, what happens if you encapsulate the query in `"` and use `'` to indicate values to search for? The way you wrote it is backwards from every sql statement I've ever written. It may also help to encapsulate table and column identifiers in `\`` – Andrew Coder Jan 22 '16 at 22:17
  • I tried the 3rd comment and I get the same results. :( – Adam Oates Jan 22 '16 at 22:18
  • I get the text NULL which means nothing in code when I tryed the 4th comment – Adam Oates Jan 22 '16 at 22:20
  • Also as datelligent says, your code (once you fix it) will be open to SQL injection. You need to address that or you are leaving your website open to get hacked. Use prepared statements with bound variables. – Mike Jan 22 '16 at 22:21
  • Wow. Using MySQLi and then just dropping the user inputs just in the query. Hello `"; DROP DATABASE;`. Migrate directly to PDO and start using Prepared Statements with binding parameters. (Yeah, I know MySQLi has Prepared Statements, but PDO has a better Integration of Prepare Statements. MySQLi's Prepares are sketchy.) – Charlotte Dunois Jan 22 '16 at 22:26
  • 1
    @CharlotteDunois There's nothing "sketchy" about mysqli. The only difference is that PDO supports named parameters. – Mike Jan 22 '16 at 22:29
  • I'm using prepared statement now I changed it. – Adam Oates Jan 22 '16 at 22:31
  • I tried replacing the code `"%$search%"` to `"%Web Design%"` and it worked but when I changed it back it didn't work so it has something to do with the variable `$search`. – Adam Oates Jan 22 '16 at 22:34

1 Answers1

0

When executing the MYSQL query use the schema prefix:

 SELECT * FROM [SCHEMA].websites WHERE url LIKE '%".$search."%' OR title LIKE '%".$search%."';

And place correctly the search variables, as I put in the query.

I recommend to use PREPARED STATEMENTS that way you avoid SQL INJECTIONS.

digitai
  • 1,870
  • 2
  • 20
  • 37
  • 1
    Why do you have `[SCHEMA]` in brackets? This is MySQL, not SQL-Server. – Barmar Jan 22 '16 at 23:01
  • Brackets are used as a placeholder where the string instructed to be placed, should be placed. – digitai Jan 23 '16 at 00:30
  • 1
    Why do you think he needs to specify the schema name? He has the database name specified in the call to `new mysqli()`. – Barmar Jan 23 '16 at 00:32