
I run this simple script to get results posted back to an Android app, but when I use some keywords it will refuse to post back any results, even though there is data in the database with matching keywords.

Script:

```php
<?php
error_reporting(E_ALL);
// The JSON object is opened before the query runs; its value is printed below.
echo '{"results":';
if(!empty($_GET["name"]))
{
    // Connection credentials are masked in the question.
    $link = mysqli_connect("xxxxxxxxxxx", "xxxxxxxxxxx", "xxxxxxxxxxx", "xxxxxxxxxxx");
    if (!$link)
    {
        echo "Error: Unable to connect to MySQL." . PHP_EOL;
        echo "Debugging errno: " . mysqli_connect_errno() . PHP_EOL;
        echo "Debugging error: " . mysqli_connect_error() . PHP_EOL;
        exit;
    }

    // The GET parameter is concatenated straight into the SQL text (see the comments below).
    $query = "SELECT * FROM allart WHERE COMSCHRIJVING1 LIKE '%" . $_GET["name"] . "%' LIMIT 50";
    $result = mysqli_query($link, $query);

    // mysqli_query() returns false on failure, so a failed query silently prints nothing here.
    if(!empty($result))
    {
        $i = 1;
        $data = array();
        while($row = mysqli_fetch_array($result))
        {
            $data[] = array(
                            "id" => $i,
                            "name" => strtolower(ucfirst($row['COMSCHRIJVING1'])),
                            "article" => $row['CARTIKEL'],
                            "groep" => strtolower(ucfirst($row['CARTIKELGROEP'])),
                            "eenheid" => strtoupper($row['CEENHEIDVOORRAAD']),
                            );
            $i++;
        }
        // json_encode() returns false on failure, and echo false prints an empty string.
        echo json_encode($data);
    }

    mysqli_close($link);
}
echo "}";
die();
?>
```

Script is called like: http://blablabla.com/index.php?name=xxxxxx

Keywords like "iso" are not posting any results.

However, when I run it in my SQL:

```sql
SELECT * FROM `allart` WHERE `COMSCHRIJVING1` LIKE '%iso%'
```

Showing rows 0 - 24 (662 total, Query took 0.0028 seconds.)

All other keywords I try are posting results, but the one I really need is not working.

Why is this not working?

Thanks in advance

Janvier123

  • As an aside, note that LIMIT without ORDER BY is fairly meaningless – Strawberry Jun 21 '16 at 17:23
  • Another aside, you should be using prepared queries. http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – bassxzero Jun 21 '16 at 17:24
  • You are vulnerable to [sql injection attacks](http://bobby-tables.com). Enjoy having your server pwn3d. – Marc B Jun 21 '16 at 17:35
  • Have you tried printing `$_GET["name"]` to make sure it looks the same as it does in your MySQL query? Could be getting modified somewhere or have unintentional spaces. – Aroic Jun 21 '16 at 17:39
  • **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](http://bobby-tables.com/). **NEVER** put `$_POST` or `$_GET` data directly into a query, it can be very harmful if someone seeks to exploit your mistake. – tadman Jun 21 '16 at 17:52
  • Yes, I know that it's not safe, but I am the only user – Janvier123 Jun 22 '16 at 04:55
  • Yes T Martin, I've used the echo command to output the `$_GET` value and it's correct – Janvier123 Jun 22 '16 at 15:39
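The comments above recommend a prepared statement with `bind_param` instead of concatenating `$_GET["name"]` into the SQL, and an ORDER BY to make the LIMIT meaningful. The following is an added example of what that looks like for this exact query; it is not the asker's code or an accepted answer. It keeps the question's table and column names, uses placeholder credentials, and assumes the mysqlnd driver so that `get_result()` is available. It also fails loudly when `json_encode()` cannot encode the rows instead of printing an empty value, and always emits a complete JSON object:

```php
<?php
// Added example, not the asker's script: same lookup, with the keyword bound as
// a parameter so it is treated as data rather than as part of the SQL statement.
error_reporting(E_ALL);
header('Content-Type: application/json; charset=utf-8');

// Make mysqli throw on errors instead of returning false, so failures are visible.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Placeholder credentials (the question masks the real ones).
$link = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME');
// json_encode() requires valid UTF-8, so ask the server for a UTF-8 connection charset.
$link->set_charset('utf8mb4');

$response = ['results' => []];
$name = isset($_GET['name']) ? (string) $_GET['name'] : '';

if ($name !== '') {
    // The '?' placeholder is the only place user input enters the query.
    // The LIKE wildcards are part of the bound value, not of the SQL text.
    // ORDER BY makes the LIMIT deterministic, as noted in the comments.
    $stmt = $link->prepare(
        'SELECT COMSCHRIJVING1, CARTIKEL, CARTIKELGROEP, CEENHEIDVOORRAAD
           FROM allart
          WHERE COMSCHRIJVING1 LIKE ?
          ORDER BY CARTIKEL
          LIMIT 50'
    );
    $pattern = '%' . $name . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $result = $stmt->get_result(); // requires mysqlnd (assumption)

    $i = 1;
    while ($row = $result->fetch_assoc()) {
        $response['results'][] = [
            'id'      => $i++,
            'name'    => strtolower(ucfirst($row['COMSCHRIJVING1'])),
            'article' => $row['CARTIKEL'],
            'groep'   => strtolower(ucfirst($row['CARTIKELGROEP'])),
            'eenheid' => strtoupper($row['CEENHEIDVOORRAAD']),
        ];
    }
    $stmt->close();
}
$link->close();

// The original script echoes json_encode() directly; if encoding fails that prints
// nothing and leaves the client with '{"results":}'. Report the failure instead.
$json = json_encode($response);
if ($json === false) {
    http_response_code(500);
    echo json_encode(['error' => json_last_error_msg()]);
    exit;
}
echo $json;
```

Because the whole response is assembled in `$response` before anything is printed, an empty `name`, a query with no matches, and an encoding failure each still produce a syntactically valid JSON document that the Android client can parse. Note that `%` and `_` inside the submitted keyword still act as LIKE wildcards; binding prevents the input from changing the statement, but if those characters should match literally they need to be escaped in the value.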

0 Answers