I am new to the programming world and I am working on an app with a search feature. My problem is that the following code is not able to output the search data from the database. I am using the require_once command to plug in my database connection for this output via header.php.

Please help.

<!DOCTYPE html>
 <html lang=""> 

 <?php require_once('Include/Top.php');?>

<body>
  <?php require_once('Include/header.php'); ?>
<centre>
            <div class="searchboxsearch">
                <div class="row">
                    <div class="col-xs-12">
                       <br><br><br><br>
                        <form action="" method="get">
                        <div class="form-group">
                                <input type="text" id="username" class="form-control" name="username" placeholder="Search a Name">
                        </div>
                        <input type="submit" name="submit" class="btn btn-primary" value="Search"> 
                        </form>
                    </div>
                </div>
            </div>                 
                    <?php 
                    $i = 0;        // term counter (was used uninitialised)
                    $query = '';   // WHERE clause built up below (was used uninitialised)
                    $sname = $_GET['username'];
                    $terms = explode(" ", $sname);
                    
                    foreach ($terms as $each)
                    {
                        $i++;
                        if ($i == 1)
                            $query .= "keywords LIKE '%$each%'";
                        else 
                            $query .= "keywords LIKE '%$each%'";
                    }   
                    $query = "SELECT * FROM feedback WHERE $query";

                    $srun = mysqli_query($connection, $query);

                       if (mysqli_num_rows($srun) > 0)
                          {
                               while($row = mysqli_fetch_assoc($srun))
                               {
                                   $name = ucfirst($row['fullname']);
                                   $date = $row['date']; 
                                    $feedback = $row['feedback'];
                                     
                                    // $date is the variable set above (the original echoed an undefined $stdate
                                    // and closed an <a> that was never opened)
                                    echo "<h3> $name</h3>
                                    $feedback <br /> $date";
                                }
                           
                       }else 
                          {
                               echo " No result found";
                           }
            ?>

</centre>
<?php require_once('Include/footer.php'); ?>
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
    <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js"></script>
</body>
</html>

Thank you

K.P
  • What is the error you received? – MuthaFury Aug 16 '16 at 09:49
  • Did you connect your database in the other included files? If so, show us the code or give us the error you are getting. – Mittul Chauhan Aug 16 '16 at 09:51
  • Your code is horribly vulnerable to SQL injection. Just imagine a username like `';DROP TABLE feedback;` (note the tabs to prevent splitting by a simple space). – Franz Gleichmann Aug 16 '16 at 09:51
  • Yes, it's vulnerable. Use prepared statements or PDO. – Mittul Chauhan Aug 16 '16 at 09:52
  • PDO alone does nothing to prevent injections. Prepared statements are needed and the query needs to be parameterized. – chris85 Aug 16 '16 at 09:58
  • Hi everyone, thank you for your time in looking into my code. I know it's pretty crap but I am working to improve it. Appreciate your honesty. Also, I am not getting any errors database-wise, as I am able to output data in other sections of the page; however, only the search query is not working. Any and all suggestions are appreciated. Thanks. – K.P Aug 16 '16 at 10:29

1 Answer

Your loop is not building valid SQL: if you have more than one search term you need to add an AND or OR between the LIKE clauses, and of course a space.

$i = 0;
$query = '';
foreach ($terms as $each)
{
    $i++;
    if ($i == 1)
        $query .= "keywords LIKE '%$each%'";
    else 
        $query .= " OR keywords LIKE '%$each%'";
} 

$query = "SELECT * FROM feedback WHERE $query";
$srun = mysqli_query($connection, $query);

// in future add a test after issuing any query to the database
// and echo the error, the messages are normally self explanatory
// (mysqli_query() returns false on failure, so test the result, not the SQL string)
if ( $srun === false ) {
    echo mysqli_error($connection);        
    exit;
}

However, your script is at risk of an SQL injection attack. Have a look at what happened to Little Bobby Tables. Even if you are escaping inputs, it's not safe! Use prepared and parameterized statements.

RiggsFolly
  • Hi RiggsFolly, thank you for looking into the code. I am still not able to output the result, but I think I must have made a rookie mistake in missing OR from the query. Also, thank you for alerting me to the SQL injection attack. I am reading about it and working on preparing code for that. In the meantime, is there anything you see why my code will not produce a result from the database? My DB is connected through header.php, with $connection being the output for the database connection. Any help is appreciated. – K.P Aug 16 '16 at 10:24
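A hardened version of the search, added here as an illustration (this is not RiggsFolly's or K.P's code): it keeps the OR fix from the answer and replaces the string-built query with a mysqli prepared statement, which is the fix the comments ask for. It assumes `$connection` is the mysqli handle created in Include/header.php, that the `feedback` table has the columns used on this page (`fullname`, `date`, `feedback`, `keywords`), and that PHP 7+ with the mysqlnd driver is available (needed for `mysqli_stmt_get_result()` and `mysqli_fetch_all()`).

```php
<?php
// Added example, not from the question or the answer. Assumes $connection is
// the mysqli handle from Include/header.php and a table
// feedback(fullname, date, feedback, keywords).

// Make mysqli throw on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Search the feedback table for rows whose keywords match any of the
 * whitespace-separated terms in $search. Returns an array of rows.
 */
function searchFeedback(mysqli $connection, string $search): array
{
    // Split on any run of whitespace (space, tab, newline), not just a single
    // space, and drop empty pieces. The raw input never becomes SQL text.
    $terms = preg_split('/\s+/', trim($search), -1, PREG_SPLIT_NO_EMPTY);
    if ($terms === []) {
        return [];
    }

    // One "keywords LIKE ?" placeholder per term, joined with OR and a space.
    $clauses = implode(' OR ', array_fill(0, count($terms), 'keywords LIKE ?'));
    $sql = "SELECT fullname, date, feedback FROM feedback WHERE $clauses";

    $stmt = mysqli_prepare($connection, $sql);

    // Escape the LIKE wildcards % and _ (and the escape char itself) inside
    // each term so "50%" matches literally, then wrap in % for a substring
    // match. Binding, not this escaping, is what prevents injection.
    $params = array_map(
        function (string $t): string {
            return '%' . addcslashes($t, '%_\\') . '%';
        },
        $terms
    );
    mysqli_stmt_bind_param($stmt, str_repeat('s', count($params)), ...$params);
    mysqli_stmt_execute($stmt);

    $result = mysqli_stmt_get_result($stmt);
    $rows = mysqli_fetch_all($result, MYSQLI_ASSOC);
    mysqli_stmt_close($stmt);
    return $rows;
}

// Page usage: only query when the form was submitted, and HTML-escape the
// database values before echoing them so stored text cannot inject markup
// or script into the page (the original echoed them raw).
if (isset($_GET['username'])) {
    $rows = searchFeedback($connection, $_GET['username']);
    if ($rows === []) {
        echo 'No result found';
    }
    foreach ($rows as $row) {
        $name     = htmlspecialchars(ucfirst($row['fullname']), ENT_QUOTES, 'UTF-8');
        $feedback = htmlspecialchars($row['feedback'], ENT_QUOTES, 'UTF-8');
        $date     = htmlspecialchars($row['date'], ENT_QUOTES, 'UTF-8');
        echo "<h3>$name</h3>$feedback <br /> $date";
    }
}
```

Two design points: the input is split on any whitespace rather than a single space, so the tab trick mentioned in the comments cannot smuggle a whole payload through as one "term", but that only matters for matching, since the terms are bound as values and the SQL text is fixed before any user data is seen; and the output is escaped with `htmlspecialchars()` because a search page that echoes stored feedback is also a stored-XSS sink, which the original loop left open.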