
I am trying to do table filtering using the following code. The table is showing with all the inputs, but when I select any name to search it is not accessible.

```php
<?php
// Filter fragments are appended to the query below; initialise them so they are
// defined (and empty) when the corresponding filter was not submitted.
$search_string = '';
$search_city = '';

// Note: mysqli_real_escape_string() is called here with only the input value;
// the mysqli version of this function expects the connection link as its first argument.
if ($_REQUEST["string"] <> '') {
    $search_string = " AND (full_name LIKE '%".mysqli_real_escape_string($_REQUEST["string"])."%' OR email LIKE '%".mysqli_real_escape_string($_REQUEST["string"])."%')";
}
if ($_REQUEST["city"] <> '') {
    $search_city = " AND city='".mysqli_real_escape_string($_REQUEST["city"])."'";
}

// Date range: both bounds, only the lower bound, only the upper bound, or no date filter at all
if ($_REQUEST["from"] <> '' and $_REQUEST["to"] <> '') {
    $sql = "SELECT * FROM ".$SETTINGS["data_table"]." WHERE from_date >= '".mysqli_real_escape_string($_REQUEST["from"])."' AND to_date <= '".mysqli_real_escape_string($_REQUEST["to"])."'".$search_string.$search_city;
} else if ($_REQUEST["from"] <> '') {
    $sql = "SELECT * FROM ".$SETTINGS["data_table"]." WHERE from_date >= '".mysqli_real_escape_string($_REQUEST["from"])."'".$search_string.$search_city;
} else if ($_REQUEST["to"] <> '') {
    $sql = "SELECT * FROM ".$SETTINGS["data_table"]." WHERE to_date <= '".mysqli_real_escape_string($_REQUEST["to"])."'".$search_string.$search_city;
} else {
    $sql = "SELECT * FROM ".$SETTINGS["data_table"]." WHERE id>0".$search_string.$search_city;
}

$sql_result = mysqli_query($connection, $sql) or die('request "Could not execute SQL query" '.$sql);
if (mysqli_num_rows($sql_result) > 0) {
    while ($row = mysqli_fetch_assoc($sql_result)) {
?>
<tr>
  <td><?php echo $row["from_date"]; ?></td>
  <td><?php echo $row["to_date"]; ?></td>
  <td><?php echo $row["full_name"]; ?></td>
  <td><?php echo $row["email"]; ?></td>
  <td><?php echo $row["city"]; ?></td>
</tr>
<?php
    }
} else {
?>
<tr><td colspan="5">No results found.</td></tr>
<?php
}
?>
</table>
```

What I want to do is: when the user selects any city from the drop-down or enters any name to search, it should be found after clicking on the filter option.

Please help me resolve this.

Sohan Sonar

1 Answer

-1

Because mysqli_real_escape_string() needs two parameters: the first one should be the link identifier and the second one is your input.

But still, note that your code is open to SQL injection; you must protect your code against SQL attacks. You can use a prepared statement.

This will help you to prevent SQL attacks: How can I prevent SQL injection in PHP?

Even mysqli_real_escape_string() is not sufficient for all cases; read this: PHP: Is mysql_real_escape_string sufficient for cleaning user input?

devpro
  • So which function do I have to use instead of mysqli_real_escape_string()? – Sohan Sonar Nov 16 '16 at 07:17
  • @SohanSonar: in your case, if you want to protect against SQL attacks then explore prepared statements; if you want to ignore that, then just read the documentation of mysqli_real_escape_string() – devpro Nov 16 '16 at 07:18
  • @SohanSonar: you need to pass `$connection` to the mysqli_real_escape_string() function as `mysqli_real_escape_string($connection, your request value)` – devpro Nov 16 '16 at 07:19
  • Thanks for the information, but for now I have to solve this filtering problem of the table, so could you please give me a solution to it? – Sohan Sonar Nov 16 '16 at 07:22
  • @SohanSonar: glad to help you Sohan, now I am removing my answer, because someone downvoted it and maybe I missed something – devpro Nov 16 '16 at 07:29
  • just because you have explained SQL injection instead of real_escape_string; just answer it for adding $connection too. – Sohan Sonar Nov 16 '16 at 07:33
  • @SohanSonar: actually `link identifier` is a connection :) well, happy to help you, tc – devpro Nov 16 '16 at 07:36
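The prepared-statement approach the answer recommends, applied to the same filter as an added example (this is not the answerer's or the asker's code). It assumes `$connection` is an open mysqli link, that `$SETTINGS["data_table"]` comes from configuration rather than from the request, and that the mysqlnd driver is available for `mysqli_stmt_get_result()`.

```php
<?php
// Added example: the table filter rebuilt so that user input is bound, never concatenated.
// Identifiers cannot be bound, so the table name is validated with a strict pattern instead.
$table = $SETTINGS["data_table"];
if (!preg_match('/^[A-Za-z0-9_]+$/', $table)) {
    die('invalid table name');
}

$where  = ['id > 0'];   // always-true anchor so every optional filter can append "AND ..."
$params = [];           // values to bind, in placeholder order
$types  = '';           // one mysqli type character per bound value ('s' = string)

// Each filter contributes a "?" placeholder; the SQL text depends only on which
// filters were submitted, never on what the user typed, so quoting is never an issue.
if (!empty($_REQUEST["from"])) {
    $where[] = 'from_date >= ?'; $params[] = $_REQUEST["from"]; $types .= 's';
}
if (!empty($_REQUEST["to"])) {
    $where[] = 'to_date <= ?';   $params[] = $_REQUEST["to"];   $types .= 's';
}
if (!empty($_REQUEST["string"])) {
    $like = '%' . $_REQUEST["string"] . '%';   // LIKE wildcards go in the value, not the SQL
    $where[] = '(full_name LIKE ? OR email LIKE ?)';
    $params[] = $like; $params[] = $like; $types .= 'ss';
}
if (!empty($_REQUEST["city"])) {
    $where[] = 'city = ?'; $params[] = $_REQUEST["city"]; $types .= 's';
}

$sql = "SELECT from_date, to_date, full_name, email, city FROM `$table` WHERE "
     . implode(' AND ', $where);

$stmt = mysqli_prepare($connection, $sql) or die('prepare failed: ' . mysqli_error($connection));
if ($params !== []) {
    mysqli_stmt_bind_param($stmt, $types, ...$params);   // argument unpacking, PHP 5.6+
}
mysqli_stmt_execute($stmt) or die('execute failed: ' . mysqli_stmt_error($stmt));
$result = mysqli_stmt_get_result($stmt);

if (mysqli_num_rows($result) === 0) {
    echo '<tr><td colspan="5">No results found.</td></tr>';
}
while ($row = mysqli_fetch_assoc($result)) {
    // Escape on output as well: a stored value containing markup must not render as HTML.
    echo '<tr>';
    foreach (['from_date', 'to_date', 'full_name', 'email', 'city'] as $col) {
        echo '<td>' . htmlspecialchars($row[$col], ENT_QUOTES, 'UTF-8') . '</td>';
    }
    echo '</tr>';
}
```

Because the placeholders are bound rather than spliced into the query string, the missing `$connection` argument that broke the original escaping calls no longer has anything to break.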