
I'm trying to implement a pretty simple search form on my homepage, but it does not completely work as I want it to.

It looks like the link from the form works well enough, and even the database search is working now, thanks to the latest updates.

The problem is: when the search is ready and the results are displayed (echo $output), I always see only one result, but I want all matches to be displayed.

Any suggestions?

Thanks in advance :)

Here comes the search.php file:

```php
<?php
// Show all errors while debugging.
error_reporting(E_ALL);
ini_set('display_errors', 1);

$conn = mysqli_connect("localhost", "user", "password", "table");

if (mysqli_connect_errno()) {
    echo "Failed to connect: " . mysqli_connect_error();
}

$output = '';

if (isset($_GET['query']) && $_GET['query'] !== ' ') {

    $searchquery = $_GET['query'];

    // The search term is interpolated directly into the SQL string.
    $query = mysqli_query($conn, "SELECT * FROM tbl_users WHERE username LIKE '%$searchquery%' OR email LIKE '%searchquery%'") or die(mysqli_error($conn));

    $num_rows = mysqli_num_rows($query);

    if ($num_rows == 0) {
        $output = 'No search results for <b>"' . $searchquery . '"</b>';
    } else {
        while ($row = mysqli_fetch_array($query)) {
            $id = $row['id'];
            $username = $row['username'];
            $email = $row['email'];

            $output = "<a href='profile.php?user=$id'>$username</a>";
        }
    }

} else {
    // Redirect to the start page when no search term was given.
    header("location: ./");
}

print("$output");

mysqli_close($conn);
?>
```
maxischl

1 Answer

%$query% needs to be wrapped in single quotes inside your query string, like this:

```
SELECT * FROM tbl_users WHERE username LIKE '%$query%' OR email LIKE '%$query%'
```

But right now your code is vulnerable to SQL injection. You should probably look at fixing that next. See: How can I prevent SQL injection in PHP?

Ian Drake
  • Thanks, it works a little better now. I changed the code (see edit), but therefore I have a new error message: Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result. Which is not too bad, because that means the actual search is working. And thanks for the injection hint, but first I need to get this to barely work ;) – maxischl Nov 28 '16 at 20:08
  • Looks like you just need to change `while($row = mysqli_fetch_array($searchquery)){` to use `$query` instead of `$searchquery`. – Ian Drake Nov 28 '16 at 21:12
  • Thanks man, literally found the problem a minute ago, just used a wrong variable -.- silly. Thank you for checking this through!!! Anyway, now I have another new problem -.- I want all matches to be displayed, but the results always show me only the result with the highest index... – maxischl Nov 28 '16 at 21:15
  • Instead of putting `print("$output");` towards the end where you currently have it, put `echo $output;` at the very end of the while loop, before the `}` but after this line: `$output = "$username";` – Ian Drake Nov 28 '16 at 21:25
  • Ian, you're amazing, so this is finally solved. I guess I can manage it from here :) Thanks a lot for your help Sir, I've been working on this for hours, already! – maxischl Nov 28 '16 at 21:34
  • Hmm, if I understand correctly, I think you're missing a `$` in front of `searchquery` in this part of the query: `OR email LIKE '%searchquery%'` – Ian Drake Nov 28 '16 at 21:39
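
The search from the question rewritten with a prepared statement, as an added example that is not part of the original question or answer. It takes the table, column and file names from the question, and assumes an integer `id` column, the mysqlnd driver (for `get_result()`), and `!` as an arbitrarily chosen LIKE escape character; the credentials are the question's placeholders.

```php
<?php
// Added example: tbl_users, id, username, email and profile.php come from
// the question; an integer id column is an assumption.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Return HTML links for every user whose username or email contains $term.
function search_users(mysqli $conn, string $term): string
{
    // Escape LIKE wildcards so "%" or "_" typed by the user match literally.
    // "!" is declared as the escape character in the query below.
    $pattern = '%' . preg_replace('/[!%_]/', '!$0', $term) . '%';

    // Placeholders keep the input out of the SQL text entirely.
    $stmt = $conn->prepare(
        "SELECT id, username FROM tbl_users
         WHERE username LIKE ? ESCAPE '!' OR email LIKE ? ESCAPE '!'"
    );
    $stmt->bind_param('ss', $pattern, $pattern);
    $stmt->execute();
    $result = $stmt->get_result(); // requires the mysqlnd driver

    $output = '';
    while ($row = $result->fetch_assoc()) {
        // Append (.=) so every match is kept, and HTML-escape stored values.
        $output .= sprintf(
            "<a href='profile.php?user=%d'>%s</a><br>\n",
            $row['id'],
            htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8')
        );
    }
    $stmt->close();

    if ($output === '') {
        $output = 'No search results for <b>"'
            . htmlspecialchars($term, ENT_QUOTES, 'UTF-8') . '"</b>';
    }
    return $output;
}

$term = trim($_GET['query'] ?? '');
if ($term === '') {
    header('Location: ./');
    exit;
}
$conn = new mysqli('localhost', 'user', 'password', 'table'); // placeholder credentials
$conn->set_charset('utf8mb4');
echo search_users($conn, $term);
$conn->close();
```

Because the term is bound as a parameter, a quote character in the search box is matched as data instead of ending the SQL string, and the `htmlspecialchars()` calls keep both stored usernames and the echoed search term from being interpreted as markup.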