-2

I am a newbie in PHP. I am working on a search function, but it does not work well and I could not find out why. The problem is that the $query has been sent and accepted well; however, it could not find the $query in the database even though the $query existed. I think the $sql command might be wrong somewhere, but I could not find it anyway. Thank you.

Here is my code: asset_search.php

<?php
//Search data in database
$query = $_GET['query'];
$min_length = 3;

if(strlen($query) >= $min_length)
{
    //$query = htmlspecialchars($query);
    //$query = mysql_real_escape_string($query);
    $query = strtoupper($query);
    $sql = "SELECT * FROM asset WHERE ('asset_name' LIKE '%".$query."%')";
    $result = mysqli_query($conn, $sql);
    $row_cnt = mysqli_num_rows($result);

    $count = 0;

    if($row_cnt > 0)
    {
        echo "<table style='padding: 5px; font-size: 15px;'>";
        echo "<tr><th style='width: 30px; border: 1px solid black; text-align: center;'>No</th>";
        echo "<th style='width: 200px; border: 1px solid black; text-align: center;'>Status</th>";
        echo "<th style='width: 200px; border: 1px solid black; text-align: center;'>Asset Sub-identifier</th>";
        echo "<th style='width: 200px; border: 1px solid black; text-align: center;'>Asset Name</th>";
        echo "<th style='width: 200px; border: 1px solid black; text-align: center;'>Asset Type</th>";
        echo "<th style='width: 200px; border: 1px solid black; text-align: center;'>Brand</th>";
        echo "<th style='width: 200px; border: 1px solid black; text-align: center;'>Service Tag/ Product Tag/ Product S/N</th>";
        echo "<th style='width: 200px; border: 1px solid black; text-align: center;'>CSM Tag</th>";
        echo "<th style='width: 200px; border: 1px solid black; text-align: center;'>Action</th></tr>";

        while($row = mysqli_fetch_assoc($result))
        {
             echo "<tr><td align='center'>" . ++$count . "</td>";
             echo "<td align='center'>" . $row["asset_status"] . "</td>";
             echo "<td align='center'><a href='asset_viewfull.php?asset_id=" . $row["asset_id"] . "'><ins>" . $row["asset_subidentifier"] . "</ins></a></td>";
             echo "<td align='center'>" . $row["asset_name"] . "</td>";
             echo "<td align='center'>" . $row["asset_type"] . "</td>";
             echo "<td align='center'>" . $row["asset_brand"] . "</td>";
             echo "<td align='center'>" . $row["asset_sertag"] . "</td>";
             echo "<td align='center'>" . $row["asset_csmtag"] . "</td>";

             if($row["asset_status"] == "DISPOSE")
             {
                    echo "<td align='center'><a href='asset_delete.php?asset_id=" . $row["asset_id"] . "'>Delete</a>";
                    echo " ";
                    echo "<a href='asset_print.php?asset_id=" . $row["asset_id"] . "'>Print</a></td></tr>";
             }else
             {
                    echo "<td align='center'><a href='asset_editform.php?asset_id=" . $row["asset_id"] . "'>Edit</a>";
                    echo " ";
                    echo "<a href='asset_delete.php?asset_id=" . $row["asset_id"] . "'>Delete</a>";
                    echo " ";
                    echo "<a href='asset_disposeform.php?asset_id=" . $row["asset_id"] . "'>Dispose</a>";   
                    echo " ";
                    echo "<a href='asset_print.php?asset_id=" . $row["asset_id"] . "'>Print</a></td></tr>"; 
             }
        }

        // Close the table only when it was opened
        echo "</table>";
    }else
    {
        echo "There is no asset in the database";
    }
}
else
{
    echo "<script language='Javascript'>
            alert('Minimum length is " . $min_length . "');</script>";
}

//Close connection
mysqli_close($conn);
$count = 0;

?>

Ika
  • Could you run the query directly on the SQL console and see the result? `SELECT * FROM asset WHERE (asset_name LIKE '%your query string here%')` – Ahsan Dec 01 '16 at 01:32
  • [hello SQL injection](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Sammitch Dec 01 '16 at 01:40

2 Answers

0

Change your query to the following:

SELECT * FROM asset WHERE (`asset_name` LIKE '%".$query."%')

Note the `` around asset_name instead of ''

Ahsan
0

You should try this without the brackets; sometimes it throws out the search:

$sql = "SELECT * FROM asset WHERE `asset_name` LIKE '%{$query}%'";

This is how I perform this task, and it has never failed me yet!

MasterT
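Added example (not code from the question or either answer): it compares the quoted-literal predicate from the question with a bare column name whose search term is passed as a bound parameter, which also addresses the injection pointed out in the comments. It assumes PDO with an in-memory SQLite database standing in for the MySQL `asset` table; the function names, the `!` escape character, and the sample rows and inputs are constructed for illustration.

```php
<?php
// Added example. SQLite in memory stands in for the page's MySQL `asset` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE asset (asset_id INTEGER PRIMARY KEY, asset_name TEXT)");
$ins = $pdo->prepare("INSERT INTO asset (asset_name) VALUES (?)");
foreach (['DELL LATITUDE', 'HP PRINTER', '100% COTTON BAG'] as $name) {
    $ins->execute([$name]); // constructed sample rows
}

// Escape LIKE wildcards (and the escape character itself) in user input.
function like_escape(string $term): string
{
    return strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']);
}

// Quoted-literal form from the question: compares the text 'asset_name'
// with the pattern, so the result never depends on the table's data.
function search_literal(PDO $pdo, string $term): array
{
    $stmt = $pdo->prepare("SELECT asset_name FROM asset WHERE 'asset_name' LIKE ?");
    $stmt->execute(['%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Corrected form: bare column identifier, bound value, explicit ESCAPE.
function search_assets(PDO $pdo, string $term): array
{
    $stmt = $pdo->prepare(
        "SELECT asset_name FROM asset WHERE asset_name LIKE ? ESCAPE '!'"
    );
    $stmt->execute(['%' . like_escape($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a normal term, a substring of "asset_name",
// a bare wildcard, and a quote-breaking string.
foreach (['DELL', 'SET', '%', "x' OR '1'='1"] as $term) {
    printf(
        "%-14s literal=%d rows, column=%d rows\n",
        $term,
        count(search_literal($pdo, $term)),
        count(search_assets($pdo, $term))
    );
}
```

The literal form returns either no rows or every row, depending only on whether the term happens to occur in the text `asset_name`. With the question's mysqli connection the same placeholder pattern applies through `mysqli_prepare` and `mysqli_stmt_bind_param`.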