
I am creating a search bar on my website so users can search for other users and it works but if I enter one username , all of the usernames show up. How can I only show the user I am looking for and if the user isn't registered give an else statement ?

search.php :

<?php
include("connect.php");

global $usernam; // has no effect at file scope; left as posted

$output = '';

if (isset($_POST['Search'])) {

    if (empty($_POST["searchbar"])) {
        echo "You didn't enter anything.";
    } else {

        // Reads the submit button's value, not the text field (see the comments and answer below).
        $searchq = $_POST['Search'];
        $searchq = preg_replace("#[^0-9a-z]#i", "", $searchq);

        // The (filtered) input is concatenated straight into the SQL string.
        $query = mysqli_query($conn, "SELECT * FROM users WHERE usernam LIKE '%$searchq%'") or die("Could not search");
        $count = mysqli_num_rows($query);

        if ($count == 0) {
            echo "There were no search results.";
        } else {
            while ($row = mysqli_fetch_array($query)) {
                $usernam = $row['usernam'];
                $id = $row['id'];
                $output .= '<div>' . $usernam . '</div>';
            }
        }
    }
}
?>
<html>
<head>
<title>Interpage</title>
</head>
<body>

<?php print($output); ?>
</body>
</html>
  • Don't you want `$searchq = $_POST['searchbar'];` not `$searchq = $_POST['Search'];`? – Sean Dec 19 '16 at 02:14
  • `Search` is the name of my button. `searchbar` is the name of the search bar –  Dec 19 '16 at 02:16
  • Exactly. With `$searchq = $_POST['Search'];` you are searching for `"SELECT * FROM users WHERE usernam LIKE '%$_POST['Search']%'"` (your button), but I assume you actually want to search `"SELECT * FROM users WHERE usernam LIKE '%$_POST['searchbar']%'"` (your searchbar). That is why I recommend changing to `$searchq = $_POST['Search'];` (your searchbar value) – Sean Dec 19 '16 at 02:19
  • End the confusion, just post the results of `print_r($_POST);` –  Dec 19 '16 at 02:21
  • @Sean thanks, it works. If this was an answer I would accept it for you –  Dec 19 '16 at 02:24
  • is it secure ?? –  Dec 19 '16 at 02:24
  • Great, now before you get hacked read: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 –  Dec 19 '16 at 02:24

1 Answer

Your issue is that you are currently searching the value of your button, not your search bar -

$searchq = $_POST['Search'];

You want

$searchq = $_POST['searchbar'];

In regard to your question, "is it secure??": No, it is not. This is the perfect time to read up on How can I prevent SQL injection in PHP?

At the bare minimum, you could use mysqli_real_escape_string()

$searchq = mysqli_real_escape_string($conn, $_POST['searchbar']);

but I would recommend going a step further and learning how to use prepared statements/placeholders, i.e.

$stmt = $conn->prepare("SELECT * FROM users WHERE usernam LIKE ?");
$pattern = "%" . $_POST['searchbar'] . "%"; // bind_param binds by reference, so the value must be in a variable, not an inline expression
$stmt->bind_param('s', $pattern);
$stmt->execute();
Sean
  • I did this `$searchq = mysqli_real_escape_string($conn, $_POST['searchbar']); $query = mysqli_query($conn ,"SELECT * FROM users WHERE usernam LIKE '%$searchq%'") or die("Could not search"); $count = mysqli_num_rows($query);` –  Dec 19 '16 at 02:41
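A complete rewrite of search.php around the prepared statement the answer recommends, as an added example that is not the asker's or the answerer's code. It goes a little beyond the answer by also escaping the LIKE wildcards and encoding usernames on output; it assumes connect.php sets a mysqli connection in $conn and uses the users/usernam/id names from the question.

```php
<?php
// Added example (not code from the question or answer). Assumes connect.php
// defines a mysqli connection in $conn, and the users/usernam/id names above.
include("connect.php");

function searchUsers(mysqli $conn, string $term): array
{
    // '%' and '_' are LIKE wildcards; escape them (and the escape char itself)
    // so the user's text is matched literally. '!' is declared as the escape
    // character in the SQL below. Without this, a search for "%" lists everyone.
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
    $pattern = '%' . $escaped . '%';

    // The placeholder keeps the input out of the SQL text entirely, so quotes
    // or comment sequences in $term cannot change the query's structure.
    $stmt = $conn->prepare(
        "SELECT id, usernam FROM users WHERE usernam LIKE ? ESCAPE '!'"
    );
    // bind_param takes variables by reference: pass $pattern, not an expression.
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $stmt->bind_result($id, $usernam);

    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['id' => $id, 'usernam' => $usernam];
    }
    $stmt->close();
    return $rows;
}

$output = '';
if (isset($_POST['Search'])) {
    $term = trim($_POST['searchbar'] ?? ''); // the text field, not the button
    if ($term === '') {
        $output = "You didn't enter anything.";
    } else {
        $matches = searchUsers($conn, $term);
        if ($matches === []) {
            $output = 'There were no search results.';
        } else {
            foreach ($matches as $row) {
                // Encode on output so a username containing markup is shown, not rendered.
                $output .= '<div>' . htmlspecialchars($row['usernam'], ENT_QUOTES, 'UTF-8') . '</div>';
            }
        }
    }
}
```

Print $output inside the HTML body exactly as the original page does; the rest of the markup is unchanged.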