0

Posting my first question on this site.

I made a PHP webpage where the textbox will accept a search keyword and, when submitted, the row of that table will be displayed. Simple!

The catch is, right now, before search, the whole table is already displayed on my PHP page. I don't want that. I want only the result after search. The table should not be displayed before searching (the test data table has 500 rows, but the actual table will have 15,000 rows).

The page (before search):

    <?php
    if(isset($_REQUEST['submit'])){
        $name=$_POST['name'];
        $email=$_POST['email'];
        $sql=" SELECT * FROM live_table WHERE name like '%".$name."%' AND company LIKE '%".$email."%'";
        $q=mysqli_query($con, $sql);
    }
    else{
        $sql="SELECT * FROM live_table";
        $q=mysqli_query($con, $sql);
    }
    ?>
    <form method="post" class="search">

      <table width="200">
        <tr>
          <td></td>
          <td><input class="form__input" type="search" autocomplete="off" name="name" placeholder="Name" value="<?php if(isset($name)) echo $name;?>" /></td>
          <td></td>
          <td><input class="form__input" autocomplete="off" type="search" name="email" placeholder="Company Name" value="<?php if(isset($email)) echo $email;?>" /></td>
          <td><input type="submit" name="submit" value=" Find " class="button"/></td>
        </tr>
      </table>
    </form>

    <table width="70%" cellpadding="5" cellspace="5" style="margin: 3em 3em 3em 3em;">

        <tr>
            <td><strong>Salutation</strong></td>
            <td><strong>First Name</strong></td>
            <td><strong>Middle Name</strong></td>
            <td><strong>Last Name</strong></td>
        </tr>

    <?php
        while($res=mysqli_fetch_array($q)){
    ?>
        <tr>
            <td><?php echo $res['id'];?></td>
            <td><?php echo $res['name'];?></td>
            <td><?php echo $res['company'];?></td>
            <td><?php echo $res['zip'];?></td>
            <td><?php echo $res['city'];?></td>
        </tr>

    <?php } ?>
    </table>

MJH
user7403740

2 Answers

1

First, your code is vulnerable to SQL injection: NEVER use raw user input in a SQL query (or anywhere else). See How can I prevent SQL injection in PHP?

You need to remove the query in the else block

    else{
        $sql="SELECT * FROM live_table";
        $q=mysqli_query($con, $sql);
    }

Then, before printing the lines of your table, add a test to check if $q is defined

    <?php if (isset($q)) : ?>
        <?php while($res=mysqli_fetch_array($q)): ?>
            <tr>
                <td><?php echo $res['id'];?></td>
                <td><?php echo $res['name'];?></td>
                <td><?php echo $res['company'];?></td>
                <td><?php echo $res['zip'];?></td>
                <td><?php echo $res['city'];?></td>
            </tr>

        <?php endwhile; ?>
    <?php endif; ?>

Community
ᴄʀᴏᴢᴇᴛ
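
As an added example (not part of either answer or of the original post), here is the question's search rewritten with a mysqli prepared statement, which is what the SQL injection warning in the answer above calls for; it also runs no query until a search is submitted and escapes output. It assumes `$con` is the open mysqli connection from the question and that mysqlnd is available for `get_result()`; the helper names `like_contains` and `search_live_table` are hypothetical.

```php
<?php
// Added example, not code from the original post.
// Assumption: $con is the open mysqli connection used in the question.

// Escape LIKE wildcards so the user's text is matched literally ('!' is the escape char).
function like_contains(string $term): string
{
    return '%' . strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
}

// Run the search with bound parameters; returns an array of associative rows.
function search_live_table(mysqli $con, string $name, string $company): array
{
    $stmt = $con->prepare(
        "SELECT id, name, company, zip, city FROM live_table
         WHERE name LIKE ? ESCAPE '!' AND company LIKE ? ESCAPE '!'"
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    $n = like_contains($name);
    $c = like_contains($company);
    $stmt->bind_param('ss', $n, $c);   // values are sent separately from the SQL text
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);   // requires mysqlnd
    $stmt->close();
    return $rows;
}

$rows = null;                              // null means "no search yet": render no table
$name = trim($_POST['name'] ?? '');
$company = trim($_POST['email'] ?? '');    // the form's "email" field carries the company name
// Two empty terms would become LIKE '%%' and return every row, so skip the query.
if (isset($_POST['submit']) && ($name !== '' || $company !== '')) {
    $rows = search_live_table($con, $name, $company);
}
?>
<?php if ($rows !== null): ?>
<table>
<?php foreach ($rows as $res): ?>
  <tr>
<?php foreach (['id', 'name', 'company', 'zip', 'city'] as $col): ?>
    <td><?= htmlspecialchars((string) $res[$col], ENT_QUOTES, 'UTF-8') ?></td>
<?php endforeach; ?>
  </tr>
<?php endforeach; ?>
</table>
<?php endif; ?>
```
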
-1
    <?php
    // Flag: stays false when a search was submitted, set to true otherwise
    $dont_show = false;

    if(isset($_REQUEST['submit'])){
        $name=$_POST['name'];
        $email=$_POST['email'];
        $sql=" SELECT * FROM live_table WHERE name like '%".$name."%' AND company LIKE '%".$email."%'";
        $q=mysqli_query($con, $sql);
    }
    else{
        // No search yet: run no query and hide the results table
        $dont_show = true;
    }
    ?>
    <form method="post" class="search">

      <table width="200">
        <tr>
          <td></td>
          <td><input class="form__input" type="search" autocomplete="off" name="name" placeholder="Name" value="<?php if(isset($name)) echo $name;?>" /></td>
          <td></td>
          <td><input class="form__input" autocomplete="off" type="search" name="email" placeholder="Company Name" value="<?php if(isset($email)) echo $email;?>" /></td>
          <td><input type="submit" name="submit" value=" Find " class="button"/></td>
        </tr>
      </table>
    </form>

    <?php if(!$dont_show){ ?>
    <table width="70%" cellpadding="5" cellspace="5" style="margin: 3em 3em 3em 3em;">

        <tr>
            <td><strong>Salutation</strong></td>
            <td><strong>First Name</strong></td>
            <td><strong>Middle Name</strong></td>
            <td><strong>Last Name</strong></td>
        </tr>

    <?php
        while($res=mysqli_fetch_array($q)){
    ?>
        <tr>
            <td><?php echo $res['id'];?></td>
            <td><?php echo $res['name'];?></td>
            <td><?php echo $res['company'];?></td>
            <td><?php echo $res['zip'];?></td>
            <td><?php echo $res['city'];?></td>
        </tr>

    <?php } ?>
    </table>
    <?php } ?>

Martijn Pieters
Edward Snowden