
I saw a piece of code online that allowed me to query a database for a name, and that worked. It currently sends the name, queries it and returns the result in a styled manner. However, I want to be able to send the data for name + email. I'm still fairly new to all this so an explanation would be appreciated :) Here is the code:

HTML Form:

<form id="searchform" class="form-horizontal" role="form" method="get">
  <div class="form-group">
    <label for="name" class="col-md-3 control-label">Name</label>
    <div class="col-md-9">
      <input type="text" class="form-control" name="name" id="name" placeholder="Name">
    </div>
  </div>
  <div class="form-group">
    <label for="email" class="col-md-3 control-label">Email</label>
    <div class="col-md-9">
      <input type="text" class="form-control" name="email" placeholder="Email">
    </div>
  </div>
  <div class="form-group">
    <!-- Button -->
    <div class="col-md-offset-3 col-md-9">
      <button id="btn-search" type="submit" class="btn btn-info" value="send"><i class="fa fa-search" aria-hidden="true"></i> Search</button>
    </div>
  </div>
</form>

Script within HTML:

<script type="text/javascript">
  $(function() {
    $("#searchform").bind('submit', function() {
      var value = $('#name').val();
      $.post('scripts/searchFunction.php', {value: value}, function(data) {
        $("#show").html(data);
      });
      return false;
    });
  });
</script>

searchFunction.php

<?php
include 'connection.php';
// Value posted by the jQuery handler as {value: value}
$name = $_POST['value'];
// Note: the name is concatenated straight into the SQL text (see the comments below)
$query = 'SELECT * FROM `users` WHERE Username LIKE "%'. $name .'%"';
$result = $conn->query($query);
if ($result->num_rows > 0) {
  while ($row = $result->fetch_assoc()) {
    echo '<div class="row">';
    echo '<div class="col-md-4">';
    echo '</div>';

    echo '<div class="col-md-7 col-md-offset-1">';
    echo $row['Username'];
    echo '</div>';
    echo '</div>';
    echo '<hr class="section-spacer"/>';
  }
}
?>
  • For each value you want to search you have to add to your AJAX values here `{value:value}` and then to your query here `$query = 'SELECT * FROM `users` WHERE Username LIKE "%'. $name .'%"';` – Jay Blanchard Jan 23 '17 at 19:52
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Jan 23 '17 at 19:53
  • Can you give an example? Like {value:value1, value2} ? – Chromatic Jan 23 '17 at 19:53
  • `{name: name, id: id, etc.: etc.}` – Jay Blanchard Jan 23 '17 at 19:54
  • Yeah, this website won't go live and is just a test dummy for learning, I will get into more security aspects I'm just learning the basics with databases querying etc – Chromatic Jan 23 '17 at 19:54
  • I hate when people say *"I'm not that far along..."* or *"This site will not be public..."* or *"It's only for school, so security doesn't matter..."*. If teachers and professors are not talking about security from day one, they're doing it wrong. Challenge them. They're teaching sloppy and dangerous coding practices which students will have to unlearn later. I also hate it when folks say, *"I'll add security later..."* or *"Security isn't important now..."* or *"Ignore the security risk..."*. If you don't have time to do it right the first time, when will you find the time to add it later? – Jay Blanchard Jan 23 '17 at 19:54
  • I do agree with your point, I will be looking at security during this project. Don't mistake what I said as in "Another project I'll do it". I will look into it all. For example: During this project I had no idea how to do password_hash and password_verify, but I did some research and have started implementing it into this project. The reason why I'm overlooking it now is because I want to understand what is in front of me right now. I will look into your examples you've given me above and I do appreciate the information :) – Chromatic Jan 23 '17 at 19:57
  • Thank you Jay Blanchard, if you want to post an answer with your first comment + your example I'll verify it as the answer :) – Chromatic Jan 23 '17 at 20:00

1 Answer


For each value you want to search you have to add to your AJAX values here {value:value} for example {name: name, email: email } where each identifier has a value.

Then to your query here

// Keys match the identifiers sent from the AJAX call
$name  = $_POST['name'];
$email = $_POST['email'];
$query = 'SELECT * FROM users WHERE Username LIKE "%'. $name .'%" AND Email LIKE "%'. $email .'%"';

Since you're using the $_POST array in your PHP page you should have access to each value that you send via AJAX in that array.

Basics of jQuery AJAX

Jay Blanchard
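The answer above shows the two-value query built by string concatenation, and the comments point out that this leaves it open to SQL injection. The following is an added example, not the answer's or the question's code, of the same name + email search written with a MySQLi prepared statement; it assumes connection.php defines `$conn` as a mysqli object, that the table and column names are the ones used on this page, and that the jQuery handler posts `{name: $('#name').val(), email: $('#email').val()}`.

```php
<?php
// Added example (not from the question or answer). Assumes connection.php
// provides $conn as a mysqli connection, as in the original searchFunction.php.
include 'connection.php';

// Read both values posted by the AJAX call as {name: name, email: email}.
$name  = isset($_POST['name'])  ? (string) $_POST['name']  : '';
$email = isset($_POST['email']) ? (string) $_POST['email'] : '';

// Escape the LIKE wildcards so a user typing "%" or "_" cannot widen the match;
// MySQL's default LIKE escape character is the backslash.
function likePattern(string $term): string {
    return '%' . addcslashes($term, '%_\\') . '%';
}

// Prepared statement: the user input is sent as bound parameters and never
// becomes part of the SQL text, which removes the injection risk.
$stmt = $conn->prepare(
    'SELECT Username, Email FROM `users` WHERE Username LIKE ? AND Email LIKE ?'
);
if ($stmt === false) {
    http_response_code(500);
    exit('Query preparation failed.');
}
$namePattern  = likePattern($name);
$emailPattern = likePattern($email);
$stmt->bind_param('ss', $namePattern, $emailPattern);
$stmt->execute();
$result = $stmt->get_result();

while ($row = $result->fetch_assoc()) {
    // Encode on output so a stored value cannot inject HTML into the page
    // that $("#show").html(data) renders.
    $user = htmlspecialchars($row['Username'], ENT_QUOTES, 'UTF-8');
    $mail = htmlspecialchars($row['Email'], ENT_QUOTES, 'UTF-8');
    echo '<div class="row">';
    echo '<div class="col-md-4">' . $user . '</div>';
    echo '<div class="col-md-7 col-md-offset-1">' . $mail . '</div>';
    echo '</div>';
    echo '<hr class="section-spacer"/>';
}
$stmt->close();
```

`get_result()` requires the mysqlnd driver; on builds without it, use `bind_result()` and `fetch()` instead.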