-2

I am trying to do "search user by name button" to search the user's database, is show "Result Error" cannot get the user details. I don't know which part got problem. Please help me. Every help would be appreciated. Here is my code.

manageruser.php

<?php 
include("include/config.php");

   $name = "";
   $username = "";
   $password = "";
   $ic = "";
   $contact = "";
   $email = "";
   $nationality = "";
   $program = "";
   $firstintake = "";

   function getPosts()
   {
       $posts = array();
       $posts[0] = $_POST['name'];
       $posts[1] = $_POST['username'];
       $posts[2] = $_POST['password'];
       $posts[3] = $_POST['ic'];
       $posts[4] = $_POST['contact'];
       $posts[5] = $_POST['email'];
       $posts[6] = $_POST['nationality'];
       $posts[7] = $_POST['program'];
       $posts[8] = $_POST['firstintake'];
       return $posts;
   }

// Search
   if(isset($_POST['search']))
   {
       $data = getPosts();

       $search_Query = "SELECT * FROM user WHERE u_name = $data[0]";

       $search_Result = mysqli_query($link, $search_Query);

       if($search_Result)
       {
          if(mysqli_num_rows($search_Result))
          {
            while($row = mysqli_fetch_array($search_Result))
            {
                $name = $row['u_name'];
                $username = $row['u_unm'];
                $password = $row['u_pwd'];
                $ic = $row['u_ic'];
                $contact = $row['u_contact'];
                $email = $row['u_email'];
                $nationality = $row['u_national'];
                $program = $row['u_program'];
                $firstintake = $row['u_fintake'];
            }
          }
          else
          {
            echo "No Data For This Name";
          }
       }
       else
       {
        echo "Result Error";
       }
   }

?>

<fieldset>
<legend>Manage User</legend>
<form name="ManForm" method="post" action="manageuser.php">
<table>
    <tr>
        <td>Name:</td>
        <td><input id="name" name="name" type="text" class="input" pattern="[A-Z\s]+" 
        title="Please enter capital letters" value="<?php echo $name; ?>">
        <span>(Full name) *must capital letters</span></td>
    </tr>

    <tr>
        <td>Username:</td>
        <td><input id="username" name="username" type="text" class="input" value="<?php echo $username; ?>"></td>
    </tr>

    <tr>
        <td>Password:</td>
        <td><input id="password" name="password" type="password" class="input" value="<?php echo $password; ?>"></td>
    </tr>

    <tr>
        <td>Identity card /Passport number:</td>
        <td><input id="ic" name="ic" type="text" class="input" value="<?php echo $ic; ?>"></td>
    </tr>

    <tr>
        <td>Contact number:</td>
        <td><input id="contact" name="contact" type="text" class="input" value="<?php echo $contact; ?>"></td>
    </tr>

    <tr>
        <td>Email:</td>
        <td><input id="email" name="email" type="text" class="input" value="<?php echo $email; ?>"></td>
    </tr>

    <tr>
        <td>Nationality:</td>
        <td><input id="nationality" name="nationality" type="text" class="input" value="<?php echo $nationality; ?>"></td>
    </tr>

    <tr>
        <td>Program:</td>
        <td><input id="program" name="program" type="text" class="input" value="<?php echo $program; ?>"></td>
    </tr>

    <tr>
        <td>First intake:</td>
        <td><input id="firstintake" name="firstintake" type="text" class="input" value="<?php echo $firstintake; ?>"></td>
    </tr>
</table>

    <div>
        <input type="submit" name="search" value="  Search User By Name">
        <input type="submit" name="update" value="  Update User Details">
        <input type="submit" name="delete" value="  Delete User ">
    </div>

</form>
</fieldset>

config.php

<?php

    $link= mysqli_connect("localhost","root","","course_registration_system");

?>
Steven Chen
  • 13
  • 5
  • Clearly your query fails. That's why it enter else block of Result Error. – mehulmpt Mar 20 '17 at 12:07
  • 1
    Try `u_name = '{$data[1]}'` instead of `u_name = $data[0]`. – KIKO Software Mar 20 '17 at 12:08
  • 1
    You have no quote s around your string so your query fails. – John Conde Mar 20 '17 at 12:09
  • 2
    You don't know what's wrong because you don't check for errors in your code. Never assume the code is always going to work flawlessly. Use [`mysqli_error()`](http://php.net/manual/en/mysqli.error.php) to get a detailed error message from the database. – John Conde Mar 20 '17 at 12:09
  • you can also `echo $search_Query` to see what you get into it and then paste into your mysql fiddle. – Mittul At TechnoBrave Mar 20 '17 at 12:10
  • Please replace `echo "Result Error";` by `echo("Error: " . mysqli_error($link));` and tell us what error it gives. you most probably have a wrong column name or table name. – Lambasoft Mar 20 '17 at 12:12
  • What you are doing is really insecure, the code is vulnerable to SQL injections. You should use prepared statements instead, here is a link: https://www.w3schools.com/php/php_mysql_prepared_statements.asp – Petar Vasilev Mar 20 '17 at 12:13
  • @Lambasoft is show Error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'RONALDO DOS SANTOS AVEIRO' at line 1 – Steven Chen Mar 20 '17 at 12:18
  • $search_Query = "SELECT * FROM user WHERE u_name = '".$data[0].""; Kindly, give it a try. Thanks. – user1544541 Mar 20 '17 at 12:18
  • You could also even use PREPARED STATEMENTS, so you don't ever have to worry again about missing quotes or over typos – Borjante Mar 20 '17 at 12:22
  • @JohnConde May I ask you the reason for which you decided to re-open this question? – Your Common Sense Mar 20 '17 at 13:07
  • @YourCommonSense Because the proposed duplicate does not explain to them what is wrong with their query. It merely tells them to use prepared statements. It's good advice but doesn't tell the OP thatthey are missing quotes in their SQL statement and that's *why* it failed. – John Conde Mar 20 '17 at 13:50
  • @JohnConde but the lack of prepared statements *is* what wrong with their query, no? It is not quotes that they missing but a prepared statement – Your Common Sense Mar 20 '17 at 13:51
  • @YourCommonSense It would solve their problem but they wouldn't know *how* it did. So it would end up being a cargo cult type fix as opposed to a learning experience. If the canonical question specifically pointed out that this solves the lack of quotes problem, in addition to all the other good stuff prepared queries brings, it would have been a good question to close this as a dupe for. I know I'd add it to my list of dupes to use as we see this kind of error a lot. – John Conde Mar 20 '17 at 14:00

2 Answers2

1

The problem here is that you are running your query wrong way.
To run your query you should be using a prepared statement.

It is very important to understand that simply adding quotes around a variable is not enough and will eventually lead to innumerable problems, from syntax errors to SQL injections. On the other hand, due to the very nature of prepared statements, it's a bullet-proof solution that makes it impossible to introduce any problem through a data variable.

So, for every query you run, if at least one variable is going to be used, you have to substitute it with a placeholder, then prepare your query, and then execute it, passing variables separately.

First of all, you have to alter your query, adding placeholders in place of variables. Say your query will become like this

"SELECT * FROM user WHERE u_name = ?"

then you will have to prepare it, bind variables, and execute

So you should be doing like this

$stmt = $link->prepare("SELECT * FROM user WHERE u_name = ?");
$stmt->bind_param("s", $data[0]);
$stmt->execute();
$result = $stmt->get_result();
while($row = $result->fetch_array())
{
Dharman
  • 30,962
  • 25
  • 85
  • 135
Your Common Sense
  • 156,878
  • 40
  • 214
  • 345
-2

Use quote around your search string in query or try this instead -

$search_Query = "SELECT * FROM user WHERE u_name = '" .$data[0]."'";

Rajnesh Rajput
  • 1
  • 3
  • *Why* will this "work fine"? Code dumps do not make for good answers. You should explain how and why this solves their problem. You should read, "[How do I write a good answer?"](http://stackoverflow.com/help/how-to-answer) – John Conde Mar 20 '17 at 12:23