
OK, so I have a search script which is sort of working, but I don't get the results I want.

When I run the query in PHP, it doesn't return anything.

$searchStr = htmlspecialchars($searchStr); 
$sql = "SELECT * FROM steamitems WHERE steamid='" . $id . "' AND name LIKE '%".$searchStr."%'";
$r_query = mysqli_query($link, $sql);

But if I run the exact same output as $sql (SELECT * FROM steamitems WHERE steamid='76561198196240283' AND name LIKE '%sawed%') in phpMyAdmin, it returns the correct result.

EDIT: I forgot to mention that I obviously print the results here:

while ($row = mysqli_fetch_array($r_query)) {
    echo $row["assetid"];
    echo $row["name"];
}
Jay Blanchard
user3187651
  • Did you verify your variables contain the value you expect them to? I bet they don't. – John Conde Apr 13 '17 at 17:02
  • 1
    You need to look into fetchAll() – coderodour Apr 13 '17 at 17:03
  • 1
    Random advice: You are using double quotes `"` for your sql var. This means you can interpolate variables instead of concatenating them. You should do this as it becomes much easier to visually parse and see what is going on, e.g. `$sql = "SELECT * FROM steamitems WHERE steamid='{$id}' AND name LIKE '%{$searchStr}%'";` – amflare Apr 13 '17 at 17:06
  • @JohnConde I did echo $sql and then copied that output and ran in phpmyadmin. The variables work. – user3187651 Apr 13 '17 at 17:08
  • Your code executes the query, but does not fetch and print out its results. – Shadow Apr 13 '17 at 17:09
  • @Shadow I do, but the result is empty so it doesn't matter to show that part of the code. – user3187651 Apr 13 '17 at 17:12
  • And how should we know that you have that code, but just decided not to include it? Please do not assume that we know something that you are not telling us! Your updated code does not have any error checking. Do you have that in your code? – Shadow Apr 13 '17 at 17:17
  • No @amflare, you shouldn't do that at all. [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Apr 13 '17 at 17:42
  • @JayBlanchard - Of course. But this is not the time or place to rewrite that code according to modern standards. The risks you mention are the same whether OP follows my advice or not. I'm speaking more in a general manner when dealing with PHP and strings and variables. – amflare Apr 13 '17 at 17:54
  • Let's not teach/propagate sloppy and dangerous coding practices @amflare. If you post an answer without prepared statements [you may want to consider this before posting](http://meta.stackoverflow.com/q/344703/). Additionally [a more valuable answer comes from showing the OP the right method](https://meta.stackoverflow.com/a/290789/1011527). – Jay Blanchard Apr 13 '17 at 17:55
  • @JayBlanchard - Interpolation is not sloppy or dangerous. – amflare Apr 13 '17 at 18:14
  • In a SQL query it absolutely is @amflare. – Jay Blanchard Apr 13 '17 at 18:15
  • @JayBlanchard - So is concatenation. Instead of trying to browbeat me for random advice, perhaps you should put that effort into educating OP. – amflare Apr 13 '17 at 18:29
  • I did - notice the links I posted in response to you about SQL Injection attacks ;) If you think I am browbeating you, you are very mistaken. You would know it if I were. – Jay Blanchard Apr 13 '17 at 18:39
  • I would say interpolation is sometimes ok for queries. It's not in this instance though. As for the actual issue here, everything you posted looks fine to me. I would make sure that `$link` is an active connection and I might even take the where out of the query just to see if it would return anything. – CptMisery Apr 13 '17 at 18:39

0 Answers
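The search from the question, rewritten as an added example (this is not the original poster's code and not an answer from the thread) the way the comments recommend: a mysqli prepared statement instead of string concatenation, with mysqli error reporting switched on so a failing query is distinguishable from an empty result set. The table and column names (steamitems, steamid, assetid, name) are taken from the question; the connection credentials and the request parameter names `id` and `q` are placeholders, and `mysqli_stmt_get_result()`/`mysqli_fetch_all()` assume the mysqlnd driver.

```php
<?php
// Added example, not code from the original question.
// Assumptions: table `steamitems` with columns steamid, assetid, name
// (as in the question); connection credentials below are placeholders.

declare(strict_types=1);

// Make mysqli throw on any error instead of returning false, so a failed
// query cannot be mistaken for "no rows matched".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$link = mysqli_connect('localhost', 'db_user', 'db_pass', 'db_name'); // placeholders
mysqli_set_charset($link, 'utf8mb4');

/**
 * Return assetid/name rows of one user's items whose name contains $term.
 * $term is treated as a literal substring: LIKE's own metacharacters are
 * escaped so a user cannot widen the search by typing % or _.
 */
function searchItems(mysqli $link, string $steamid, string $term): array
{
    // Escape LIKE metacharacters; backslash is MySQL's default LIKE escape
    // character. This is NOT injection protection (the bound parameter
    // does that); it only stops '%' and '_' from acting as wildcards.
    $escaped = strtr($term, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
    $pattern = '%' . $escaped . '%';

    // The wildcards travel inside the bound value, never in the SQL text.
    $sql  = 'SELECT assetid, name FROM steamitems WHERE steamid = ? AND name LIKE ?';
    $stmt = mysqli_prepare($link, $sql);
    mysqli_stmt_bind_param($stmt, 'ss', $steamid, $pattern);
    mysqli_stmt_execute($stmt);

    $result = mysqli_stmt_get_result($stmt);          // requires mysqlnd
    $rows   = mysqli_fetch_all($result, MYSQLI_ASSOC);
    mysqli_stmt_close($stmt);
    return $rows;
}

// Usage: raw request input goes straight to the bound parameter. Nothing is
// HTML-encoded before the query; encoding happens at output, where it belongs.
$id        = $_GET['id'] ?? '';   // placeholder parameter name
$searchStr = $_GET['q']  ?? '';   // placeholder parameter name

$rows = searchItems($link, $id, $searchStr);
if ($rows === []) {
    echo "No matches\n";
}
foreach ($rows as $row) {
    echo htmlspecialchars((string) $row['assetid'], ENT_QUOTES, 'UTF-8'), ' ',
         htmlspecialchars((string) $row['name'],    ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

Two caveats worth checking against the original script. First, `htmlspecialchars()` is an HTML output encoder, not an SQL one: applying it to the search term before the query changes the term (an `&` becomes `&amp;`, a `'` becomes `&#039;`) while the stored names are not encoded that way, so such searches silently miss; it also does nothing to stop SQL injection, which is what the bound `?` parameter is for. Second, with `MYSQLI_REPORT_STRICT` a broken connection in `$link` or a syntax error surfaces as an exception at `mysqli_prepare()`/`mysqli_stmt_execute()`, instead of `mysqli_query()` returning `false` and the `while` loop simply printing nothing.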