0

The Problem

I am creating a search that allows users to see if an enumber is vegan, but no matter what enumber I search, it is simply printing the word vegan when I search for a enumber. i want it to print out what is in the 'vegan' column in the database.

Code

<?php       
    // Connecting, selecting database
    $dbconn = pg_connect("host=***** port=*****
    dbname=***** user=***** password=*****")
    or die('Could not connect: ' . pg_last_error());

    //collect
    if(isset($_POST['search'])) {
        $searchq = $_POST['search'];
        // $searchq = preg_replace("#[^0-9a-z]#i"."".$searchq);

    // Performing SQL query
    $query = "SELECT vegan FROM enumbers WHERE code LIKE '%$searchq%'";
    $ret = pg_query($dbconn, $query);
   if(!$ret){
      echo pg_last_error($dbconn);
      exit;
   } 
   $output = '';
   while($row = pg_fetch_assoc($ret)){
            $code = $row['code'];
            $name = $row['name'];
            $type = $row['type'];
            $vegan = $row['vegan'];

            $output .= '<div> '.vegan.' ';
   }
}
   pg_close($dbconn);

?>
RushFan2112
  • 325
  • 2
  • 15

1 Answers1

2

You never define a variable name vegan but want to use it ? (if there's a typo on the line $output .= '<div> '.vegan.' '; (missing a $ ?)

And you never push any data in $output after setting it. Should be more like :

$output = ''; // there you define it

while($row = pg_fetch_assoc($ret)){
        $code = $row['code'];
        $name = $row['name'];
        $type = $row['type'];
        $vegan = $row['vegan'];

        // here you concatenate data

        $output .= "<div>$code / $name / $type / $vegan</div>";
}
echo"Vegan : $output"; // do we have all data ?

$searchq is never ever controlled and sanitized in your code.

NEVER trust user's data coming from inputs !

you should really consider using PPS : Prepared Parameterized Statements. This will help Preventing SQL injection

Community
  • 1
  • 1
OldPadawan
  • 1,247
  • 3
  • 16
  • 25