
I'm new to PHP. I'm trying to display search results based on a user query. My issue is that I'm not getting all the other similar search results (only the exact results are showing). Is it the right method I'm implementing from a security point of view? Thanks in advance.

define('HOST','localhost');
define('USER','root');
define('PASSWORD_HOST','');
define('DATABASE','test');

if(defined('HOST') && defined('USER') && defined('PASSWORD_HOST') && defined('DATABASE')){
    $conn = mysqli_connect(HOST, USER, PASSWORD_HOST, DATABASE);
    // mysqli_connect() returns false on failure; check before using $conn
    if(!$conn){
        die('connection failed: ' . mysqli_connect_error());
    }
}else{
    die('connection failed: database constants are not defined');
}

Here is the HTML

<div class="container">
    <div class="row">
        <div class="col-sm-12">
            <form action="" method="POST">
                <h4>Search By</h4>
                <input type="text" name="delName"/>

                <button type="submit" name="submit">search</button>
            </form>
        </div>
    </div>
</div>

Here is the PHP

<?php
// Escape a value before echoing it into HTML; data read back from the
// database is untrusted and may contain markup.
function h($value){
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

if(isset($_POST['submit'])){

    // Wrap the term in % wildcards so LIKE matches it anywhere in delName.
    // Note: an empty term gives "%%", which matches every row of the table.
    $delName = "%{$_POST['delName']}%";

    $stmt = $conn->prepare("SELECT id, delName, medName, contact1, contact2, address, pin, creditLimitDealer FROM dealerentrytable WHERE delName LIKE ?");

    // The search value travels as a bound parameter, never spliced into the SQL text.
    $stmt->bind_param("s", $delName);
    $stmt->execute();
    $stmt->bind_result($id, $delName, $medName, $contact1, $contact2, $address, $pin, $creditLimitDealer);

    // Open the table once, not once per row.
    echo "<table>";
    while ($stmt->fetch()) {
        echo "<tr><td>ID: " . h($id) . "</td>";
        echo "<td>delName: " . h($delName) . "</td>";
        echo "<td>medName: " . h($medName) . "</td>";
        echo "<td>contact1: " . h($contact1) . "</td>";
        echo "<td>contact2: " . h($contact2) . "</td>";
        echo "<td>address: " . h($address) . "</td>";
        echo "<td>pin: " . h($pin) . "</td>";
        echo "<td>creditLimitDealer: " . h($creditLimitDealer) . "</td></tr>";
    }
    echo "</table>";

    $stmt->close();
}
?>
phpLover
  • If you want to search for `$delName` with wildcards, you need it to be `"%".$delName."%"`, or you can concat the wildcards in SQL, with `CONCAT('%', ?, '%')` - see https://dev.mysql.com/doc/refman/5.7/en/pattern-matching.html – Qirel May 16 '17 at 17:35
  • And check out http://stackoverflow.com/questions/18527659/php-mysqli-prepared-statement-like – Qirel May 16 '17 at 17:36
  • Now it is showing the full table data...! Don't know what is wrong.. – phpLover May 16 '17 at 17:41
  • You need to explain a bit better, with examples, what exactly are the results you want? What is the content of the database? Read the manual on `LIKE` in MySQL and it might clarify what that does. – Qirel May 16 '17 at 17:48
  • OK, I will do that.. Anyway, is it the right method from a security point of view? – phpLover May 16 '17 at 17:51
  • You're using prepared statements, so you're covered against SQL-injection. – Qirel May 16 '17 at 19:40
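Building on the question's code and Qirel's comments (wildcards around the bound value, or `CONCAT('%', ?, '%')` in the SQL), here is an added example; it is not from the question or the comments. It assumes the question's `$conn` mysqli connection and `dealerentrytable` table, a mysqlnd-backed PHP build (for `get_result()`), and PHP 7.1 or later. It goes a step further than the comments: `%` and `_` typed by the user are escaped so they cannot widen the match, an empty term returns no rows instead of the whole table (the "full table data" symptom above), and every value is HTML-escaped on output. The two pure functions include a self-check that runs without a database.

```php
<?php
// Added example, not code from the question or the comments.
// Assumes the question's $conn (mysqli) and dealerentrytable.

/**
 * Turn raw user input into a LIKE pattern that matches the text literally
 * as a substring. '%' and '_' typed by the user are escaped so they cannot
 * act as wildcards; '!' is declared as the ESCAPE character in the query.
 * Returns null for an empty term, because "%%" would match every row.
 */
function buildContainsPattern(string $raw): ?string
{
    $term = trim($raw);
    if ($term === '') {
        return null;
    }
    // strtr() with an array replaces each key once, longest match first,
    // so the '!' inserted for '%' is not escaped a second time.
    $escaped = strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']);
    return '%' . $escaped . '%';
}

/**
 * Run the search with a prepared statement and return the rows.
 * The pattern is a bound parameter, sent separately from the SQL text,
 * so the user's input can never change the query structure.
 */
function searchDealers(mysqli $conn, string $raw): array
{
    $pattern = buildContainsPattern($raw);
    if ($pattern === null) {
        return [];
    }
    $sql = "SELECT id, delName, medName, contact1, contact2, address, pin, creditLimitDealer
            FROM dealerentrytable
            WHERE delName LIKE ? ESCAPE '!'";
    $stmt = $conn->prepare($sql);
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

/**
 * Render rows as one HTML table, escaping every column name and value:
 * whatever was stored in the database is untrusted when echoed into a page.
 */
function renderRows(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= '<tr>';
        foreach ($row as $column => $value) {
            $html .= '<td>' . htmlspecialchars((string) $column, ENT_QUOTES, 'UTF-8') . ': '
                   . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . '</td>';
        }
        $html .= "</tr>\n";
    }
    return $html . "</table>\n";
}

// Self-check of the database-free parts (constructed inputs):
assert(buildContainsPattern('   ') === null);
assert(buildContainsPattern('Acme') === '%Acme%');
assert(buildContainsPattern('100%_done!') === '%100!%!_done!!%');
assert(renderRows([['id' => 1, 'delName' => '<b>x</b>']]) ===
    "<table>\n<tr><td>id: 1</td><td>delName: &lt;b&gt;x&lt;/b&gt;</td></tr>\n</table>\n");

// Request handling; $conn comes from the question's connection code.
if (isset($conn) && isset($_POST['submit'])) {
    echo renderRows(searchDealers($conn, $_POST['delName'] ?? ''));
}
```

The explicit `ESCAPE '!'` clause avoids relying on MySQL's default backslash escape, which interacts with the server's SQL mode; with a declared escape character the three escaped characters are interpreted the same way on every configuration.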

0 Answers