-1

I'm using 000webhost for my php server and phpmyadmin for my database. I'm trying to make it so when you enter a username it outputs the password. Can anyone give me suggestions? That would be great!

My html:

<!DOCTYPE html>
<html>
<body>

<form action="Login.php" method="GET">
        <input type="text" name="query" />
        <input type="submit" value="Search" />
    </form>

</body>
</html>

My php:

<?php

$host='localhost';
$user='id1783920_123456';
$pass='';
$db='id1783920_mydb';

/* $pass is the password and I know that's not the problem, I just don't want to share it */ 

$con=mysqli_connect($host,$user,$pass,$db);
if($con) {
echo 'connected successfully to id1783920_mydb database';
}

$term = $_GET['query'];

$sql = "SELECT password FROM Signup WHERE CONCAT( username) LIKE '%$term%'";
$result = $con->query($sql);

if ($result->num_rows > 0) {    
$row = $result->fetch_assoc() 
echo "password: " . $row["password"];

} else {
echo "0 results";
}
$conn->close();

?>
  • 1
    Your query isn't in any code. Of course it's not going to work. – aynber May 30 '17 at 16:07
  • Ok, I'm new to this, can you show me how to make it work? – Jean Luc Picard May 30 '17 at 16:08
  • 1
    Internet has a lot of manuals how to make it work. Use it. – u_mulder May 30 '17 at 16:09
  • **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard May 30 '17 at 16:10
  • If I used this: $term = $search_array['term']; $query = $this->db->query("SELECT password FROM Signup WHERE CONCAT( username ) LIKE '%$term%'"); How would I connect it to my html form? – Jean Luc Picard May 30 '17 at 16:13
  • Did you just change your name mid-question? Don't dump code in comments, edit your original post to add any new information. – Jay Blanchard May 30 '17 at 16:13
  • Yeah...sorry if that's confusing. – Jean Luc Picard May 30 '17 at 16:14
  • 1
    What you're asking is PHP/MySQL 101 for which there are literally thousands of tutorials and learning sites, like codecademy.com – Jay Blanchard May 30 '17 at 16:16
  • oh...sorry, I'm new to php and I find having a conversation gets me to understand much faster than looking it up, I'll try to find it out for myself, Thanks for your time. – Jean Luc Picard May 30 '17 at 16:17

2 Answers

0

You could try this.

$mysqli = new mysqli($host,$user,$pass,$db);
if ($mysqli->connect_errno) {
  //error
}
$sql = "SELECT password FROM your_table WHERE user = '$name'";
if (!$result = $mysqli->query($sql)) {
  //something didn't go right   
}
if ($result->num_rows === 0) {
  //no result
}
//you should have the password in here
$password = $result->fetch_assoc();

$result->free();
$mysqli->close();

After connecting to a database you should check if the connection was actually made and if not, what errors you get:

if ($mysqli->connect_errno) {
  var_dump($mysqli->connect_errno);
  var_dump($mysqli->connect_error);
}

You need to write the SQL somewhere, whether it's in a variable or directly in the query.

$sql = "SELECT password FROM your_table WHERE user = '$name'";

$mysqli->query($sql) - This will execute the query. If your code ends up in the if I provided, something went wrong. So again, you can set a print there to see the errors.

if (!$result = $mysqli->query($sql)) {
  // query errors are reported in errno/error, not connect_errno/connect_error
  var_dump($mysqli->errno);
  var_dump($mysqli->error);
}

Check if there are any results.

if ($result->num_rows === 0) {
     echo "No results";
}

$result->fetch_assoc(); - This will 'fetch' the result. Which you can set to a variable:

$password = $result->fetch_assoc();

Then don't forget to free the result and close the connection:

$result->free();
$mysqli->close();
Arthur
  • @Jay Blanchard , I was on mobile when I wrote the initial answer and it would have been a pain for me to actually complete the answer with explanations. – Arthur May 30 '17 at 16:43
  • It doesn't matter the platform we're posting answers from and there is no way I, or anyone else could've known what platform you were posting from. The answer is the thing and we should avoid answering without explanation. ¯\_(ツ)_/¯ – Jay Blanchard May 30 '17 at 16:57
0

Your PHP file should be as follows:

<?php

$host='localhost';
$user='id1783920_123456';
$pass='';
$db='id1783920_mydb';    

$con=mysqli_connect($host,$user,$pass,$db);
if($con) {
echo 'connected successfully to id1783920_mydb database';
}

$term = $_GET['query'];

$sql = "SELECT password FROM Signup WHERE CONCAT( username) LIKE '%$term%'";
$result = $con->query($sql);

if ($result->num_rows > 0) {    
$row = $result->fetch_assoc(); 
echo "password: " . $row["password"];

} else {
echo "0 results";
}
$con->close();

?>

Happy Coding!

Vrajesh Doshi
  • Thanks! Do I have to change anything in the html file? – Jean Luc Picard May 30 '17 at 16:28
  • No Changes are required in HTML file – Vrajesh Doshi May 30 '17 at 16:29
  • Also I got this error with this code: Parse error: syntax error, unexpected 'echo' (T_ECHO) on line 22 – Jean Luc Picard May 30 '17 at 16:29
  • Just post your code, let me see what's the problem – Vrajesh Doshi May 30 '17 at 16:30
  • Hey! I got it, I have edited the code, just replace your PHP code again. I had forgotten to give semicolon after $row = $result->fetch_assoc() – Vrajesh Doshi May 30 '17 at 16:32
  • K, I basically just copied what you gave me – Jean Luc Picard May 30 '17 at 16:33
  • You're welcome. Please do upvote if it solved your problem. – Vrajesh Doshi May 30 '17 at 16:37
  • 1
    Note that this code is totally insecure and had SQL-injection. – kopaty4 May 30 '17 at 16:38
  • That's alright. Thanks again, This is what I've used this towards, if you want to see the final product: https://matthews2531.000webhostapp.com/Complete/Login_Signup.html – Jean Luc Picard May 30 '17 at 16:57
  • Let's not teach/propagate sloppy and dangerous coding practices. If you post an answer without prepared statements [you may want to consider this before posting](http://meta.stackoverflow.com/q/344703/). Additionally [a more valuable answer comes from showing the OP the right method](https://meta.stackoverflow.com/a/290789/1011527). – Jay Blanchard May 30 '17 at 16:57
  • Why should the OP try this? A ***good answer*** will always have an explanation of what was done and why it was done in such a manner, not only for the OP but for future visitors to SO. – Jay Blanchard May 30 '17 at 16:58
  • To add to what @Anton is saying: [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard May 30 '17 at 16:59
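
The prepared-statement and password-hashing approach the comments above point to, written out as an added example that is not part of the original thread or any poster's code. It assumes a `password_hash` column in `Signup`, a form that uses `method="POST"` with fields named `username` and `password`, and placeholder connection credentials; the function names are hypothetical.

```php
<?php
// Added example, not from the original thread. Requires PHP 7.1+.
// Assumptions: Signup has a unique `username` column and a `password_hash`
// column (VARCHAR(255)) filled by password_hash() at signup; the form posts
// fields named `username` and `password`.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

function fetch_password_hash(mysqli $con, string $username): ?string
{
    // The ? placeholder keeps user input out of the SQL text, and "=" instead
    // of LIKE '%...%' means a partial name or "%" cannot match other accounts.
    $stmt = $con->prepare('SELECT password_hash FROM Signup WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);   // works without the mysqlnd driver
    $found = $stmt->fetch();     // true, or null when no row matched
    $stmt->close();
    return $found ? $hash : null;
}

function check_login(mysqli $con, string $username, string $password): bool
{
    $hash = fetch_password_hash($con, $username);
    // password_verify() compares against the stored hash; the password itself
    // is never stored, selected or echoed.
    return $hash !== null && password_verify($password, $hash);
}

function register(mysqli $con, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $con->prepare('INSERT INTO Signup (username, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
    $stmt->close();
}

// Placeholder credentials: substitute your own.
$con = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
// Same message for "no such user" and "wrong password".
echo check_login($con, $username, $password) ? 'Login OK' : 'Invalid username or password';
$con->close();
```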