
I'm trying to get the php code to search the database and return all the matching "park_name"s but it says that the search variable is undefined and also only returns one park from the database. This is the code I have for the search:

```php
<form method="post" action="Search_page.php" name="search" id="Search">
<label for="search">Search:</label><input type="text" name="Search" id="search" />
<input type="submit" name="submit" value="Search"/>
</form>
<?php
if (isset($_POST['search'])) {
    $search = $_POST['search'];
    // strip everything except digits and letters (the "i" modifier belongs after the closing delimiter)
    $search = preg_replace("#[^0-9a-z]#i", "", $search);
}
$sql = "SELECT Park_name, street FROM park_list WHERE park_name LIKE '%$search%'";
//query db
$result = $db->query($sql);
?>
</div>
<?php while ($row = $result->fetch_assoc()) { ?>
<div class="results">
<h2><?php echo $row['Park_name']; ?></h2><br />
<p><?php echo $row['street']; ?></p>
</div>
<?php } ?>
```
  • `Search` !== `search` – Kevin May 31 '17 at 12:38
  • Try to interrupt your string and concat. Or add {} like this: " '%{$search}%' " – Xenofexs May 31 '17 at 12:42
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard May 31 '17 at 12:48
  • Grace; I'm not sure if you saw any of the answers, but I did notice something else about your code, to which I made a new edit, and you will need to [reload my answer](https://stackoverflow.com/a/44285064/1415724) in order to see what was added. – Funk Forty Niner May 31 '17 at 12:54
  • If an answer solved your problem, consider accepting the answer. Here's how: http://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work then return here and do the same with the tick/checkmark till it turns green. This informs the community that a solution was found. Otherwise, others may think the question is still open and may want to post (more) answers. You'll earn points and others will be encouraged to help you. *Welcome to Stack!* – Jay Blanchard May 31 '17 at 16:17

3 Answers

Because, Search != search.

Error reporting told you about it too.

  • Btw, != is the logical operator for "does not equal" ;-)

Those are case-sensitive.

By the way; do yourself a favor and use a prepared statement if you want to save/keep your database.

And check for errors on the query, should it fail, using mysqli_error($db).

You're also using a name attribute here in conjunction with the POST array of the same name:

```text
<form method="post" action="Search_page.php" name="search" id="Search">
                                             ^^^^^^^^^^^^^
                                             Remove that ^
```

and rename name="Search" for the input to name="search".

That is where you thought it would pan out, which it won't. Your search is relying on the input's name attribute (and the input itself). Forms generally do not use name attributes.

  • You need to remove it.

Side note: It's usually best to use a !empty() (not empty) check for user input, instead of isset(). The latter is mostly used for radios/checkboxes/submit inputs.

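The prepared-statement rewrite this answer recommends, as an added example that is not the answerer's or the asker's code. It assumes `$db` is an open mysqli connection built on mysqlnd (needed for `get_result()`), and the `park_list` table with `park_name` and `street` columns from the question.

```php
<?php
// Added example: the same park search with a mysqli prepared statement, so the
// submitted text is bound as data and can never change the SQL that runs.
// Assumes $db is an open mysqli connection (mysqlnd) and the table from the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of failing silently

function searchParks(mysqli $db, string $term): array
{
    // The "?" placeholder is filled by the driver; the query text is fixed.
    $stmt = $db->prepare(
        "SELECT park_name, street FROM park_list WHERE park_name LIKE ?"
    );
    // Escape LIKE wildcards typed by the user ("%", "_", "\") so they match
    // literally, then add the surrounding wildcards ourselves.
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Array key must match the input's name attribute exactly (case-sensitive).
// !empty() also rejects an empty submission, which isset() would let through.
$results = [];
if (!empty($_POST['search'])) {
    $results = searchParks($db, trim($_POST['search']));
}
?>
<form method="post" action="Search_page.php" id="Search">
  <label for="search">Search:</label>
  <input type="text" name="search" id="search" />
  <input type="submit" name="submit" value="Search" />
</form>
<?php foreach ($results as $row): ?>
  <div class="results">
    <!-- escape database values before echoing them into HTML -->
    <h2><?= htmlspecialchars($row['park_name'], ENT_QUOTES, 'UTF-8') ?></h2>
    <p><?= htmlspecialchars($row['street'], ENT_QUOTES, 'UTF-8') ?></p>
  </div>
<?php endforeach; ?>
```

With `MYSQLI_REPORT_STRICT` set, a failing query raises `mysqli_sql_exception`, which replaces the manual `mysqli_error($db)` check the answer mentions.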

Form field names are case sensitive.

Change your second line to

```html
<label for="search">Search:</label><input type="text" name="search" id="search" />
```

I don't have rep to comment yet, but Park_name should be lowercase. You have inconsistent case in the SQL statement:

```php
$sql="SELECT Park_name, street FROM park_list WHERE park_name LIKE '%$search%'";
```
  • `Park_name`? That's the column name. – Rotimi May 31 '17 at 12:40
  • Column names in a query are, most of the time, not case-sensitive and will only depend on the db's collation; only in a loop will they be. – Funk Forty Niner May 31 '17 at 12:46
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard May 31 '17 at 12:47
  • Yea, I looked into it and @Fred-ii- is right. The syntax for the statement should be `SELECT FROM WHERE LIKE '%".$search."%'`. But column names are not case-sensitive. On unix/linux table and database names are. And on windows neither table, database, nor column names are case sensitive. –  May 31 '17 at 12:49
  • @JayBlanchard of course you don't want to be dynamically building queries. He should be using prepared statements as Fred -ii- suggests. But the discussion here is more centered on the inconsistent case, which makes the statement less readable and more confusing for someone trying to debug it –  May 31 '17 at 12:51
  • I get that, but let's not teach/propagate sloppy and dangerous coding practices (an ongoing battle in PHP answers on Stack). If you post an answer without prepared statements [you may want to consider this before posting](http://meta.stackoverflow.com/q/344703/). Additionally [a more valuable answer comes from showing the OP the right method](https://meta.stackoverflow.com/a/290789/1011527). – Jay Blanchard May 31 '17 at 12:52
  • I will concede that my answer would have been more apt as a comment. But as I explained in the answer, I do not yet have enough reputation to comment. Nevertheless, I do feel like my answer led to a useful dialog on the importance of consistent case, and I see nothing wrong with supplementing existing answers on the importance of PDO statements with the importance of consistent casing and clean code. –  May 31 '17 at 13:00
  • [It's not hard to earn enough rep to make comments.](http://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead) And you could improve your answer to A.) demonstrate more consistent case and 2.) show the correct concepts for administering the query. Just trying to help you construct better answers. ¯\\_(ツ)_/¯ Stack Overflow is not about useful dialog, that is not how it is set up. It *is* about useful answers. – Jay Blanchard May 31 '17 at 13:03