1

I'm trying to make an online searchable database. I want the user to be able to search for all entries by year, so if they want a specific year, there is a search box for that. If they want to input a range of years, I put two search boxes for that, which map to the variables "startyear" and "endyear." Here is my code in my PHP file:

```php
<?php
// Request values are interpolated straight into the SQL text below (unescaped)
$year      = $_GET['year'];
$startyear = $_GET['startyear'];
$endyear   = $_GET['endyear'];
$result = mysql_query("SELECT * FROM DATABASE WHERE year(date_on_ledger) LIKE '%$year%' AND year(date_on_ledger) BETWEEN '%$startyear%' AND '%$endyear%'");
```

This doesn't work: when I try putting in a start and end year, it gives me no results. I think it's because of the AND (it's trying to find years between start and endyear that also match the normal year entry being empty). How should I go about fixing this so I can have both search options? Thanks!

Zonova
  • ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jun 20 '17 at 17:59
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jun 20 '17 at 17:59
  • What format is the `year` column? – Jay Blanchard Jun 20 '17 at 18:00
  • Try using OR instead of AND. Also, try removing the percentage from the $startyear and $endyear. – kaushik karan Jun 20 '17 at 18:04
  • I will look into PDO's, though I would like to figure out why this isn't working regardless, as it seems like a very basic idea. The year column stores everything as strings I believe. I tried removing the percent signs and using OR but that just made it output every entry in the database. – Zonova Jun 20 '17 at 18:32
  • Also, when I leave only the BETWEEN statement and take out the LIKE statement, it works fine. Similarly, having only the LIKE statement works fine. But when they're together, it doesn't work. – Zonova Jun 20 '17 at 18:41

1 Answer

0

You should use OR instead of AND.

Yedidia
  • When I do "$result = mysql_query(" SELECT * FROM DATABASE WHERE year(date_on_ledger) LIKE '%$year%' OR year(date_on_ledger) BETWEEN '%$startyear%' AND '%$endyear%' ");", it brings up every entry in the database. I think this is because it's matching everything that either contains "" or is between start and end year, and every entry contains "". – Zonova Jun 20 '17 at 18:23
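The following is an added example, not code from the asker or the answerer. It addresses both the question's problem (an empty year box turning `LIKE '%%'` plus `AND` into a query that can never be satisfied together with `BETWEEN`) and the follow-up under the answer (switching to `OR` makes `LIKE '%%'` match every row): empty boxes are dropped from the WHERE clause instead of being compared, and the remaining values are passed as bound parameters through PDO so nothing from the request is spliced into the SQL text. It assumes a table named `ledger` with a `DATE` column `date_on_ledger`, a MySQL server, and placeholder connection credentials; the table and column names are assumptions, since the question only shows `DATABASE` and `date_on_ledger`.

```php
<?php
// Added example: PDO prepared statement that supports a single-year search,
// a start/end range, or both, with user input bound as parameters.

/**
 * Build the WHERE clause and its bound values from the three search boxes.
 * Empty or non-numeric boxes are ignored, so an empty "year" box no longer
 * forces the query to match the empty string.
 * Returns [sql, params]; sql is null when no usable filter was supplied.
 */
function buildYearFilter(?string $year, ?string $startyear, ?string $endyear): array
{
    $conditions = [];
    $params = [];

    // Only a four-digit year is accepted; anything else is treated as empty.
    $isYear = fn(?string $v): bool => $v !== null && preg_match('/^\d{4}$/', $v) === 1;

    if ($isYear($year)) {
        // Exact numeric match, not LIKE '%...%' (a LIKE with an empty value
        // becomes '%%', which matches every row).
        $conditions[] = 'YEAR(date_on_ledger) = :year';
        $params[':year'] = (int) $year;
    }

    if ($isYear($startyear) && $isYear($endyear)) {
        // BETWEEN is a numeric comparison; '%' wildcards only belong in LIKE.
        $conditions[] = 'YEAR(date_on_ledger) BETWEEN :startyear AND :endyear';
        $params[':startyear'] = (int) $startyear;
        $params[':endyear'] = (int) $endyear;
    }

    if ($conditions === []) {
        return [null, []];
    }

    // With empty boxes dropped, AND is correct: if only one search mode was
    // used there is a single condition; if both were used, both must hold.
    // Table name `ledger` is an assumption (the question shows `DATABASE`).
    $sql = 'SELECT * FROM ledger WHERE ' . implode(' AND ', $conditions);
    return [$sql, $params];
}

// Placeholder DSN and credentials; replace with your own.
$pdo = new PDO(
    'mysql:host=localhost;dbname=ledgerdb;charset=utf8mb4',
    'user',
    'password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

[$sql, $params] = buildYearFilter(
    $_GET['year'] ?? null,
    $_GET['startyear'] ?? null,
    $_GET['endyear'] ?? null
);

if ($sql === null) {
    echo "Enter a year, or a start and end year.\n";
    exit;
}

$stmt = $pdo->prepare($sql);
// Bind as integers: the comparison stays numeric and the request values never
// become part of the SQL string, which is what removes the injection risk.
foreach ($params as $name => $value) {
    $stmt->bindValue($name, $value, PDO::PARAM_INT);
}
$stmt->execute();

foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    echo $row['date_on_ledger'], "\n";
}
```

Because the WHERE clause is assembled only from fixed strings chosen by the code, and every user value travels through `bindValue`, the query text is the same regardless of what is typed into the boxes; a request such as `?year=2015` produces one condition, `?startyear=2010&endyear=2015` produces the other, and leaving a box empty simply omits its condition rather than comparing against `'%%'`.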