0

I've encountered a problem where my PHP code doesn't seem to work. I have looked at it over and over again and I can't figure it out. I am working on a project which requires me to allow a potential user of my product (the website) to search for an event by type, such as comedy or live band, etc. This should allow a user to view all events of the type they type in.

So far I have created this code:

<?php

//$output= NULL;

if(isset($_POST['submit'])){
    //connect db
    require_once('connect.php');
    $search = $_POST['search'];

    //query db
    $result = $mysqli->query("SELECT * FROM resit1617_events WHERE type = '$search'");

if($result->num_rows > 0){
    while($rows = $result->fetch_assoc())
    {
        $event = $rows['name'];
        $type = $rows['type'];
        $description = $rows['description'];
        $day = $rows['day'];
        $month = $rows['month'];
        $year = $rows['year'];
        $recommendations = $rows['recommendations'];
        $age = $rows['min_age'];

        $output ="Event: $event, Type: $type, Date: $day/$month/$year, Minimum Age: $age, Recommendations: $recommendations, Description: $description<br />";
        }
    }else{
        $output = "No Results";
    }
}
?>

Then I have my HTML code with PHP included to echo the output values, but the code seems to not work.

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>The Welders Arms</title>
    <link rel="stylesheet" type="text/css" href="css/main.css">
</head>
<body>
    <div id="topbar">
        <p><img src="img/logo.png" alt="logo"></p>
    </div>
    <div id="wrapper">
        <form method="POST" action="search.php">
            <label id="searchheading">Search Events in The Welders Arms</label>
            <br>
            <input type="text" placeholder="Search by type of event e.g. live band, comedy etc.." id="type" name="search">
            <input type="submit" id="searchbutton" value="Search">
            <br>
        </form>
<?php echo $output; ?>
    </div>
</body>

</html>

If anyone knows a solution to why it could not work, please let me know, as this is holding me back from continuing onward with my project.

Thank You!

PS. All of the code is in one file called search.php

przbyr96
  • You don't have an input named `submit`. `if(isset($_POST['submit'])){` will never be true, because you don't have `name="submit"` in your submit button. – Qirel Jun 26 '17 at 21:06
  • fix that ^ then the huge security hole –  Jun 26 '17 at 21:08
  • You're already using an API that supports **prepared statements** with bounded variable input; you should utilize parameterized queries with placeholders (prepared statements) to protect your database against [SQL-injection](http://stackoverflow.com/q/60174/)! Get started with [`mysqli::prepare()`](http://php.net/mysqli.prepare). – Qirel Jun 26 '17 at 21:09
  • Possible duplicate of [PHP: "Notice: Undefined variable", "Notice: Undefined index", and "Notice: Undefined offset"](https://stackoverflow.com/questions/4261133/php-notice-undefined-variable-notice-undefined-index-and-notice-undef) – Qirel Jun 26 '17 at 21:13

2 Answers

1

A simple solution would be to change your initial if:

if(isset($_POST['submit'])){

to:

if($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['search'])){

Which tests if your form was submitted with the right method and also tests if the search field exists.

You should also consider protecting yourself against mysql injection attacks with prepared statements or at the very least escaping strings manually:

$search = $mysqli->real_escape_string($_POST['search']);
Isac
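
The form check from this answer and the prepared statement suggested in the comments, combined into one handler. This is an added example, not code from the original question or answers. It assumes `connect.php` defines `$mysqli` as in the question and that the mysqlnd driver is available for `get_result()`; the `h()` helper is hypothetical and adds HTML escaping of the echoed rows, which the thread does not cover.

```php
<?php
// Added example: hardened version of the search handler from the question.
// Assumes connect.php creates $mysqli (as in the question) and mysqlnd is installed.

$output = '';  // always defined, so the later echo never sees an undefined variable

// Hypothetical helper: escape a database value before placing it in HTML.
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// is_string() also rejects array input such as search[]=x, which trim() cannot take.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && is_string($_POST['search'] ?? null)) {
    require_once 'connect.php';
    $search = trim($_POST['search']);

    // The ? placeholder keeps user input out of the SQL text entirely.
    $stmt = $mysqli->prepare(
        'SELECT name, type, description, day, month, year, recommendations, min_age
           FROM resit1617_events
          WHERE type = ?'
    );
    if ($stmt === false) {  // returned only when mysqli is not in exception mode
        error_log('prepare failed: ' . $mysqli->error);
        $output = 'Search is unavailable.';
    } else {
        $stmt->bind_param('s', $search);
        $stmt->execute();
        $result = $stmt->get_result();

        if ($result->num_rows > 0) {
            while ($row = $result->fetch_assoc()) {
                // .= appends each row; a plain = would keep only the last one.
                $output .= 'Event: ' . h($row['name'])
                    . ', Type: ' . h($row['type'])
                    . ', Date: ' . h($row['day']) . '/' . h($row['month']) . '/' . h($row['year'])
                    . ', Minimum Age: ' . h($row['min_age'])
                    . ', Recommendations: ' . h($row['recommendations'])
                    . ', Description: ' . h($row['description']) . '<br />';
            }
        } else {
            $output = 'No Results';
        }
        $stmt->close();
    }
}
?>
```
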
0

You don't have an attribute named submit like this: `name="submit"`, because in your PHP script you have set `isset($_POST['submit'])`, which catches the post you are trying to submit.

Aaron Magpantay