-2

This is my code. I have one database with three tables (USA, FRANCE and INDIA). When a user selects FRANCE in the dropdown, types a name in the input and clicks search, it must search for the input value in the selected dropdown table. Example 1: if a user selects USA and types Marvin, it must search for Marvin in a table named USA. Example 2: if a user selects FRANCE and types SMITH, it must search for SMITH in a table named FRANCE.

<select name="country">
<option value="USA">USA</option>
<option value="FRANCE">FRANCE</option>
<option value="INDIA">INDIA</option>
</select>
<input type='text' name='name'>
<input class="SearchButton" type="submit" name="submit" value="Search">

This is my PHP code:

<?php
$conn = mysql_connect("localhost", "root", "");
mysql_select_db("countries", $conn);
//search code
//error_reporting(0);
if($_REQUEST['submit'])
{
    $country = $_POST['country'];
    $name = $_POST['name'];
    if(empty($name))
    {
        $make = '<h4>You must type a word to search!</h4>';
    }
    else {
        $make = '<h4>No match found!</h4>';
        $sele = "SELECT * FROM '%country%' WHERE name LIKE '%$name%'";
        $result = mysql_query($sele);
        if($mak = mysql_num_rows($result) > 0){
            while($row = mysql_fetch_assoc($result)){
                echo 'you have selected '.$row['province'];
            }
        } else {
            print ($make);
        }
        mysql_free_result($result);
        mysql_close($conn);
    }
}
?> 
Max Play
    ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Aug 07 '17 at 12:48
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Aug 07 '17 at 12:49

2 Answers

0

I see you used $_POST[] so I assume your form method is "POST".

Escape your data like this:

$country = mysqli_real_escape_string($conn, $_POST['country']);
$name = mysqli_real_escape_string($conn, $_POST['name']);

Use this query:

$sele = "SELECT * FROM '".$country."' WHERE name LIKE '%".$name."%'"; 
// possibly will return more than one value since you are using a wildcard character '%'

or

$sele = "SELECT * FROM '".$country."' WHERE name = '".$name."'"; 
// this is specific and will return only one row

and this would be your echo:

echo "You have selected: ".$row['name']." of ".$country.".";

And please replace your mysql_... with mysqli_...

Jorz
  • when I replace this with `$country = $_POST['country']; $name = $_POST['name'];` with `$country = mysqli_real_escape_string($conn, $_POST['country']); $name = mysqli_real_escape_string($conn, $_POST['name']);`it says Warning: mysqli_real_escape_string() expects parameter 1 to be mysqli, resource given in – Uncle Marvin Aug 11 '17 at 15:14
  • try to remove the $conn.. so it should be like this: mysqli_real_escape_string($_POST['country']) – Jorz Aug 14 '17 at 00:10
-1

You should change this:

$sele = "SELECT * FROM '%country%' WHERE name LIKE '%$name%'";

to this:

$sele = "SELECT * FROM ".$country." WHERE name LIKE '%".$name."%'";

And prevent SQL injections using prepared statements.

nacho
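Both answers and Jay Blanchard's comments point the same way, so here is the search from the question rewritten with PDO, as an added example that is not code from the question or from either answer. It assumes the `countries` database with the three tables USA, FRANCE and INDIA from the question, each having a `name` column, and a form posted with the fields `country`, `name` and `submit` shown above. The `tableForCountry`, `escapeLike` and `searchByName` functions are names chosen for this example. The point the thread circles around is that a table name cannot be bound as a prepared-statement parameter, so the country value is mapped through a fixed allow-list instead, while the search term travels as a bound parameter:

```php
<?php
// Added example, not the asker's or answerers' code. Assumes the "countries"
// database, tables USA/FRANCE/INDIA each with a `name` column, and a POSTed
// form with fields "country", "name" and "submit" as in the question.

declare(strict_types=1);

// Identifiers (table names) cannot be bound, so the request value is only ever
// used as a key into this fixed allow-list; anything else is rejected.
const COUNTRY_TABLES = ['USA' => 'USA', 'FRANCE' => 'FRANCE', 'INDIA' => 'INDIA'];

function tableForCountry(string $country): ?string
{
    return COUNTRY_TABLES[$country] ?? null;
}

// LIKE treats % and _ as wildcards (and \ as the escape character in MySQL's
// default mode); escaping them keeps a search for "50%" or "a_b" literal.
// Backslash is replaced first so the later replacements are not re-escaped.
function escapeLike(string $value): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $value);
}

function searchByName(PDO $pdo, string $country, string $name): array
{
    $table = tableForCountry($country);
    if ($table === null) {
        throw new InvalidArgumentException('Unknown country selected');
    }
    // The identifier comes from the allow-list, never from the request, and the
    // search term is a bound parameter, so neither can alter the SQL text.
    $stmt = $pdo->prepare(sprintf('SELECT * FROM `%s` WHERE name LIKE :pattern', $table));
    $stmt->execute([':pattern' => '%' . escapeLike($name) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

if (isset($_POST['submit'])) {
    $pdo = new PDO(
        'mysql:host=localhost;dbname=countries;charset=utf8mb4',
        'root',
        '',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );
    $country = (string) ($_POST['country'] ?? '');
    $name = trim((string) ($_POST['name'] ?? ''));

    if ($name === '') {
        echo '<h4>You must type a word to search!</h4>';
    } elseif (tableForCountry($country) === null) {
        echo '<h4>Unknown country!</h4>';
    } else {
        $rows = searchByName($pdo, $country, $name);
        if ($rows === []) {
            echo '<h4>No match found!</h4>';
        }
        foreach ($rows as $row) {
            // Escape on output so stored values are not reflected as markup.
            echo 'You have selected ' . htmlspecialchars((string) $row['name'], ENT_QUOTES, 'UTF-8')
               . ' of ' . htmlspecialchars($country, ENT_QUOTES, 'UTF-8') . '<br>';
        }
    }
}
```

Two details worth noting against the answers above: `FROM 'USA'` with single quotes is a string literal in MySQL, not a table reference, which is why the original query fails regardless of escaping; and `mysqli_real_escape_string` only makes a value safe inside a quoted string literal, so it could never protect a table name, which is what the allow-list is for. The bound `:pattern` parameter is what actually closes the injection the comments describe.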