-3

This code I'm using works fine but when I tried to query with a where clause, it looks like it doesn't work, it still displays all the data though I put a condition already. I also tried changing the way I put the where clause, but it says "no data found in the server" so I put the code back to its original form. I also tried putting a specific where clause like "where client = 'eadept'" but it still shows all details. This is my code.

session_start();
/* Database connection start */
$servername = "localhost";
$item = "root";
$password = "";
$dbname = "sample";

$conn = mysqli_connect($servername, $item, $password, $dbname) or die("Connection failed: " . mysqli_connect_error());

/* Database connection end */


// storing  request (ie, get/post) global array to a variable  
$requestData = $_REQUEST;


$columns = array(
    // datatable column index  => database column name
    0 => 'facility',
    1 => 'title',
    2 => 'start',
    3 => 'end',
    4 => 'fee',
    5 => 'status'


);
$uname = ($_SESSION['username']);
// getting total number records without any search
$sql = "SELECT facility, title, start, end, fee, status ";
$sql .= " FROM reservation WHERE client = '$uname'";

$query = mysqli_query($conn, $sql);
$totalData = mysqli_num_rows($query);
$totalFiltered = $totalData; // when there is no search parameter then total number rows = total number filtered rows.


$sql = "SELECT facility, title, start, end, fee, status ";
$sql .= " FROM reservation WHERE 1=1";
if(!empty($requestData['search']['value'])) { // if there is a search parameter, $requestData['search']['value'] contains search parameter
    $sql .= " AND ( facility LIKE '" . $requestData['search']['value'] . "%' ";
    $sql .= " OR title LIKE '" . $requestData['search']['value'] . "%' ";
    $sql .= " OR fee LIKE '" . $requestData['search']['value'] . "%' )";

}
$query = mysqli_query($conn, $sql);
$totalFiltered = mysqli_num_rows($query); // when there is a search parameter then we have to modify total number filtered rows as per search result. 
$sql .= " ORDER BY " . $columns[$requestData['order'][0]['column']] . "   " . $requestData['order'][0]['dir'] . "  LIMIT " . $requestData['start'] . " ," . $requestData['length'] . "   ";
// $sql.="WHERE client = 'eadept'";
/* $requestData['order'][0]['column'] contains colmun index, $requestData['order'][0]['dir'] contains order such as asc/desc  */
$query = mysqli_query($conn, $sql);

$data = array();
while($row = mysqli_fetch_array($query)) { // preparing an array
    $nestedData = array();


    $nestedData[] = $row["facility"];
    $nestedData[] = $row["title"];
    $nestedData[] = $row["start"];
    $nestedData[] = $row["end"];
    $nestedData[] = $row["fee"];
    $nestedData[] = $row["status"];


    $data[] = $nestedData;
}



$json_data = array(
    "draw" => intval($requestData['draw']), // for every request/draw by clientside , they send a number as a parameter, when they recieve a response/data they first check the draw number, so we are sending same number in draw. 
    "recordsTotal" => intval($totalData), // total number of records
    "recordsFiltered" => intval($totalFiltered), // total number of records after searching, if there is no searching then totalFiltered = totalData
    "data" => $data // total data array
);

echo json_encode($json_data); // send data as json format

I'm referring to the query under the array. Can anyone please help and tell what to change so it will work?

user8540439
  • 47
  • 1
  • 9
  • 1
    What does this have to do with Java? – Don't Panic Sep 28 '17 at 14:15
  • Very hard to read. No wonder you can't figure it out. – duffymo Sep 28 '17 at 14:16
  • Oh yeah, sorry. I forgot to mention that I'm calling this code to another form. And I'm using java in there. – user8540439 Sep 28 '17 at 14:17
  • 1
    [Little Bobby](http://bobby-tables.com/) says **[you may be at risk for SQL Injection Attacks](https://stackoverflow.com/q/60174/)**. Learn about [Prepared Statements](https://en.wikipedia.org/wiki/Prepared_statement) with [parameterized queries](https://stackoverflow.com/a/4712113/5827005). I recommend `PDO`, which I [wrote a function for](http://paragoncds.com/grumpy/pdoquery/#function) to make it extremely easy, clean, and more secure than using non-parameterized queries. Also, [This article](http://php.net/manual/en/mysqlinfo.api.choosing.php) may help you choose between `MySQLi` and `PDO` – GrumpyCrouton Sep 28 '17 at 14:20
  • There are 2 queries in your code. Do you mean the first one? I'd suggest to use a direct sql console to the database or something like phpMyAdmin to test your queries and see what is going on there. Maybe it's just that all your data matches the WHERE-selection :) – lupz Sep 28 '17 at 14:24
  • I tried to put the same query on phpMyAdmin and it works. And yeah, the first one. – user8540439 Sep 28 '17 at 14:25
  • 1
    Print generated $sql variables before executing them, check if they contain expected values. Add SQL to your question if you haven't figured it out. – Naktibalda Sep 28 '17 at 14:27

1 Answers1

0

I noticed that I'm just putting the query on a wrong place. This is the right code to do the WHERE clause.

$uname = ($_SESSION['username']);
// getting total number records without any search
$sql = "SELECT facility, item, start, end, fee, status ";
$sql.=" FROM reservation";

$query=mysqli_query($conn, $sql);
$totalData = mysqli_num_rows($query);
$totalFiltered = $totalData;  // when there is no search parameter then total number rows = total number filtered rows.


$sql = "SELECT facility, item, start, end, fee, status ";
$sql.=" FROM reservation WHERE client = '$uname'";
if( !empty($requestData['search']['value']) ) {   // if there is a search parameter, $requestData['search']['value'] contains search parameter
 $sql.=" AND ( facility LIKE '".$requestData['search']['value']."%' ";    
 $sql.=" OR item LIKE '".$requestData['search']['value']."%' ";
 $sql.=" OR fee LIKE '".$requestData['search']['value']."%' )";
 // $sql.=" OR item LIKE '".$requestData['search']['value']."%' )";
 // $sql.=" OR start LIKE '".$requestData['search']['value']."%' )";
 // $sql.=" OR end LIKE '".$requestData['search']['value']."%' )";
 // $sql.=" OR fee LIKE '".$requestData['search']['value']."%' )";
 // $sql.=" OR status LIKE '".$requestData['search']['value']."%' )";
}
$query=mysqli_query($conn, $sql);
$totalFiltered = mysqli_num_rows($query); // when there is a search parameter then we have to modify total number filtered rows as per search result. 
$sql.=" ORDER BY ". $columns[$requestData['order'][0]['column']]."   ".$requestData['order'][0]['dir']."  LIMIT ".$requestData['start']." ,".$requestData['length']."   ";
// $sql.="WHERE client = 'eadept'";
/* $requestData['order'][0]['column'] contains colmun index, $requestData['order'][0]['dir'] contains order such as asc/desc  */ 
$query=mysqli_query($conn, $sql);
user8540439
  • 47
  • 1
  • 9