0

I'm trying to search for values from two different tables and combine the values. I need one more search form, and a way to multiply the values. I am a beginner.

By the way, I'm not getting any value; just "No records matching your query were found." The DB is fine!

Here's my code:

    <title>Search</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

    <?php
    /* Attempt MySQL server connection. Assuming you are running MySQL
    server with default setting (user 'root' with no password) */
    $link = mysqli_connect("localhost", "root", "", "mysql");

    // Check connection
    if($link === false){
        die("ERROR: Could not connect. " . mysqli_connect_error());
    }

    $search1 = @$_GET['Valorm2'];
    $search2 = @$_GET['M2'];

    $sql = "SELECT * FROM porteval, squarefeet WHERE Freguesia = '$search1' AND M2 = '$search2'";
    if($result = mysqli_query($link, $sql)){
        if(mysqli_num_rows($result) > 0){
            echo "<table>";
                echo "<tr>";
                    echo "<th>ADVISED VALUE </th>";
                echo "</tr>";
            while($row = mysqli_fetch_array($result)){
                echo "<tr>";
                    echo "<td>" . $row['Id'] . "</td>";
                    echo "<td>" . $row['Pais'] . "</td>";
                    echo "<td>" . $row['Distrito'] . "</td>";
                    echo "<td>" . $row['Freguesia'] . "</td>";
                    echo "<td>" . $row['Valorm2'] . "</td>";
                    echo "<td>" . $row['Valorm2'] * 100 . "</td>";
                echo "</tr>";
            }
            echo "</table>";
            // Free result set
            mysqli_free_result($result);
        } else{
            echo "No records matching your query were found.";
        }
    } else{
        echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
    }

    // Close connection
    mysqli_close($link);
    ?>
    </body>

    </html>
halfer
BWIS
  • 4
    Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) drivers. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Oct 31 '17 at 15:17
  • @AlexHowansky thanks, but comments only for reputation I dismiss. I'll deal with sql injection later. – BWIS Oct 31 '17 at 15:20
  • 4
    A) Comments don't earn reputation. B) You said you're a noob. I comment to help you avoid learning bad habits, and to lessen the possibility of future users from basing their own work off this code. C) "I'll fix it later" never happens. It's significantly less work to do it correctly the first time. D) Insulting people trying to help you will tend to yield poor results. – Alex Howansky Oct 31 '17 at 15:30
  • 1
    1- Echo the `$_GET['Valorm2']` and `$_GET['M2']` to make sure they are loaded with the values you expect. 2- Make sure you have the data you expect in your database (run the same SQL statement from any other client rather than PHP, MySQL Workbench for example). And finally, reminding you about SQL injection can save your whole system later. Check this for [how to switch to prepared statements](https://stackoverflow.com/questions/45031956/switching-to-prepared-statements/45034865#45034865) – Accountant م Oct 31 '17 at 15:31
  • thanks @Accountantم – BWIS Oct 31 '17 at 15:38
  • @AlexHowansky I'm sorry, but I get frustrated with so many people talking about SQL injection on my questions but never really answering them! It's not my first rodeo. – BWIS Oct 31 '17 at 15:41
  • 1
    @BWIS: helpful comments are normal here, and responding to say you "dismiss" them appears on first glance to be rude. This in turn may earn you downvotes or mod reports, so it is best to respond in kindness (or not at all). – halfer Oct 31 '17 at 15:45
  • 1
    @BWIS Comments on your questions are not only addressed to you, but to other users as well. Using code vulnerable to SQL injection is dangerous and other users should be warned not to use it. – Modus Tollens Oct 31 '17 at 15:47
  • @BWIS you are welcome – Accountant م Oct 31 '17 at 15:54
  • 1
    @halfer thank you for your contribution also – BWIS Oct 31 '17 at 15:54
  • 1
    @ModusTollens what a nice contribution. I surpassed any doubt I've had! You're awesome – BWIS Oct 31 '17 at 15:58
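
The prepared-statement approach recommended in the comments above, applied to the question's query, as an added example that is not part of the original post or any commenter's code. It keeps the question's table, column and connection values unchanged, so it addresses only the injection issue and not the "no records" result; the helper names `find_rows` and `h` are made up for illustration, and `get_result()` assumes the mysqlnd driver.

```php
<?php
// Added example: the question's query run as a prepared statement.
// Table/column names and connection settings are copied from the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

function find_rows(mysqli $link, string $freguesia, string $m2): array
{
    // The ? placeholders keep user input out of the SQL text entirely,
    // so a quote in the input (e.g. O'Brien) is compared as plain data.
    $stmt = $link->prepare(
        "SELECT * FROM porteval, squarefeet WHERE Freguesia = ? AND M2 = ?"
    );
    $stmt->bind_param("ss", $freguesia, $m2); // both values bound as strings
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // needs mysqlnd
    $stmt->close();
    return $rows;
}

function h($value): string
{
    // Escape database values before they are written into HTML.
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Read the parameters without @-suppression; missing or array input is rejected.
$search1 = filter_input(INPUT_GET, 'Valorm2');
$search2 = filter_input(INPUT_GET, 'M2');
if (!is_string($search1) || !is_string($search2)) {
    http_response_code(400);
    exit("Both search fields are required.");
}
try {
    $link = new mysqli("localhost", "root", "", "mysql");
    $link->set_charset("utf8mb4");
    $rows = find_rows($link, $search1, $search2);
    $link->close();
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage()); // details go to the server log, not the page
    http_response_code(500);
    exit("Search failed.");
}
if (!$rows) { exit("No records matching your query were found."); }
echo "<table><tr><th>ADVISED VALUE</th></tr>";
foreach ($rows as $row) {
    echo "<tr><td>" . h($row['Freguesia']) . "</td><td>" . h($row['Valorm2'])
       . "</td><td>" . h($row['Valorm2'] * 100) . "</td></tr>";
}
echo "</table>";
```

Unlike the question's error branch, this version does not echo the SQL text or the driver error to the browser; both go to the server log instead.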

1 Answer

0

Your search query is not right. If the tables are related, then you have to use a join query. If the tables are not related to each other but the result is, then use a union query. Hope this will help.

Md Monjur Ul Hasan