0

I had a page loading data from my mysql database working and showing the data correctly, but after attempting to implement a search function there is now an error attempting to load the page.

Below is my html code I added for the search bar (this is in the file PhysicianSearch.php):

<form action="PhysicianSearch.php" method="post">
  <input type="text" placeholder="Search.." name="ValueToSearch">
  <input type="submit" name="search" value="Filter"><br><br>
</form>

below is the php code I added for the search bar (this is in the file PhysicianSearch.php):

<?php
  if(isset($_POST['search'])) {
      $valueToSearch = $_POST['valueToSearch'];
      $query = "SELECT * FROM Physician WHERE CONCAT('physicianID', 'firstName', 'lastName', 'yearNum', 'yearNum', 'position', 'isAttending', 'highRiskTrained') LIKE '%" . $valueToSearch ."%'";
      $search_result = filterTable($query);

  } else {
    $query = "select * from Physician";
    $search_result = filterTable($query);

  }

  function filterTable($query) {
    $connect = mysqli_connect("localhost", "root", "password", "dbName");
    $filter_results = mysqli_query($connect, $query);
    return $filter_results

  }
?>
Drew
  • 1,341
  • 3
  • 13
  • 18
  • Your columns need to be surrounded with backticks, not single quotes. – aynber Jan 31 '18 at 17:39
  • @aynber That's incorrect: http://php.net/manual/en/function.mysqli-connect.php – General_Twyckenham Jan 31 '18 at 17:40
  • You also have a syntax error, missing the semi-colon after `return $filter_results` – aynber Jan 31 '18 at 17:40
  • @General_Twyckenham You're looking at the connect. I'm looking at the `SELECT * FROM` line. Words/phrases surrounded by single or double quotes are treated as strings, and not as column or table names. – aynber Jan 31 '18 at 17:40
  • @aynber either way: http://php.net/manual/en/mysqli.query.php. – General_Twyckenham Jan 31 '18 at 17:41
  • @General_Twyckenham Try http://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-backticks-in-mysql – aynber Jan 31 '18 at 17:42
  • @aynber And that would matter at all if this were just SQL; however this is php using `mysqli` and furthermore, backticks are only necessary if your table name/column is using a mysql reserved word. The main issue with Drew's code is the case mismatch between the input `name` and the `$_POST` check, as I stated in my answer – General_Twyckenham Jan 31 '18 at 17:44
  • 1
    Okay, let's try this again. The OP has `CONCAT('physicianID', 'firstName', 'lastName', 'yearNum', 'yearNum', 'position', 'isAttending', 'highRiskTrained')`. If they want a string that looks like `physicianIDfirstNamelastNameyearNumyearNumpositionisAttendinghighRiskTrained`, then sure, it's fine. But if those words are actually column names, then they need to be surrounded by backticks, not single quotes. Or no quotes at all. – aynber Jan 31 '18 at 17:47
  • @aynber the missing semi-colon solved the 404 page issue, but inserting the ticks instead of the single quotes solved the issue of my search bar not functioning properly! – Drew Jan 31 '18 at 17:50
  • @aynber Fair enough - I misunderstood your initial point. Good catch – General_Twyckenham Jan 31 '18 at 18:01
  • 1
    @Drew Also please note that your code is subject to SQL injection as the value to search in unescaped. Maybe harmless in this case, but please get a strong habit to escape user input before passing it to queries like this. – ob-ivan Jan 31 '18 at 21:02
  • @ob-ivan I would worry about this, but it is for an admin site, so individuals would need proper credentials to gain access to this page in the first place – Drew Jan 31 '18 at 21:33

1 Answers1

1

Your input name is ValueToSearch where the PHP code is checking for valueToSearch

Make sure they have the same case

General_Twyckenham
  • 2,161
  • 2
  • 21
  • 36