0

To clarify title, here's my code. It's not working--I'm sure it's wrong. But I don't know if I'm close or far away from the answer. I have an "Any" option that I want to reveal everything in my database as opposed to the selected option which would only reveal specific rows. I'm not sure how to display the former. Thanks!

   $Interest = $_GET['interestId'];



 $sql = "SELECT * from User WHERE (Interest1 = '$Interest' OR Interest2 = '$Interest' OR Interest3 = '$Interest' OR $Interest = 'Any Interest');";

   $result = mysqli_query($link, $sql);

   $resultCheck = mysqli_num_rows($result);

    if ($resultCheck > 0) {
        while ($row = mysqli_fetch_assoc($result)) {
            echo "<p>";
            echo Name . ": ";
            echo $row['Fname'] . " ";
            echo $row['Lname'] . "<br><br>";
            echo Interests . ": ";
            echo $row['Interest1'] . ", ";
            echo $row['Interest2'] . ", ";
            echo $row['Interest3']  . "<br><br>";
            echo Website . ": ";
            echo $row['Website']  . "<br><br>";
            echo Personal_Statement . ": <br><br>";
            echo $row['PersonalStatement'] . "<br><br>";
            echo Contact . ": ";
            echo $row['Phone']  . "<br>";
            echo $row['Email'];
            echo "</p>";
        }
    } else {
        echo "<h2>Drat!</h2> There's currently no one with the interest of $Interest!";
    }

Now it doesn't return anything for any selection.

Steven Guerrero
  • 29
  • 7

3 Answers3

0

So if $Interest is "Any" then there should be no filter at all? You can put that logic in the query. For example, consider something like this:

SELECT *
FROM User
WHERE
  (Interest1 = '$Interest' OR Interest2 = '$Interest' OR Interest3 = '$Interest')
  OR '$Interest' = 'Any'

Under this logic that last OR will match every record if the variable has the string "Any". So you're basically saying "if the record matches the input, OR if the input is Any".

Also, and this is important, your code is wide open to SQL injection. What that means is that you blindly execute any code your users send you. This answer demonstrates the logic of a solution, but there is more you need to do. Start by learning what SQL injection is here, and some quick information about how to meaningfully prevent it here.

David
  • 208,112
  • 36
  • 198
  • 279
  • Thanks for the quick response, David! To further clarify: My "any" value is named "Any Interest" so I would put this as '$Interest' = 'Any Interest'? The $result and check, etc, in the beginning of the code is also for the query at the bottom. I assume nothing needs to be changed here, yes? – Steven Guerrero May 11 '18 at 11:26
  • @StevenGuerrero: Correct, you'd put whatever hard-coded string you need. As for the rest of your comment, assuming I understand what you mean then that seems like a reasonable assumption as well. – David May 11 '18 at 11:30
  • I've implemented your suggestion, and it doesn't seem to work. I'll edit my original code to show. – Steven Guerrero May 11 '18 at 11:34
  • @StevenGuerrero: You forgot the quotes around your last `$Interest`, which is undoubtedly resulting in a syntax error from SQL. – David May 11 '18 at 11:42
  • That was it! Thank you! – Steven Guerrero May 11 '18 at 11:47
0

I suppose your form/ajax is this:

<input id="anyInterest" name="nome" type="text" />

In php you can do:

$any = $_GET['anyInterest'];
$sql = "SELECT * FROM user WHERE Interest = " +$any "OR Interest = 'Any Interest'";
$result = mysqli_query($link, $sql);
$resultCheck = mysqli_num_rows($result);

if ($resultCheck > 0) {
   //do something
}
else {
    echo "<h2>Drat!</h2> There's currently no one with the interest of $Interest!";
}

Best choice for security:

$any = $this->input->get('anyInterest');
$sql = "SELECT * FROM user WHERE Interest = " +$any "OR Interest = 'Any Interest'";
$result = mysqli_query($link, $sql);
$resultCheck = mysqli_num_rows($result);

if ($resultCheck > 0) {
   //do something   
}
else {
    echo "<h2>Drat!</h2> There's currently no one with the interest of $Interest!";
}

If this is not the right answer, could you explain the process better, your idea?

Edi
  • 615
  • 5
  • 15
0

the question that you have written is not clarifying us but the went i through you code and perceived u want to fetch the data from database in four situation 1. for any interest 2. interest1 3. interest2 4. interest3

to achieve desired result u would have to make some change to you submission form as well as in php code. here in am going to write both the code for html as well as php hope it would be helpful to you

<form action="action.php" method="GET">
<select type="text" name="interestID"> --select interest type-- 
<option value="AnyInterest">Any Interest</option>
<option value="interest1">interest1</option>
<option value="interest2">interest2</option>
<option value="interest3">interest3</option>
</select>
<input type="submit" name="submit" value="Submit" />
</form>

// php code 

       <?php
        if(isset($_GET['submit'])){
        $interestId = $_GET['interestID'];
        // connect with database query 
        switch($interestId){
        case "AnyInterest":
        $data = mysql_query("SELECT * FROM user") or mysql_error();
        break;
        case "interest1":
        case "interest2":
        case "interest3":
$data = mysql_query("SELECT * FROM user WHERE interestId = '$interestId '") or mysql_error();
        break;
        }

$count = mysql_num_rows($data);
if($count > 0){
while ($rows = mysql_fetch_assoc($data)){
// write code here to display the content on webpage
}

        }else{
        header(Location: action.php);
        }

        ?>
suraj kumar
  • 335
  • 1
  • 5