1

I have 3 inputs: 'titlu', 'etaj' and 'descriere'. When I want, for example, to search only on 'titlu', it shows nothing, but when I type in all 3 inputs it shows results. Any suggestion to make it work with only one input, but also with all 3 inputs?

Code:

<?php
$con = mysqli_connect("localhost","rent","123");
if (!$con)
{
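    // mysqli_error() requires a link argument; after a failed connect use mysqli_connect_error()
    die('Could not connect: ' . mysqli_connect_error());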
}
mysqli_select_db($con, "rent") or die("ERROR");


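// Empty defaults so the form below can echo the values before the first submit
$titlu = $etaj = $descriere = '';
if(isset($_REQUEST['submit'])){
    $titlu=$_POST['titlu'];
    $etaj=$_POST['etaj'];
    $descriere=$_POST['descriere'];
    // The three values are concatenated into the SQL text exactly as typed
    $sql=" SELECT * FROM apartament WHERE titlu like '%".$titlu."%' OR etaj like '%".$etaj."%' OR descriere like '%".$descriere."%'";
    $q=mysqli_query($con, $sql);
}
else{
    $sql="SELECT * FROM apartament";
    $q=mysqli_query($con, $sql);
}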
?>
<form method="post">
<table width="200" border="1">
    <tr>
        <td>Titlu</td>
        <td><input type="text" name="titlu" value="<?php echo htmlspecialchars($titlu, ENT_QUOTES);?>" /></td>
        <td>Etaj</td>
        <td><input type="text" name="etaj" value="<?php echo htmlspecialchars($etaj, ENT_QUOTES);?>" /></td>
        <td><input type="text" name="descriere" value="<?php echo htmlspecialchars($descriere, ENT_QUOTES);?>" /></td>
        <td><input type="submit" name="submit" value=" Find " /></td>
    </tr>
</table>
</form>
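<table>
    <tr>
        <td>Titlu</td>
        <td>Etaj</td>
        <td>Descriere</td>
    </tr>
    <?php
    // Escape every column before writing it into the HTML
    while($res=mysqli_fetch_array($q)){
    ?>
    <tr>
        <td><?php echo htmlspecialchars($res['titlu'], ENT_QUOTES);?></td>
        <td><?php echo htmlspecialchars($res['etaj'], ENT_QUOTES);?></td>
        <td><?php echo htmlspecialchars($res['descriere'], ENT_QUOTES);?></td>
    </tr>
    <?php }?>
</table>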

Here is a DBFiddle about my question

Luca Kiebel
Snuk
  • Your code is vulnerable to [SQL injection attacks](https://en.wikipedia.org/wiki/SQL_injection). You should use prepared statements with bound parameters, via either the [mysqli](https://secure.php.net/manual/en/mysqli.prepare.php) or [PDO](https://secure.php.net/manual/en/pdo.prepared-statements.php) driver. [This post](https://stackoverflow.com/q/60174/6634591) has some good examples. – Luca Kiebel Jun 28 '18 at 19:54
  • It's for a school project, it's not something important. – Snuk Jun 28 '18 at 19:55
  • @Alec Best practices — like input validation, prepared statements, testing, coding style, and so forth — are important. Many people say they "just want it to work" and claim they will "fix it later." Though they might even be sincere, experience shows it almost *never* happens. Don't be that person! Do it right the first time! – Sammitch Jun 28 '18 at 20:16
  • 1
    Two things that will help you solve your problem. (1) Add `echo $sql` after you set the sql statement, so you can see the exact sql string that you are using. (2) Wrap your sql operations with try/catch, so you can see what errors are being returned, if any. Also, as @Luca suggested, the better, more reliable approach is to use bound parameters and it takes all of about an extra 1 minute to implement, so there really isn't any good argument for not doing it, once you've taken a couple minutes to learn how. – SeanW333 Jun 28 '18 at 20:27

2 Answers

0

Maybe like this:

    //......CUT......
    if(isset($_REQUEST['submit'])){
        // Build the WHERE clause only from the fields that were filled in
        $where_str='';
        if(isset($_POST['titlu']) AND $_POST['titlu']!=''){
            $where_str.="titlu like '%".$_POST['titlu']."%'";
        }
        if(isset($_POST['etaj']) AND $_POST['etaj']!=''){
            if($where_str!=""){$where_str.=" OR ";}
            $where_str.="etaj like '%".$_POST['etaj']."%'";
        }
        if(isset($_POST['descriere']) AND $_POST['descriere']!=''){
            if($where_str!=""){$where_str.=" OR ";}
            $where_str.="descriere like '%".$_POST['descriere']."%'";
        }

        // Add WHERE only when at least one field was filled in; a bare "WHERE" is a syntax error
        $sql=" SELECT * FROM apartament";
        if($where_str!=""){$sql.=" WHERE ".$where_str;}
        $q=mysqli_query($con, $sql);
    }
    //.......CUT.....
mscdeveloper
0

Try this:

<?php

$con = mysqli_connect("localhost","rent","123");
if (!$con)
{
    // mysqli_error() requires a link argument; after a failed connect use mysqli_connect_error()
    die('Could not connect: ' . mysqli_connect_error());
}
mysqli_select_db($con, "rent") or die("ERROR");

// A missing or empty field counts as "not searched"
$titlu = (isset($_POST['titlu']) && $_POST['titlu'] != "") ? $_POST['titlu'] : "";
$etaj = (isset($_POST['etaj']) && $_POST['etaj'] != "") ? $_POST['etaj'] : "";
$descriere = (isset($_POST['descriere']) && $_POST['descriere'] != "") ? $_POST['descriere'] : "";
// Append WHERE and the OR separators only for the fields that are set
$sql = " SELECT * FROM apartament";
$sql .= ($titlu != "" or $etaj != "" or $descriere != "") ? " WHERE " : " ";
$sql .= ($titlu != "") ? " titlu like '%".$titlu."%'" : "";
$sql .= ($titlu != "" and $etaj != "") ? " OR " : "";
$sql .= ($etaj != "") ? " etaj like '%".$etaj."%' " : "";
$sql .= (($titlu != "" or $etaj != "") and $descriere != "") ? " OR " : "";
$sql .= ($descriere != "") ? " descriere like '%".$descriere."%'" : "";
$sql .= ";";
$q=mysqli_query($con, $sql);

?>
Denis Rohlinsky
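
The comments recommend bound parameters, and both answers build the WHERE clause only from the fields that were filled in. The two combined, as an added example that is not code from any of the posts: it assumes PDO with an in-memory SQLite table of constructed rows in place of the MySQL `rent` database, and `build_search()` and `search()` are hypothetical names.

```php
<?php
// Added example (assumption: PDO + in-memory SQLite stands in for the MySQL "rent" database).
// Build "col LIKE ? OR ..." only from the fields that were actually filled in.
function build_search(array $input): array
{
    $clauses = [];
    $params  = [];
    foreach (['titlu', 'etaj', 'descriere'] as $col) {   // fixed allow-list of column names
        $value = trim((string)($input[$col] ?? ''));
        if ($value === '') {
            continue;                                     // empty field adds no condition
        }
        // Escape LIKE wildcards so the user's text is matched literally ('!' is the escape char).
        $literal   = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $value);
        $clauses[] = "$col LIKE ? ESCAPE '!'";
        $params[]  = '%' . $literal . '%';
    }
    $sql = 'SELECT titlu, etaj, descriere FROM apartament';
    if ($clauses) {
        $sql .= ' WHERE ' . implode(' OR ', $clauses);   // no filled field: no WHERE at all
    }
    return [$sql, $params];
}

function search(PDO $db, array $input): array
{
    [$sql, $params] = build_search($input);
    $stmt = $db->prepare($sql);
    $stmt->execute($params);                              // values are sent separately from the SQL text
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE apartament (titlu TEXT, etaj TEXT, descriere TEXT)');
$db->exec("INSERT INTO apartament VALUES ('Studio central', '2', 'renovat'),
           ('Apartament 3 camere', '5', 'balcon'), ('Garsoniera', '2', '100% mobilat')");

// Constructed inputs standing in for $_POST: one field, two fields, a wildcard, a quote payload, nothing.
foreach ([['titlu' => 'studio'], ['etaj' => '2', 'descriere' => 'balcon'],
          ['descriere' => '%'], ['titlu' => "x' OR '1'='1"], []] as $input) {
    $rows = search($db, $input);
    printf("%-45s => %d row(s)\n", json_encode($input), count($rows));
    foreach ($rows as $r) {                               // escape before writing into HTML
        echo '  ', htmlspecialchars(implode(' | ', $r), ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

Against MySQL only the PDO DSN and credentials change; the column names stay in the fixed list because identifiers cannot be bound as parameters.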