
I have a form that submits 2 values to the post target:

$fname=$_POST["fname"];
$lname=$_POST["lname"];

On the target page, I need to search the specified table for matches that are like $fname OR $lname. I'm kind of struggling with the concat part of it.

    # First attempt: the % wildcards sit outside the quoted string, so the query does not parse.
    # $user_info="SELECT * from player_data WHERE firstname like %'$fname'% or lastname like %'$lname'%";
    # Second attempt: compares the submitted value against the column, rather than the column against the value.
    $user_info="SELECT * from player_data where '$fname' like concat(firstname, '%') or '$lname' like concat(lastname, '%')";
    $user_data=mysqli_query($con, $user_info);
    while ($row = mysqli_fetch_array($user_data,MYSQLI_BOTH))
    {
        $getfname=$row['firstname'];
        $getlname=$row['lastname'];
        echo "$getfname $getlname<br>";
    }

That first line, the one that's commented out, was something I was trying; I figured I should try to use concat instead.

halfer
Ken Gordon
  • Please read about [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection). Instead of building queries with string concatenation, use [**prepared statements**](https://secure.php.net/manual/en/pdo.prepare.php) with [**bound parameters**](https://secure.php.net/manual/en/pdostatement.bindparam.php). See [**this page**](https://phptherightway.com/#databases) and [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) for some good examples. – Alex Howansky Jan 10 '19 at 22:21
  • You swapped the column name with your value. – Dharman Jan 10 '19 at 22:24
  • thanks. Once I get all the functionality I'm looking for, I'll dig in to that more. – Ken Gordon Jan 10 '19 at 22:25
  • Is your intent for the WHERE clause to match "Pat" to rows having "Patrick" or "Patricia" or "Happat"? – Sloan Thrasher Jan 10 '19 at 22:44
  • yes @SloanThrasher "Pat" could return Patrick or Heppat for the first name OR "son" could return Johnson or Sonny, from the last name – Ken Gordon Jan 10 '19 at 22:48

1 Answer


I actually figured it out: %$var% works fine, but if one of the two was blank it returned everything in the table. I appreciate the feedback and will definitely look into preventing SQL injection.

Ken Gordon
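The same first-name OR last-name search, written with mysqli prepared statements and skipping blank fields, as an added example that is not the asker's code. It assumes `$con` is an open mysqli connection, the `player_data` table with `firstname`/`lastname` columns from the question, and the mysqlnd driver (needed for `get_result()`).

```php
<?php
// Added example (not the asker's code). Assumes $con is an open mysqli
// connection and the player_data(firstname, lastname) table from the question.

// Wrap a user-supplied term in % wildcards, escaping the LIKE metacharacters
// so that a submitted "%" or "_" cannot widen the match. MySQL's default
// LIKE escape character is the backslash.
function likeTerm(string $value): string
{
    return '%' . addcslashes($value, '%_\\') . '%';
}

// Build the WHERE clause only from the fields that were actually filled in.
// An empty field would otherwise become LIKE '%%', which matches every row,
// which is exactly the "returns everything" behaviour the answer describes.
function buildNameSearch(string $fname, string $lname): ?array
{
    $clauses = [];
    $params  = [];
    foreach (['firstname' => $fname, 'lastname' => $lname] as $column => $value) {
        $value = trim($value);
        if ($value === '') {
            continue;
        }
        $clauses[] = "$column LIKE ?";   // column name is fixed here; the value is bound
        $params[]  = likeTerm($value);
    }
    if ($clauses === []) {
        return null;                     // nothing to search for: do not dump the table
    }
    $sql = 'SELECT firstname, lastname FROM player_data WHERE ' . implode(' OR ', $clauses);
    return [$sql, $params];
}

$search = buildNameSearch($_POST['fname'] ?? '', $_POST['lname'] ?? '');
if ($search === null) {
    echo "Enter a first or last name to search.";
    exit;
}
[$sql, $params] = $search;

// The user input never touches the SQL text; it is sent separately as bound parameters.
$stmt = $con->prepare($sql);
$stmt->bind_param(str_repeat('s', count($params)), ...$params);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // Escape on output as well, so a stored name cannot inject markup into the page.
    echo htmlspecialchars("{$row['firstname']} {$row['lastname']}"), "<br>";
}
$stmt->close();
```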