PHP and Mysql query does not work as expected

Question

I am trying to make a web application and I would like to search in a mysql database with a php script. But my code does not work as expected. Here is my code:

$search=$_POST['search'];
$sql_cautare="SELECT * FROM carti WHERE titlu = "$search"";

I have search form..and I want to select those values that are entered in the search form. Can anyone help me?

You should use prepared statements instead of injecting user input into queries https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php — Joni, Mar 17 '19 at 17:26
There must be other errors too because it still does not work. — Szilagyi Andras, Mar 17 '19 at 17:27
Can you explain what **exactly** is not working? Is there any error message given? — Nico Haase, Mar 17 '19 at 18:26
You cannot use unescaped double-quotes in a double-quoted string. And you should not execute user input as code. — Paul Spiegel, Mar 18 '19 at 01:36

score 0 · Answer 1 · answered Mar 17 '19 at 18:35

0

Try this one

$sql_cautare = $conn->prepare("SELECT * FROM carti WHERE titlu = ?");
$sql_cautare->bind_param('s', $search);
$sql_cautare->execute();

answered Mar 17 '19 at 18:35

score -1 · Answer 2 · answered Mar 17 '19 at 17:40

-1

The following should work:

 $sql_cautare = "SELECT * FROM carti WHERE titlu = '$search'";

But you should definitly do some input sanitization before using it in SQL!

answered Mar 17 '19 at 17:40

Reto

1,305
1
18
32

1

No, nowadays, one should use prepared statements – Nico Haase Mar 17 '19 at 18:25

PHP and Mysql query does not work as expected

2 Answers2