I am new at this and still learning. I have a search page and want to use the input to search a mysql table and display results in a form to update the record back into the table.

Every time I try to run it I get the following in the error_log: PHP Notice: Undefined variable: password in /var/www/html/update.php on line 106, referer: http://172.20.10.161/search.php

All help would be most appreciated.

I have googled and tried various methods to get this right; I feel there is some little thing I am missing here.

Below is the code from my search.php page.

<?php

session_start();


if (!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true) {
    header("location: login.php");
    exit;
}

?>
<form action="update.php" method="post">
   <div class="form-group">
       <label>Name</label>
       <input type="text" name="name" class="form-control" value="">
   </div>
   <div class="form-group">
       <input type="submit" class="btn btn-primary" value="Search">
   </div>
</form>

Then on my page that should show the results I have the following.

update.php

top of page

<?php
session_start();

if (!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true) {
   header("location: login.php");
   exit;
}
?>

Code in page to run query

<?php

require_once "include/dbconf.php";

if(isset($_POST['Search']))
{
    $name=$_POST['name'];

    $sql = "SELECT (name, surname, email, username, password) from net_users WHERE name LIKE '%".$name."%'";
    $result  = mysqli_query($link, $sql) or die ('Something went wrong');

    while($row=mysqli_fetch_array($result))
    {
         $username  =$row['username'];
         $password  =$row['password'];
         $name      =$row['name'];
         $surname   =$row['surname'];
         $email     =$row['email'];
    }
}

mysqli_close($link);
?>
<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" method="post">
    <div class="form-group">
         <label>Name</label>
         <input type="text" name="name" class="form-control" value="<?php echo $name; ?>">
    </div>
    <div class="form-group">
         <label>Surname</label>
         <input type="text" name="surname" class="form-control" value="<?php echo $surname; ?>">
    </div>
    <div class="form-group">
         <label>Email</label>
         <input type="email" name="email" class="form-control" value="<?php echo $email; ?>">
    </div>
    <div class="form-group">
         <label>Username</label>
         <input type="text" name="username" class="form-control" value="<?php echo $username; ?>">
    </div>
    <div class="form-group">
         <label>Password</label>
         <input type="text" name="password" class="form-control" value="<?php echo $password; ?>">
    /div>
    <div class="form-group">
        <input type="update" class="btn btn-primary" value="update">
    </div>
</form>

I am hoping to pull the desired input on search $name to search the mysql db and return the results in the form on the update page to update the information back into the database.

Allan
  • Where is line 106 of `update.php` ? – Cid Jun 11 '19 at 09:18
  • The error - `PHP Notice: Undefined variable` is a warning to indicate you are attempting to output (echo) a variable which has not been defined. This usually happens in cases where conditional branches are not triggered, eg, you do not have any matching records in the database, and as such, will not have a value to display. Regardless, this notice is not your problem, can you provide a short description of what it is you are expecting, vs what you are getting? – Kami Jun 11 '19 at 09:18
  • @CID the errors in the error files reference all the variables. – Allan Jun 11 '19 at 09:48
  • @Kami I have the data in the DB for the search I am testing with. I am being redirected to the update.php page with the form but nothing is populated. – Allan Jun 11 '19 at 09:50

1 Answer

I would recommend a couple of changes to update.php.

<?php
session_start();

if (!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true) {
   // Can everyone logged in update the system.  If not, filter it as required
   header("location: login.php");
   exit;
}
?>

Given the following connection file dbconf.php using procedural MySQLi (https://www.php.net/manual/en/mysqli.quickstart.dual-interface.php):

<?php 
/* 
Database credentials.
Assuming you are running MySQL server with default setting (user 'root' with no password)
*/ 
define('DB_SERVER', 'localhost'); 
define('DB_USERNAME', 'xxxxxxxx'); 
define('DB_PASSWORD', '**********'); 
define('DB_NAME', 'users');

/* Attempt to connect to MySQL database */ 
$link = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME); 
// Check connection 
if($link === false)
{
    die("ERROR: Could not connect. " . mysqli_connect_error());
} 
?>

The search query will need to account for SQL injection (see How can I prevent SQL injection in PHP?).

<?php

require_once "include/dbconf.php";

// placeholder for the returned data
$data = array();

// Verify the search query is present
// Or handle empty
if(isset($_POST['name']))
{
    // SQL injection - https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php
    $name = $_POST['name'];

    // TODO: Verify that you need the password here
    // Generally passwords are not to be stored as plain text
    //
    // No parentheses around the column list: "SELECT (a, b, c)" is a row
    // constructor and MySQL rejects it. The ? placeholder must not be quoted
    // either: a quoted '?' is a one-character string literal, not a bound
    // parameter, so bind_param fails and get_result returns null.
    $sql = "SELECT id, name, surname, email, username, password FROM net_users WHERE name LIKE ?";

    $stmt = mysqli_prepare($link, $sql);
    if ($stmt === false)
    {
        // Log the driver error; do not echo it to the browser
        error_log('prepare failed: ' . mysqli_error($link));
        die('Search failed');
    }

    // The wildcards belong in the bound value, not in the SQL text
    $pattern = '%' . $name . '%';
    mysqli_stmt_bind_param($stmt, 's', $pattern);

    // Execute the query
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);

    while ($row = mysqli_fetch_array($result, MYSQLI_ASSOC))
    {
        // Copy the result to a local array
        // Each entry in $data will be an associative array of values
        $data[] = $row;
    }
    mysqli_stmt_close($stmt);
} else {
    // TODO : Handle this more gracefully
    die('Search query missing');
}

mysqli_close($link);

if (empty($data))
{
    // TODO: No records matched, handle gracefully
    die('No records matched');
}
?>

Once you have the data, output as needed. Note that I have also selected the id column. As all other fields are updateable, it would not be possible to identify the record if all the fields were changed. To work around this, you need a value that will always identify the record being updated. I have chosen the id column, but any other unique, non-updateable field would do.

<?php
foreach($data as $record)
{
?>
<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" method="post">
    <!-- Escape every value on output: it came from the database and may contain markup -->
    <input type="hidden" name="id" value="<?php echo (int)$record['id']; ?>" />
    <div class="form-group">
         <label>Name</label>
         <input type="text" name="name" class="form-control" value="<?php echo htmlspecialchars($record['name']); ?>">
    </div>
    <div class="form-group">
         <label>Surname</label>
         <input type="text" name="surname" class="form-control" value="<?php echo htmlspecialchars($record['surname']); ?>">
    </div>
    <div class="form-group">
         <label>Email</label>
         <input type="email" name="email" class="form-control" value="<?php echo htmlspecialchars($record['email']); ?>">
    </div>
    <div class="form-group">
         <label>Username</label>
         <input type="text" name="username" class="form-control" value="<?php echo htmlspecialchars($record['username']); ?>">
    </div>
    <div class="form-group">
         <label>Password</label>
         <input type="text" name="password" class="form-control" value="<?php echo htmlspecialchars($record['password']); ?>">
    </div>
    <div class="form-group">
        <input type="submit" class="btn btn-primary" value="update">
    </div>
</form>
<?php
}
?>
Kami
  • Hi Kami thank you for assisting me here. I have made the changes as indicated by your answer. When I test, I am getting a blank page now on update.php, and in the error.log I have the following error. PHP Fatal error: Uncaught Error: Call to a member function bind_param() on boolean in update.php:81\nStack trace:\n#0 {main}\n thrown in /update.php on line 81, referer: http://.../search.php. Which refers to the following line in update.php $stmt = $link->prepare($sql); $stmt->bind_param('s', $name); < ---- line 81 $stmt->execute(); – Allan Jun 11 '19 at 12:05
  • @AllanvanStaden I am not sure if `$link` is a database connection or not. See - https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php on how to create a MySQLi connection. For the above code to work, `$link` variable would need to be an active and open connection to the database. – Kami Jun 11 '19 at 13:40
  • @AllanvanStaden The error indicates that the `$stmt` is a boolean, ie, true/false rather than an object. Which makes me think that `$link` is not the connection I am expecting. – Kami Jun 11 '19 at 13:41
  • My dbconfig.php which I include is the following. The $link works with the insert into the db. – Allan Jun 11 '19 at 14:12
  • Apologies if I am making newbie errors here really am trying to get my head around this. – Allan Jun 11 '19 at 14:15
  • @Allan I have updated the code to reflect your procedural usage of `MySQLi`. The purpose of the code change is to use prepared statements (https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) to perform the lookup and a loop around the results output to emit all matching records. – Kami Jun 11 '19 at 14:35
  • I thank you profusely for your patience. I have updated the code as suggested. I am getting the following error when I run it. On update.php "No records matched" for a valid entry and in the log file. ---- PHP Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, null given in /update.php on line 88, referer: http://../search.php --- Would it be possible that the variable $name is not getting pulled through from the search.php page? – Allan Jun 11 '19 at 14:47
  • @Allan I do not have a PHP dev environment to test the code on at the moment. See the links above for an overview of what the code is intending to do. You need to create a prepared statement and utilise it to retrieve the data. – Kami Jun 11 '19 at 15:13
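The answer stops at displaying the matching records; the question also asks how to write the edited form back into the table. The following is an added example, not code from the question or the answer, of a separate handler (hypothetical file name `save.php`) that the answer's form could post to instead of `PHP_SELF`. It assumes `include/dbconf.php` defines `$link` as shown in the answer, that `net_users` has the `id` column the answer added plus the columns used above, and that the `password` column holds a `password_hash()` digest rather than plain text (the answer flags plain-text storage as a TODO; the hashing here is an assumption, not something the page does). Column names are fixed in the SQL and only values travel through `bind_param`, so user input cannot change the shape of the UPDATE.

```php
<?php
// save.php - added example (not from the question or answer): receives the
// update form built in the answer (hidden "id" plus the editable fields) and
// writes the record back with a prepared UPDATE keyed on the id column.
// Assumptions: dbconf.php defines $link as in the answer; net_users has the
// columns used in the answer; the password column stores a password_hash()
// digest, not plain text.
session_start();

if (!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true) {
    header("location: login.php");
    exit;
}

require_once "include/dbconf.php";

// Accept only the fields the form is allowed to change; anything else in
// $_POST is ignored, so a crafted request cannot touch other columns.
function read_update_fields(array $post): ?array
{
    $id    = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($id === false || $email === false) {
        return null;
    }
    return [
        'id'       => $id,
        'name'     => trim((string)($post['name'] ?? '')),
        'surname'  => trim((string)($post['surname'] ?? '')),
        'email'    => $email,
        'username' => trim((string)($post['username'] ?? '')),
        // An empty password field means "leave the stored hash alone"
        'password' => (string)($post['password'] ?? ''),
    ];
}

// Parameterised UPDATE by id. Two statement shapes: with or without a new
// password; in both cases every value is bound, never concatenated.
function update_user(mysqli $link, array $f): bool
{
    if ($f['password'] === '') {
        $sql  = "UPDATE net_users SET name = ?, surname = ?, email = ?, username = ? WHERE id = ?";
        $stmt = mysqli_prepare($link, $sql);
        if ($stmt === false) {
            return false;
        }
        mysqli_stmt_bind_param($stmt, 'ssssi', $f['name'], $f['surname'], $f['email'], $f['username'], $f['id']);
    } else {
        // Store a hash, never the plain password
        $hash = password_hash($f['password'], PASSWORD_DEFAULT);
        $sql  = "UPDATE net_users SET name = ?, surname = ?, email = ?, username = ?, password = ? WHERE id = ?";
        $stmt = mysqli_prepare($link, $sql);
        if ($stmt === false) {
            return false;
        }
        mysqli_stmt_bind_param($stmt, 'sssssi', $f['name'], $f['surname'], $f['email'], $f['username'], $hash, $f['id']);
    }
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

$fields = read_update_fields($_POST);
if ($fields === null) {
    http_response_code(400);
    exit('Invalid update request');
}

if (update_user($link, $fields)) {
    mysqli_close($link);
    // Redirect after POST so a browser refresh does not resubmit the update
    header("location: search.php");
    exit;
}

// Log the driver error server-side; the browser gets a generic message
error_log('net_users update failed: ' . mysqli_error($link));
mysqli_close($link);
http_response_code(500);
exit('Update failed');
```

To use it with the answer's form, point the form's `action` at this file and render the password field as `type="password"` with an empty `value`, so the stored value is never echoed back to the browser and an untouched field leaves the hash unchanged.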