-4

So I'm new to SQL, PHP and HTML. I'm trying to create a search system for my database that contains a table for foods and their prices. I've searched everywhere for people who have the same problem as me but none of the solutions seem to help me.

I've searched far and wide over all the forums I could find, loads of tutorials on YouTube yet to no avail.

Main PHP code:

<!doctype html>
<html>
<head>
<meta charset = "utf-8">
<title>Lists of foods and prices! Input yours here!</title>
</head>

<body>
<h1>Insert your fav food!</h1>

<table>
<form action = "" method = "post">
<tr>
<td>Food: </td><td><input type="text" name="Food"></td></tr>
<tr>
<td>Price: </td><td><input type="integer" name="Price"></td></tr>
<tr>
<td>Supermarket: </td><td><input type="text" name="Supermarket"></td></tr>
</tr>
<tr>
<td><input type="submit" name = "submit"></td></tr>

</form>
</table>

<table>
<form action = "" method = "post">
<tr>
<td>Search: </td><td><input type="text" name="Search"></td></tr>
<tr>
<td><input type="submit" name = "Search"></td></tr>
</form>
</table>

<?php
if(isset($_POST["submit"])){
include 'dbconfig.php';
include 'New Text Document.js';
$Food = $_POST['Food'];
$Price = $_POST['Price'];
$Supermarket = $_POST['Supermarket'];

mysqli_query($conn,"INSERT INTO costsoffood VALUES('$Food', '$Price', '$Supermarket')");

}
if(isset($_POST["Search"])){
    include 'dbconfig.php';
    $search = $_POST["Search"];
    $query="SELECT * FROM costsoffood WHERE Food LIKE %$search%";
    $result=mysqli_query($conn,"SELECT * FROM costsoffood WHERE Food LIKE '%$search%'");
    if(mysqli_num_rows($result)>0){
        while($row = mysqli_fetch_array($result)){
            echo "<tr><td>". $row['food']."</td><td>". $row['price']."</td><td>".$row['supermarket']."</td></tr>";
        }
    echo "</table>";

    }
    else{
        echo "no results";
    }


}
?>

</body>
</html>

dbconfig.php

<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "dataone";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
  if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
} 

?>
Will O'Shaughnesssy
  • 26
  • 6
  • 1
    what is the problem? you do not say here what your problem actually **is** – ezra Oct 26 '19 at 14:09
  • 2
    Please read about **[SQL injection](https://en.wikipedia.org/wiki/SQL_injection)**. Instead of building queries with string concatenation, use **[prepared statements](https://secure.php.net/manual/en/pdo.prepare.php)** with **[bound parameters](https://secure.php.net/manual/en/pdostatement.bindparam.php)**. See **[this page](https://phptherightway.com/#databases)** and **[this post](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)** for some good examples. – John Conde Oct 26 '19 at 14:10
  • You're missing quotes around your string – John Conde Oct 26 '19 at 14:11
  • You need to enable error reporting. [How to get the error message in MySQLi?](https://stackoverflow.com/a/22662582/1839439) – Dharman Oct 26 '19 at 14:30

1 Answers1

0

Your second (search) form has two input fields with name="Search": one is your text input field, the other is your "submit search" button.

Change <input type="text" name="Search"> to <input type="text" name="SearchField"> and $search = $_POST["Search"]; to $search = $_POST["SearchField"]; and you should get results (given that the rest of your code works)

Edit: you're also not using $query in your mysqli_query(), that line could be removed to avoid confusion.

brombeer
  • 8,716
  • 5
  • 21
  • 27