-1

I am trying to create a PHP search that looks through my table (users) and finds the user that matches the name they searched for and displays it on the screen. But the program won't display the user I searched up, and I don't know why. The variables all check out, and I didn't misspell anything in the code or table. My ifelse statement tells me that there is no query result, even though the user in the table and the user I searched are identical. I am using PHPMyAdmin to manage the tables and see changes (if there are any) to the table. The result I wanted was for the program to display the user and email on the page. I can't find a solution, so if you can please tell me! addnone.php

<?php
include_once 'includes/db_connect.php';
?>
<!DOCTYPE html>
<html>
<head>
<title>SCIENCE FAIR</title>
<link rel="stylesheet" href="style.css">
    <section class="container grey-text">
    <form class="white" action="addnone.php" method="POST">
    <tr>
        <label>First Name:</label>
        <td><input type="text" name="firstname" placeholder="First Name"></td></br>
    </tr>
        <div class="center">
            <td colspan="2"><input type="submit" name="submit" value="Search"></td>
        </div>
    </form>
<div class="box">
   <?php
    if (isset($_POST['submit'])) {
        $firstname = $_POST['firstname'];
        $sql = "SELECT * FROM users WHERE name = '%$firstname%'";
        $result = mysqli_query($conn, $sql);
        $queryResult = mysqli_num_rows($result);

        if ($queryResult > 0) {
            while ($row = mysqli_fetch_assoc($result)) {
                echo "<div>
                <p>".$row['name']."<p>
                <p>".$row['email']."<p>
                </div>";
            }
        } else {
            echo "No users with name $firstname!";
        }
    }
    ?>
</div>
</section>
</html>

db_connect.php

<?php

$dbServername = "localhost";
$dbUsername = "scifair";
$dbPassword = "password";
$dbName = "scifair";
// connect to database
$conn = mysqli_connect($dbServername, $dbUsername, $dbPassword, $dbName);

// check connection
if(!$conn){
    echo 'Connection error: ' . mysqli_connect_error();
}
?>
HP371
  • 860
  • 11
  • 24
stik
  • 15
  • 5
  • Can you show `addnone.php`? – Rob Moll Feb 11 '20 at 12:33
  • 2
    Change operator = for like: name like '%$firstname%'", be carefull with sql injection – sochas Feb 11 '20 at 12:35
  • 1
    This is an insecure query and could possibly expose you to SQL Injection (obligatory xkcd: https://xkcd.com/327/). Try and use prepared statements, especially for information that is out of your control – Luke Feb 11 '20 at 12:35
  • @Luke Yeah, I know. I created the code for the purpose of SQL injecting it! – stik Feb 11 '20 at 22:44
  • @sochas can you show some SQL injection code? – stik Feb 11 '20 at 23:55
  • I could type in your firstname input something like this: '; INSERT into users (user, password) VALUES ('sochas', 'hashedpassword'); -- (Close your current sentence, my sentence and comment final part of your sentence) Maybe the sentence does not work, but the idea is use the input to introduce a sql sentence. More info: https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – sochas Feb 12 '20 at 07:12
  • Does this answer your question? [Correct way to use LIKE '%{$var}%' with prepared statements? \[mysqli\]](https://stackoverflow.com/questions/28385145/correct-way-to-use-like-var-with-prepared-statements-mysqli) – Dharman Feb 13 '20 at 12:40

1 Answers1

0

Use "LIKE" Operator

$sql = "SELECT * FROM users WHERE name LIKE '%$firstname%'";
Brindha Baskaran
  • 185
  • 2
  • 16