I have a simple search form and a MySQL database that includes only 1 table and 1 column. This will be my search.html: nothing but a search form.

    <form action="search.php" method="post">
        <center>SEARCH: <input type="text" name="search" placeholder="SEARCH"><br></center>
        <center><input type="submit" class="btn-success btn"></center>
    </form>

My database is so simple and has only 1 input. My table name is "kodlar" and my only column name is "kodveritabani".

This is my search.php so far. The results can even pop up in a browser window. When I hit search, it should look up the database; if it finds the same string, echo "This is a valid code", and if it cannot find it, echo "This is not a valid code".

<?php

$link = mysqli_connect("localhost", "dbinfo", "dbinfo", "dbinfo");

if ($link === false) {
    die("ERROR: Could not connect. " . mysqli_connect_error());
}

if (isset($_POST['search'])) {
    // escape the submitted value before placing it inside the quoted SQL literal
    $search = mysqli_real_escape_string($link, $_POST['search']);
    $result = mysqli_query($link, "SELECT * FROM kodlar WHERE kodveritabani='" . $search . "'");
    if (mysqli_num_rows($result) != 0) {
        $row = mysqli_fetch_array($result);
        echo "This is a valid code.";
    } else {
        echo "This is not a valid code.";
    }
}

// Close connection
mysqli_close($link);
?>

What should I do to achieve my purpose?

  • Your code is potentially vulnerable to SQL injection despite the `mysqli_real_escape_string` - use `prepared statements` when using user supplied data. Where is the search page - is that what the question relates to? – Professor Abronsius Jul 03 '20 at 14:18
  • You need to stop manually checking for errors. Please read: [Should we ever check for mysqli_connect() errors manually?](https://stackoverflow.com/q/58808332/1839439) and [Should I manually check for errors when calling “mysqli_stmt_prepare”?](https://stackoverflow.com/q/62216426/1839439) – Dharman Jul 03 '20 at 14:18
  • Consider a search.html page with a single search form; when the user puts in the coupon code and hits search, a browser popup could appear with 2 options, "your code is valid" or "your code is not valid", after the search form looks up the database. Or the result can appear below the search bar. – kkakaossski Jul 03 '20 at 14:21
  • ok, that seems fairly straightforward. Can you add the code that you have tried so far to search for the coupon and explain what is wrong? – Professor Abronsius Jul 03 '20 at 14:51
  • Thank you. Can you please check my topic again? I edited it all to be clearer, with some code. – kkakaossski Jul 03 '20 at 15:00

1 Answer

You might try along these lines using a prepared statement - it's not tested but I hope it helps.

<?php
    
    error_reporting( E_ALL );
    
    if( isset( $_POST['search'], $_POST['kodveritabani'] ) ) {
    
        mysqli_report( MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT );
        
        $link=new mysqli("localhost", "dbinfo", "dbinfo", "dbinfo");
        /*
            some default values for important variables
        */
        $kodveritabani=false;
        $message='This is not a valid code.';
        
        /*
            create the basic sql statement with a placeholder
            to be used in the `prepared statement`
        */
        $sql='select `kodveritabani` from `kodlar` where `kodveritabani`=?';
        /*
            create the `prepared statement` and 
            bind the placeholder to the input variable.
        */
        $stmt=$link->prepare( $sql );
        $stmt->bind_param( 's', $_POST['kodveritabani'] );
        
        /*
            execute the query and store the result
            using native methods so we can access `num_rows`
            
        */
        $stmt->execute();
        $stmt->store_result();
        $rows=$stmt->num_rows;
        $stmt->bind_result( $kodveritabani );
        /*
            Fetch the result and cleanup
        */
        $stmt->fetch();
        $stmt->close();
        $link->close();
        
        /*
            Change the output message if the coupon is valid
        */
        if( $kodveritabani && $rows > 0 )$message='This is a valid code.';
        
        /*
            send the response
        */
        header('Content-Type: text/html');
        exit( $message );
    }
?>

Based loosely upon a rudimentary HTML form

<form method='post'>
    <label>Kodveritabani: <input type='text' name='kodveritabani' /></label>
    <input type='submit' name='search' value='SEARCH' />
    <div></div>
</form>
Professor Abronsius
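As an added example (not the asker's or answerer's code), here is a complete search.php that fits the question's own form field `search`, table `kodlar` and column `kodveritabani`, checks the code with a bound parameter, and shows the result both below the form and as the browser popup the asker mentioned. The helper name `isValidCode` is my choice, and the connection values are the placeholders from the question.

```php
<?php
declare(strict_types=1);
// Added example, not the asker's or answerer's code: a search.php that matches
// the question's form (field "search", table "kodlar", column "kodveritabani").
// The connection values are the placeholders given in the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on every MySQL error

/**
 * True when $code exists in kodlar.kodveritabani. The value is sent as a bound
 * parameter, never spliced into the SQL text, so quotes or SQL fragments typed
 * into the form cannot alter the query (the injection risk raised in the comments).
 */
function isValidCode(mysqli $link, string $code): bool
{
    $stmt = $link->prepare('SELECT 1 FROM `kodlar` WHERE `kodveritabani` = ? LIMIT 1');
    $stmt->bind_param('s', $code);
    $stmt->execute();
    $stmt->store_result();            // buffer the result so num_rows is populated
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

$message = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['search'])) {
    $code = is_string($_POST['search']) ? trim($_POST['search']) : '';
    try {
        $link = new mysqli('localhost', 'dbinfo', 'dbinfo', 'dbinfo');
        $message = isValidCode($link, $code) ? 'This is a valid code.' : 'This is not a valid code.';
        $link->close();
    } catch (mysqli_sql_exception $e) {
        error_log($e->getMessage());  // keep driver details in the log, not on the page
        $message = 'The code could not be checked right now.';
    }
}
header('Content-Type: text/html; charset=utf-8');
?>
<form action="search.php" method="post">
  <label>SEARCH: <input type="text" name="search" placeholder="SEARCH" required></label>
  <input type="submit" class="btn-success btn" value="Search">
</form>
<?php if ($message !== null): ?>
  <!-- result shown below the form and, as the question asked, as a browser popup -->
  <p><?= htmlspecialchars($message, ENT_QUOTES, 'UTF-8') ?></p>
  <script>alert(<?= json_encode($message, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) ?>);</script>
<?php endif; ?>
```

Because the same file renders the form and handles the POST, the `action` can point back at itself; the message is HTML-escaped for the `<p>` and JSON-encoded for the `alert()` so each output context gets its own encoding.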