
Hi, I hope someone can help. This is my first attempt at using SQL and I'm finding it a challenge, to say the least. What I am trying to do is to write multiple searches for a motorcycle website; the customer would enter:

  • make in box 1, model in box 2, product in box 3, year in box 4

But I'm stuck trying to match multiple words in any order; customers have to type the exact phrase for it to find the product.

This is the code so far.

Thanks for your help in advance.

<?php
   include 'motorcyclefitmentdb.php';   // defines $conn (assumed here to be a mysqli connection)
?>
<center>
   <form method="post">
      <table id="search_box">
         <tr>
            <td><input name="Make" type="text" placeholder="Make....." value="<?php echo isset($_POST['Make']) ? htmlspecialchars($_POST['Make'], ENT_QUOTES) : ''; ?>"></td>
            <td><input name="Model" type="text" placeholder="Model....." value="<?php echo isset($_POST['Model']) ? htmlspecialchars($_POST['Model'], ENT_QUOTES) : ''; ?>"></td>
            <td><input name="Item" type="text" placeholder="Item....." value="<?php echo isset($_POST['Item']) ? htmlspecialchars($_POST['Item'], ENT_QUOTES) : ''; ?>"></td>
            <td><input name="Year" type="text" placeholder="Year....." value="<?php echo isset($_POST['Year']) ? htmlspecialchars($_POST['Year'], ENT_QUOTES) : ''; ?>"></td>
            <td><button type="submit" name="submit-search">Submit</button></td>
         </tr>
      </table>
   </form>
</center>
<br><br>
</div>
<center>
   <table class="customer">
      <?php
         if (isset($_POST['submit-search'])) {
            // Wrap each box in % so LIKE matches the text anywhere in the column.
            $Make  = '%' . ($_POST['Make']  ?? '') . '%';
            $Model = '%' . ($_POST['Model'] ?? '') . '%';
            $Item  = '%' . ($_POST['Item']  ?? '') . '%';
            $Year  = '%' . ($_POST['Year']  ?? '') . '%';

            // Placeholders instead of interpolated values: the customer's text travels
            // as bound data and can never change the shape of the query.
            $sql = "SELECT * FROM `fitment` WHERE `Make` LIKE ?
                    AND `Model` LIKE ?
                    AND `Item` LIKE ?
                    AND `Year Search` LIKE ?";

            $stmt = $conn->prepare($sql);
            $stmt->bind_param("ssss", $Make, $Model, $Item, $Year);
            $stmt->execute();
            $result = $stmt->get_result();   // needs the mysqlnd driver

            if ($result->num_rows > 0) {
               // output data of each row; text columns are escaped before being echoed
               // into the page ("Image" and "Buy" are assumed to hold ready-made markup)
               while ($row = $result->fetch_assoc()) {
                  echo "
                  <tr>
                  <td>
                  " . $row["Image"] . "
                  <br><br>
                  " . htmlspecialchars($row["Item"], ENT_QUOTES) . "
                  <br><br>
                  SKU: " . htmlspecialchars($row["SKU"], ENT_QUOTES) . "
                  <br>
                  £ " . htmlspecialchars($row["Price"], ENT_QUOTES) . "
                  <br><br>
                  " . $row["Buy"] . "
                  </td>
                  <td>
                  " . htmlspecialchars($row["Make"] . " " . $row["Model"] . " " . $row["Year"], ENT_QUOTES) . "
                  <br><br>
                  " . htmlspecialchars($row["Engine"], ENT_QUOTES) . "
                  </td>
                  </tr>
                  ";
               }
            } else {
               echo "0 results";
            }
            $stmt->close();
         }
         $conn->close();
      ?>
   </table>
</center>
</div>
Bing Wan
    **Warning:** You are wide open to [SQL Injections](https://stackoverflow.com/a/60496/1839439) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Oct 03 '20 at 21:03
  • If you're using MySQL, have a look at [`FULLTEXT` searches](https://dev.mysql.com/doc/refman/8.0/en/fulltext-search.html). – GolezTrol Oct 03 '20 at 21:07
  • `$regex` < where's that variable set inside the big body of code? Do all of your POST arrays contain a value? What you posted is unclear and has no error handling whatsoever. You also have a mix of GET and POST, why is that? – Funk Forty Niner Oct 03 '20 at 21:12
  • Your clause needs to match all criteria. Even if one fails, your entire code fails. – Funk Forty Niner Oct 03 '20 at 21:14
  • Hi, I have edited the code to add the parameterized prepared statements, but now the search doesn't return anything. Can anyone help, please? – Bing Wan Oct 04 '20 at 13:18
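The any-order word matching the question asks for, combined with the parameterized query the first comment calls for, as an added example (not the asker's code and not from any answer on the page). It assumes `$conn` is a mysqli connection created by `motorcyclefitmentdb.php`, the `fitment` table and column names shown in the question, and the mysqlnd driver (for `get_result()`). Each box is split into words and every word becomes its own `LIKE ?` placeholder on that box's column, so "600 cbr" and "cbr 600" match the same row; the values are bound, never spliced into the SQL, and the `%`/`_` wildcards are escaped so a customer cannot widen the search by typing them.

```php
<?php
// Added example, not the asker's code. Assumes $conn is a mysqli connection
// created by motorcyclefitmentdb.php, the `fitment` table and columns from
// the question, and the mysqlnd driver for get_result().

/**
 * Build a parameterised query in which every word typed into a box must
 * appear somewhere in that box's column, in any order.
 *
 * Returns [$sql, $params]; $params is in the order of the '?' placeholders.
 */
function buildFitmentSearch(array $boxes): array
{
    // Form field => column. Column names are fixed here and never taken from
    // the request, so only values reach the query, and only as bound parameters.
    $columns = [
        'Make'  => '`Make`',
        'Model' => '`Model`',
        'Item'  => '`Item`',
        'Year'  => '`Year Search`',
    ];

    $clauses = [];
    $params  = [];

    foreach ($columns as $field => $column) {
        $text  = trim((string) ($boxes[$field] ?? ''));
        $words = preg_split('/\s+/', $text, -1, PREG_SPLIT_NO_EMPTY);
        foreach ($words as $word) {
            // Escape LIKE metacharacters so a customer typing "%" or "_" cannot
            // widen the search to "everything"; MySQL's default LIKE escape
            // character is the backslash. Quotes and SQL keywords need no
            // handling: the value is bound, never spliced into the SQL text.
            $escaped   = strtr($word, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
            $clauses[] = "$column LIKE ?";
            $params[]  = '%' . $escaped . '%';
        }
    }

    $sql = 'SELECT * FROM `fitment`';
    if ($clauses !== []) {
        $sql .= ' WHERE ' . implode(' AND ', $clauses);
    }
    return [$sql, $params];
}

/** Run the search and return the matching rows as associative arrays. */
function searchFitment(mysqli $conn, array $boxes): array
{
    [$sql, $params] = buildFitmentSearch($boxes);

    $stmt = $conn->prepare($sql);
    if ($params !== []) {
        // One 's' per placeholder; the spread operator passes the values by reference.
        $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    }
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage with the four boxes from the form in the question:
//   $rows = searchFitment($conn, $_POST);
//
// For Make "honda", Model "600 cbr", Item "" and Year "2005" this builds
//   SELECT * FROM `fitment` WHERE `Make` LIKE ? AND `Model` LIKE ?
//       AND `Model` LIKE ? AND `Year Search` LIKE ?
// with parameters ['%honda%', '%600%', '%cbr%', '%2005%']. An empty box adds
// no clause, and typing ' OR 1=1 -- into a box just searches for that text.
```

With the usual case-insensitive (`_ci`) collations, "honda" also matches "Honda". If the table grows large, the FULLTEXT route GolezTrol's comment mentions does the same any-order matching with an index: `MATCH (Model) AGAINST ('+600 +cbr' IN BOOLEAN MODE)`, where the `+` marks each word as required; the words still belong in a bound parameter, not in the SQL string.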

0 Answers