0

This is my first contribution here:

So I am using PHP and MySQLi. I have a search bar and it works great, but I want to entries to disappear when I clear the search.

Using the search bar is changing the URL:

without search: http://localhost:52694/index.php

with search: http://localhost:52694/index.php?search=test

If I clear my search bar, it is still the same URL (http://localhost:52694/index.php?search=test) and I cant click go because it tells me that the box can't be empty to start search.

I hope everything is clear and you understand my issue.

This is my search in php code:

<?php 

    if(isset($_GET['search'])){
        $filtervalues = $_GET['search'];
        $query = "SELECT * FROM table WHERE CONCAT( value, name, zla ) LIKE '%$filtervalues%' ";
        $query_run = mysqli_query($con, $query);

        if(mysqli_num_rows($query_run) > 0) {
            foreach($query_run as $items) {
?>
                        <tr>
                            <td><?= $items['value']; ?></td>
                            <td><?= $items['name']; ?></td>
                            <td><?= $items['zla']; ?></td>
                            <td>
                                <a class='btn btn-danger btn-sm' href='/delete.php?id=<?php echo $items['id']; ?>'>Del</a>
                            </td>
                        </tr>
<?php
            }
        } else {
?>
                        <tr>
                            <td colspan="4">No Record Found</td>
                        </tr>
<?php
        }
    }
?>
Professor Abronsius
  • 33,063
  • 5
  • 32
  • 46
Mic
  • 1
  • add a "reset" button then, which redirects the user back to the URL which doesn't have the search parameter in it – ADyson Aug 31 '22 at 12:22
  • **Warning:** Your code is vulnerable to SQL Injection attacks. You should use parameterised queries and prepared statements to help prevent attackers from compromising your database by using malicious input values. http://bobby-tables.com gives an explanation of the risks, as well as some examples of how to write your queries safely using PHP / mysqli. **Never** insert unsanitised data directly into your SQL. The way your code is written now, someone could easily steal, incorrectly change, or even delete your data. – ADyson Aug 31 '22 at 12:23
  • https://phpdelusions.net/mysqli also contains good examples of writing safe SQL using mysqli. See also the [mysqli documentation](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) and this: [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) . Parameterising your queries will also greatly reduce the risk of accidental syntax errors as a result of un-escaped or incorrectly quoted input values. If you learnt your current technique from a tutorial or book, please don't use it again. – ADyson Aug 31 '22 at 12:23
  • In this particular case since you're using LIKE, see also this specific guide to understand the correct usage: https://phpdelusions.net/mysqli_examples/like – ADyson Aug 31 '22 at 12:23
  • thanks, i know that i am open to sql Injection. The project is just for me on localhost so thats fine to me – Mic Aug 31 '22 at 12:25
  • i will try a reset button thats a good idea! – Mic Aug 31 '22 at 12:26
  • Do you think i should use = instead of LIKE? @ADyson – Mic Aug 31 '22 at 12:26
  • That depends on how you want the search to work - those two operators can produce different results, and only LIKE can make use of the % wildcards. My suggestion wasn't to change from LIKE to =, it was to secure your code properly by using prepared statements and parameters. – ADyson Aug 31 '22 at 12:29
  • `The project is just for me on localhost so thats fine to me`...ok but 1) you should get into good habits learning to do things the right way, so that when you come to do an application for other users you don't have to re-learn things, and 2) Your current code is so basic it would break if you tried to search for a term with something like an `'` in it! Fortunately, using prepared statements and parameters also fixes that issue at the same time. So really there's pretty much no reason _not_ to use them. – ADyson Aug 31 '22 at 12:32
  • Out of interest why have you elected to run your webserver on such a high port number rather than the default 80/443? – Professor Abronsius Aug 31 '22 at 12:33
  • @ProfessorAbronsius my other ports are already in use ;) – Mic Aug 31 '22 at 12:40
  • @ADyson why would i break using ' in the search ;) – Mic Aug 31 '22 at 12:41
  • Simple: Your code says `SELECT * FROM table WHERE CONCAT( value, name, zla ) LIKE '%$filtervalues%'`. If you put (for example) `don't` as the search term, then your query will be `SELECT * FROM table WHERE CONCAT( value, name, zla ) LIKE '%$don't%'`. Obviously, SQL will think the search string ends at the `n`, because apostrophes are used in SQL to denote the end of a string literal. And then the `t%'` which comes after it just looks like random gibberish as far as SQL is concerned, so it will cause a syntax error. – ADyson Aug 31 '22 at 12:43
  • The single quote character is already surrounding the supplied variable for the `LIKE` clause. Yoiur SQL mihgt end up like `WHERE CONCAT( value, name, zla ) LIKE '%geronimo's hairpiece was grey%'` noting the extra single quote ... – Professor Abronsius Aug 31 '22 at 12:43
  • Parameters solve this problem because you just replace the whole string with a placeholder (see the examples in the link) and don't need to bother with problems of apostrophes at all. – ADyson Aug 31 '22 at 12:44
  • @ADyson i have implemented a reset button, thanks! – Mic Aug 31 '22 at 12:47
  • @ADyson thanks for the hint. I missed that ´apostrophes are used in SQL to denote` .Would i be able to search for 10.10.10? – Mic Aug 31 '22 at 12:48
  • i will change to parameter thanks – Mic Aug 31 '22 at 12:49
  • `Would i be able to search for 10.10.10`...why don't you try it and see? But yes probably, that doesn't involve a `'`. However you should still change to parameters for increased reliability and security. Thanks. – ADyson Aug 31 '22 at 12:57
  • @ADyson do have an idea how i can log UPDATES from the table with timestamp in the database. so if i change something in webapp it is an update sql. How can i save a timestamp with the change ;) – Mic Aug 31 '22 at 15:32
  • This sounds like a separate issue which ought to be in a new question with a more detailed explanation and some relevant code and data present, along with the results of your attempts so far to implement it. That way we get all the info we need, and also everyone can contribute, not just me – ADyson Aug 31 '22 at 15:44

1 Answers1

0

From

I cant click go because it tells me that the box can't be empty to start search.

I assume that in your HTML you have the required attribute present in the input field. Here's an example using required :

<form action="index.php" method="GET">
    Search for : <input name="search" required/>
    <input type="submit" value="send"/>
</form>
<?php
if(isset($_GET["search"]))
    echo $_GET["search"];
else 
    echo "nothing to search for";

using example like this: if your search field is empty, a little box will pop telling you to fill the field.

So please give brief view of your html search bar code , or check if required is present, if so .. delete it, and use it only for the fields that must be filled like in login or ...

AK.Aissat
  • 94
  • 3
  • That explains the issue (speculatively) but it doesn't suggest any kind of solution – ADyson Aug 31 '22 at 13:01
  • @ADyson edited the answer, and it's just if "go" not working it must be an HTML issue or javascript if possible so more details will be helpful – AK.Aissat Sep 01 '22 at 18:42