Page 1 of 1

search database not working

Posted: Fri Aug 03, 2007 8:36 pm
by eeau1973
Hi folks ...

I have this problem when i try to retrieve information from a mysql database... First i aks to a user to input information that later will be displayed, ...

This is my code until now ...

First I ask to the user lo write text to find ...

Code: Select all

<html>
<body>
<form method = "POST" action = "search.php">
<strong>word to search:</strong>
<input type="text" name="find" size="20"><br><br>
<input type="submit" value="find">
</form>
</body>
</html>
Then this is the code for file search.php ...

Code: Select all

<html> 

<body> 

<?php 

//if (!isset($find))
//{ 
//echo "please input text to find"; 
//echo "<p>please input text to find</p> \n";
//echo "<p><a href=puttext.php>back</p> \n"; 
//echo "</html></body> \n"; 
//exit; 
//} 

$link = mysql_connect("localhost", "user" , "passwd"); 

mysql_select_db("mydatabase", $link); 

$sql = "SELECT * FROM table_name WHERE numguia LIKE '%$find%' "; 

$result = mysql_query($sql, $link); 

if ($row = mysql_fetch_array($result))
{ 
	echo "<table border = '1'> \n"; 
	echo "<tr> \n"; 
	mysql_field_seek($result,0); 
	while ($field = mysql_fetch_field($result)){ 
	echo "<td><b>$field->name</b></td> \n"; 
} 
echo "</tr> \n"; 
do 
{ 
	echo "<tr> \n"; 
	echo "<td>".$row["numguia"]."</td> \n"; 
	echo "<td>".$row["country"]."</td> \n"; 
	echo "<td>".$row["city"]."</td> \n"; 
	echo "<td>".$row["otherfield"]."</td> \n"; 
} 
while ($row = mysql_fetch_array($result)); 
echo "<p><a href=puttext.php>back</p> \n"; 
echo "</table> \n"; 
} else 
{ 
	echo "<p>¡no info where found!</p>\n"; 
	echo "<p><a href=puttext.php>back</p> \n"; 
} 
?> 
</body>
</html>

Whe i run the search.php script i get all the information that my databse contains ... But i just wanna retrieve the information related to numguia field ( that the user input )

Please some help will be nice !

thanks in advance ...

Posted: Sat Aug 04, 2007 12:01 am
by dude81

Code: Select all

<?php
$find = isset($_POST['find'])?$_POST['find']:'';
if(isset($find)){

$link = mysql_connect("localhost", "user" , "passwd");

mysql_select_db("mydatabase", $link);

$sql = "SELECT * FROM table_name WHERE numguia LIKE '%$find%' ";

$result = mysql_query($sql, $link);

if ($row = mysql_fetch_array($result))
{
        echo "<table border = '1'> \n";
        echo "<tr> \n";
        mysql_field_seek($result,0);
        while ($field = mysql_fetch_field($result)){
        echo "<td><b>$field->name</b></td> \n";
}
echo "</tr> \n";
do
{
        echo "<tr> \n";
        echo "<td>".$row["numguia"]."</td> \n";
        echo "<td>".$row["country"]."</td> \n";
        echo "<td>".$row["city"]."</td> \n";
        echo "<td>".$row["otherfield"]."</td> \n";
}
while ($row = mysql_fetch_array($result));
echo "<p><a href=puttext.php>back</p> \n";
echo "</table> \n";
} else
{
        echo "<p>¡no info where found!</p>\n";
        echo "<p><a href=puttext.php>back</p> \n";
}
}
?>
</body>
</html>

Re: search database not working

Posted: Sat Aug 04, 2007 7:41 am
by superdezign
eeau1973 wrote:

Code: Select all

$sql = "SELECT * FROM table_name WHERE numguia LIKE '%$find%' ";
Your code, firstly, requires that register_globals is turned on, which is a no-no. :P
Secondly, you don't filter the posted variable at all (mysql_real_escape_string() may help), leaving yourself open to SQL injection.
Thirdly, it's very possible that $find is not set (especially if register_globals is off, which it should be) and your WHERE clause looks like this:

Code: Select all

WHERE `numguia` LIKE '%%';
That would be the reason why you are getting all of the database entries.


The proper way to access the posted variable 'find' is by using $_POST['find'].

Code: Select all

if(!isset($_POST['find']))
{
    // No search query given
}
else
{
    mysql_query(".... WHERE `numguia` LIKE '%" . mysql_real_escape_string($_POST['find']) . "%';");
    // Handle the rest
}