I am trying to make a web application and I would like to search in a mysql database with a php script.
But my code does not work as expected.
Here is my code:
$search=$_POST['search'];
$sql_cautare="SELECT * FROM carti WHERE titlu = "$search"";
I have search form..and I want to select those values that are entered in the search form.
Can anyone help me?
Try this one
$sql_cautare = $conn->prepare("SELECT * FROM carti WHERE titlu = ?");
$sql_cautare->bind_param('s', $search);
$sql_cautare->execute();
The following should work:
$sql_cautare = "SELECT * FROM carti WHERE titlu = '$search'";
But you should definitly do some input sanitization before using it in SQL!
Related
I tried to make a search system which uses the LIKE operator to search results based on what the user typed. I'm using it with strings. The problem is that it doesn't show any result.
I hope this also helps people with the same confusion as me...
Code:
"SELECT * FROM table WHERE name LIKE ' . $input . ';";
input is a PHP variable from what the user typed.
EDIT: Don't worry about SQL injection, it's all offline.
for the proper use of like you should use wildchar eg :
SELECT * FROM table WHERE name LIKE concat('%', ? ,'%') ;
and you should not use var inside SQL code .. you are at risk for sqlinjectiomn
for avoid this you should take a look at you db driver for prepared statement and binding param
eg for PDO
$st = $conn->prepare("SELECT * FROM table WHERE name LIKE concat('%', ? ,'%')");
$st->bindParam(1, $input, PDO::PARAM_STR, 255);
$st->execute();
Try This
$string = "input";
$sql = "select * from table where name like '%$string%'"
Create a variable and store value what you want to search
$where = "AND name like '%$string%'";
and put it after table name
$sql = "select * from table_name $where";
I have been trying to filter my data according to the c_type = "Engineering' and search keyword in the search box. The searching part is working fine but the query is not working it displays the whole result.
This is for filtering my result
$query1 = mysqli_query($conn, "SELECT * FROM col_details WHERE c_type = 'Engineering' and c_name LIKE '%{$name}%' OR location LIKE '%{$name}%' ");
I am trying to display all the results in my col_details table with c_type is Engineering and c_name or location is taken from the Search Box.
The search box code is working fine but it's displaying all data and not the data with c_type = 'Engineering'.
Any help appreciated.
Thanks.
Your OR clause should be wrapped in brackets,
Try this:
$query1 = mysqli_query($conn, "SELECT * FROM col_details WHERE c_type = 'Engineering' and (c_name LIKE '%{$name}%' OR location LIKE '%{$name}%') ");
Hope it helps.
$ten_desc=$_REQUEST['frm_num'];
$sql = "select * from TENDER_REG where TENDER_DESC LIKE:ten_desc%'";
$stmt=oci_parse($conn,$sql);
oci_bind_by_name($stmt,':ten_desc',$ten_desc);
displaying error please help
The SQL query string will likely confuse PHP and ORACLE. The following will make more sense to both. 1) there is one clear placeholder in the query string. 2) the value passed is complete.
Untested:
replace:
$sql = "select * from TENDER_REG where TENDER_DESC LIKE:ten_desc%'";
with:
$sql = "select * from TENDER_REG where TENDER_DESC LIKE :ten_desc";
and:
oci_bind_by_name($stmt,':ten_desc',$ten_desc);
with:
oci_bind_by_name($stmt,':ten_desc', $ten_desc .'%');
Alright so right now i am generating a report from submit button and it has two input type that are from and to but the thing is i want from and too date and the result isnt showing up from the database
$order_time=$_POST["datefrom"];
$order_time=$_POST["dateto"];
$query = "SELECT * FROM ss_orders where order_time='".$order_time."' limit 60";
Thats my above code , so is it possible to use between in that above query ? and also my data type in the database of order_time is datetime ? so why i am not getting any result ?
Thanks in advance :) Help will be appreciated :)
$order_time=$_POST["datefrom"];
$s= date("Y-m-d", strtotime($order_time));
$order_timeto=$_POST["dateto"];
$e= date("Y-m-d", strtotime($order_timeto));
$query = "SELECT * FROM ss_orders where datetime<=$s and datetime>=$e";
as a programmer you should check and debug your code in all possible ways,you can print what are the values these variables having and you cal also print the query so you can know what is the actual query executing.
$fromdate=$_POST["datefrom"];
$todate=$_POST["dateto"];
$query = "SELECT * FROM ss_orders where datetime<='$todate' and datetime>='$fromdate' limit 60";
and PDO/MYsqli for security
I'm trying to write a search function and am using multiple drop-down lists for search criteria.
i have a sql statement like
SELECT * FROM TABLE WHERE OFFICE='$office', NAME='$name', DEPARTMENT='$department';
Sometime I want to search with specific 'name' but without talking about 'department' and 'office'. But when I pass Blank '' to '$office' and '$department' it only return the person with no office and department. Is there anyway around to overcome it?
I tried to use '%' instead of blank but it didn't work as well.
I'm coding with php and MSSQL.
Thanks in Advance
If you want to work with wildcards, you dont need =, but LIKE. Unsure if this query works, but try it:
SELECT * FROM TABLE WHERE OFFICE LIKE '$office', NAME LIKE '$name', DEPARTMENT LIKE '$department';
Now you just have to check if the field is blank, if yes, replace it with a %. As i said, im unsure. I dont have a database availible at the moment for testing this.
for achieving this you have to write some php code like
$sql = "SELECT * FROM TABLE WHERE";
if(isset($office)){
$sql .= "OFFICE='$office',";
}
if(isset($name)){
$sql .= " NAME='$name',";
}
if(isset($department)){
$sql .= " DEPARTMENT='$department'";
}
You can easily do this as follow:
if(isset($office) && isset($department)){
$sql = "SELECT * FROM TABLE WHERE OFFICE='$office', NAME='$name', DEPARTMENT='$department'";
}
else{
$sql = "SELECT * FROM TABLE WHERE NAME LIKE '$name'";
}
mysql_query($connection, $sql);