Escaping % symbol in MySQL with PHP - php

I have a simple search box, but I am trying to avoid the result page returning all results in the table when the query is %. How can that be done?

I think you want to use \%...
In your PHP,
$query = str_replace('%', '\%', $query);
// $conn is the mysqli connection handle; the procedural escape function needs it as its first argument
$sql = "SELECT * FROM table WHERE column LIKE '%" . mysqli_real_escape_string($conn, $query) . "%'";

Are you sanitizing your inputs?
You can start with mysqli_real_escape_string()
// $conn is the mysqli connection handle returned by mysqli_connect()
$query = "SELECT * FROM table WHERE column LIKE '" . mysqli_real_escape_string($conn, $input) . "'";
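Neither answer above shows the full picture: escaping only `%` leaves `_` (single-character wildcard) and `\` unhandled, and splicing the pattern into the SQL text is what makes the escaping fragile. The following is an added example, not code from either answer, showing the wildcard escape combined with a bound parameter; `$db`, the table and the column name are assumptions.

```php
<?php
// Added example: escape the LIKE metacharacters in user text, then bind the
// pattern with a prepared statement so it is never spliced into the SQL string.
// $db, `table` and `column` are placeholders; the function names are this example's own.

function escape_like_pattern(string $term): string
{
    // Backslash is replaced first so the backslashes added for % and _ are not doubled.
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
}

function search_column(mysqli $db, string $term): array
{
    $term = trim($term);
    if ($term === '') {
        return [];   // '%%' would match every row, so an empty search returns nothing
    }
    // A user typing "%" now yields the pattern '%\%%', which matches only rows
    // whose column contains a literal percent sign.
    $pattern = '%' . escape_like_pattern($term) . '%';

    // ESCAPE '\' is MySQL's default, stated explicitly here for clarity.
    $stmt = $db->prepare("SELECT * FROM `table` WHERE `column` LIKE ? ESCAPE '\\\\'");
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    // get_result() requires the mysqlnd driver, which is the default in modern PHP.
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}
```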

Related

mysql like query, how can you sort targeting two columns in a table but sorting by the results matched by one column

Using the code below, I am able to return all products that match the search word. However, they are ordered such that a product with a name different from the search phrase appears first, and one with a matching name appears later because the description had a match.
How can I sort and return the products whose name matches the search phrase first?
$sqli = "
SELECT *
FROM product
WHERE";
foreach ($strarray as $key => $value) {
    if ($key > 0) {
        $sqli = $sqli . " OR";
    }
    $sqli = $sqli . " (Name LIKE '%" . $value . "%' or Description LIKE '%" . $value . "%')";
}
Add an ORDER BY clause:
$sqli .= " ORDER BY Name LIKE '%" . $value . "%' DESC";
A boolean expression is 1 for TRUE and 0 for FALSE, so sorting by a condition orders by whether the row matches the condition.
BTW, you should learn to use prepared statements to prevent SQL injection. See How can I prevent SQL injection in PHP?

multiple field search form displaying entire database [duplicate]

This question already has answers here:
Search Form with One or More (Multiple) Parameters
(2 answers)
Closed 7 years ago.
I am trying to create a database with multiple fields for searching, but it is displaying the entire database if there is an empty field. I suspect it is because of the ORs in the query and I am not sure how to fix it.
<?php
if (isset($_POST['Submit']))
{
    $con = mysqli_connect();
    if (mysqli_connect_errno())
    {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }
    $surname = $_POST['surname'];
    $firstname = $_POST['firstname'];
    $maiden = $_POST['maiden'];
    $birth = $_POST['birth'];
    $death = $_POST['death'];
    $keyword = $_POST['keyword'];
    $sql = "SELECT * FROM obits WHERE surname LIKE '%" . $surname . "%' OR firstname LIKE '%" . $firstname . "%' OR maiden LIKE '%" . $maiden . "%' OR birth LIKE '%" . $birth . "%' OR death LIKE '%" . $death . "%' OR obittext LIKE '%" . $keyword . "%'";
    $result = mysqli_query($con, $sql);
Further down I have this:
if (isset($result) && $result->num_rows > 0);
Then follows the table etc. I think I have all the pertinent info here. Any suggestions? Please use English rather than programmer-speak, I am quite new at this. Thanks in advance!
Let's look at one of the conditions:
surname LIKE '%" . $surname . "%'
Assuming, $surname is Miller here, you select all rows that have a surname like %Miller%. The % signs are wildcards, which can basically stand for anything. This means you are selecting all rows where the surname contains Miller with any string before or after it, including empty ones.
Now, if Miller would be empty in this case, you are looking for %%, so an empty string with anything before or after it -- so really any possible string. As a result, every row will be selected.
Since this is true not only for the surname, but for any of the columns, leaving any of the criteria blank will result in all rows being selected.
Find more info on SQL Wildcards.
To skip empty values in your where clause, you can build it dynamically:
$condition = "WHERE ";
if (!empty($surname)) {
    $condition .= "surname LIKE '$surname' OR ";
}
if (!empty($firstname)) {
    $condition .= "firstname LIKE '$firstname' OR ";
}
// ...
$sql = "SELECT * FROM obits " . $condition;
Note:
There will be a trailing OR in the condition that you will have to remove.
If all conditions are blank, this will also lead to an error.
But it should give you some inspiration! :-)
Side Note:
You should look into prepared statements. Passing POST variables directly into an SQL statement is highly dangerous.
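The two answers above (the ORDER BY boolean trick and the "skip empty fields" builder) fit together in one routine. This is an added example, not code from either answer: it builds the WHERE clause only from filled-in fields, binds every value, and ranks surname matches first. The `obits` table and its columns come from the question; `$db` and the function names are this example's own.

```php
<?php
// Added example: dynamic multi-field search with bound parameters.
// Blank fields are skipped (so '%%' never matches every row), column names come
// from a fixed whitelist, and rows whose surname matched sort before the rest.

function like_pattern(string $term): string
{
    // Escape LIKE metacharacters, backslash first, so user text is matched literally.
    return '%' . str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term) . '%';
}

function search_obits(mysqli $db, array $fields): array
{
    $allowed = ['surname', 'firstname', 'maiden', 'birth', 'death', 'obittext'];
    $clauses = [];
    $params  = [];
    foreach ($allowed as $col) {
        $value = trim($fields[$col] ?? '');
        if ($value === '') {
            continue;                       // empty field: no condition at all
        }
        $clauses[] = "`$col` LIKE ?";       // $col is from the whitelist, never user input
        $params[]  = like_pattern($value);
    }
    if ($clauses === []) {
        return [];                          // every field blank: nothing to search for
    }

    // (`surname` LIKE ?) evaluates to 1 or 0, so DESC puts surname matches first.
    $order   = '`surname`';
    $surname = trim($fields['surname'] ?? '');
    if ($surname !== '') {
        $order    = '(`surname` LIKE ?) DESC, ' . $order;
        $params[] = like_pattern($surname);
    }

    $sql  = 'SELECT * FROM `obits` WHERE ' . implode(' OR ', $clauses) . ' ORDER BY ' . $order;
    $stmt = $db->prepare($sql);
    // One 's' per bound value; argument unpacking passes the array elements by reference.
    $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage with the form fields from the question (constructed input):
// $rows = search_obits($db, ['surname' => $_POST['surname'] ?? '', 'keyword' => '']);
```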

mysqli_query don't work in PHP

I'm trying to make a simple SELECT from the DB and save the results in an array.
$query = "SELECT ID FROM Publikationen WHERE Personen LIKE '%; " . $autor2 . "%';";
echo($query);
// get IDs
$res = mysqli_query($link, $query);
$IDarray = array();
$i = 0;
while ($row = mysqli_fetch_assoc($res)) {
    echo($row['ID']);
    $IDarray[$i] = $row['ID'];
    $i++;
}
The $autor2 variable is a name like "Doe, John".
The code does not seem to enter the loop, and mysqli_error after the loop is null, so it seems I'm not getting results from the DB.
When I copy the echoed $query into phpMyAdmin it works fine. Also, when I use a name instead of $autor2 it works fine and I get my whole array.
$query = "SELECT ID FROM Publikationen WHERE Personen LIKE '%" . $autor2 . "%'";
write this code.
As far as I can see in the SQL query, there's a syntax error.
You wrote :
SELECT ID FROM Publikationen WHERE Personen LIKE '%; " . $autor2 . "%';
but it should have been :
SELECT ID FROM Publikationen WHERE Personen LIKE '%" . $autor2 . "%';
Hope it helps!
Remove the semicolon from the query.
$query = "SELECT ID FROM Publikationen WHERE Personen LIKE '% " . $autor2 . "%'";
Simply use this -
$query = "SELECT ID FROM Publikationen WHERE Personen LIKE '%$autor2%'";
If the semicolon is important then use it, but use the $autor2 variable just inside the single quotes (' ').

MySQL IN for strings

I have an array $friends and I used $friend_new = join(',', $friends); to get name1,name2,name3.
But when I use this query I get an error:
$query = mysqli_query($connect_db, "SELECT * FROM post WHERE name IN ($friend_new )");
Does anyone know where the problem is?
You should use implode("','", $friends) and IN ('$friend_new') as these are string values.
Your code is vulnerable to injection. You should use properly parameterized queries with PDO / mysqli
Your list has to look like:
... IN ('friend1','friend2','friend3')
If you have an array of friends such as:
$friends = array("friend1","friend2","friend3");
You can use implode to prepare for use with an IN:
$friend_new = "'" . implode("','", $friends) . "'";
Finally,
SELECT * FROM post WHERE name IN ($friend_new)
The way you do it the individual strings won't be quoted, and that causes the error. As join allows you to specify a "glue" longer than 1 character you can do as follows:
$query = mysqli_query($connect_db,
"SELECT * FROM post " .
"WHERE name IN ('".join("', '", $friends)."') ";
or
$friend_new = join("', '", $friends);
$query = mysqli_query($connect_db,
"SELECT * FROM post " .
"WHERE name IN ('$friend_new') ";
that is, have join write the intermediate ', ' , and surround with ''
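Quoting the joined names fixes the syntax error but still builds the list from the raw strings, as the second answer notes. The following is an added example, not code from the answers, of the same IN (...) query with one placeholder per name; `$connect_db`, the `post` table and the `name` column are taken from the question, and the function names are this example's own.

```php
<?php
// Added example: parameterised IN (...) list. The SQL text contains only
// placeholders; the names themselves are bound, so quotes inside a name cannot
// break the statement.

function build_in_query(array $friends): string
{
    // One '?' per element: three friends give "IN (?,?,?)".
    $placeholders = implode(',', array_fill(0, count($friends), '?'));
    return "SELECT * FROM `post` WHERE `name` IN ($placeholders)";
}

function posts_by_friends(mysqli $connect_db, array $friends): array
{
    // Normalise to a list of unique strings so the placeholder count matches bind_param.
    $friends = array_values(array_unique(array_map('strval', $friends)));
    if ($friends === []) {
        return [];              // "IN ()" is a syntax error in MySQL, so return nothing
    }
    $stmt = $connect_db->prepare(build_in_query($friends));
    // All values are strings: the type string is one 's' per name.
    $stmt->bind_param(str_repeat('s', count($friends)), ...$friends);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed sample input: the third name contains a quote, which the
// join("','", ...) approach would splice straight into the SQL text.
$friends = ['name1', 'name2', "O'Brien"];
// $rows = posts_by_friends($connect_db, $friends);
```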

Using mysql with php and ajax, I want to print out a string (rather than a 0/1) for this query

I apologize if this question has come up before, but I've looked and only found people concerned with the actual result returned by
mysql_query($query);
I'm making a php/mysql page with ajax for a project where the user can create a database and perform a search by interacting with a few select boxes. I would also like to be able to print out the actual query generated by the php, just for testing.
if($dArray[0] == 'sb2a'){
$sql = "SELECT * FROM Vehicles WHERE " . $dArray[1] . " = \'" . $dArray[2] + "\'";}
print($sql);
It just prints 0 rather than something like
"SELECT * FROM Vehicles WHERE VID = '01'"
Any help would be greatly appreciated.
Near the end of your line of code setting the value for $sql:
. $dArray[2] + "\'";
That + should be a .
if ($dArray[0] == 'sb2a')
{
    // "\'" inside a double-quoted PHP string stays as a literal backslash-quote, so plain quotes are used here
    $sql = "SELECT * FROM Vehicles WHERE " . $dArray[1] . " = '" . $dArray[2] . "'";
}
print($sql);
For concatenation in PHP, always use '.'.
The query should look like this:
$sql = "SELECT * FROM Vehicles WHERE {$dArray[1]} = '{$dArray[2]}'";