**rotc_rachel** Posted November 26, 2009

Hello everyone,

New to PHP and ran into another beginner issue. I've tried Google for answers, but no luck with my specific problem.

The goal I am going for is: I have a database of publications. The user is allowed to search by 'Author', which is a column name within the database. So, on an HTML page I have a short form that asks the user which author to search for. The action= field points to the PHP file, where I use $_POST to store the user-entered author in a variable called &author. From here I would like to SELECT * FROM publications WHERE author (column name) = &author. I then want to display the table, so I call a while loop and echo out the table.

When I attempt to carry out the entire code, nothing shows. I am wondering if it is my SELECT statement that is incorrect or if my while loop is not set up correctly. Below is the PHP code; I would greatly appreciate any help!

```php
<?php
echo 'PHP Working';

// Connects to your Database
mysql_connect("localhost", "root", "***") or die(mysql_error());
mysql_select_db("publications_db") or die(mysql_error());

// Author name submitted from the HTML form
$author = $_POST['author'];

$data = mysql_query("SELECT * FROM publications WHERE author = '&author'") or die(mysql_error());

// Print one table row per matching publication
echo "<table border cellpadding=3>";
while ($info = mysql_fetch_array($data)) {
    echo "<tr>";
    echo "<th>ID:</th> <td>" . $info['pub_id'] . "</td> ";
    echo "<th>Title:</th> <td>" . $info['title'] . " </td>";
    echo "<th>Author:</th> <td>" . $info['author'] . " </td>";
    echo "<th>Year:</th> <td>" . $info['yr'] . " </td>";
    echo "<th>Journal:</th> <td>" . $info['journal'] . " </td>";
    echo "<th>Pages:</th> <td>" . $info['num_pages'] . " </td></tr>";
}
echo "</table>";
?>
```
**seksislav** Posted November 26, 2009

First, don't forget to `$author = addslashes($_POST['author'])` your variables, because some bad people can do bad stuff.

For your query try:

```php
$data = mysql_query("SELECT * FROM publications WHERE LIKE '%" . $author . "%'") or die(mysql_error());
```
**rotc_rachel** (Author) Posted November 26, 2009

Would you mind explaining the security risk you described? I'm interested in learning!

Also, I switched out my SELECT statement, but it gives me an error on line 73, which is:

```php
echo "<th>ID:</th> <td>" . $info['pub_id'] . "</td> ";
```
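The risk asked about above is SQL injection: the original script pastes the form value into the SQL string, so any quote or SQL syntax the user submits is parsed as part of the statement (and `'&author'` in double quotes is just literal text, not the `$author` variable, which is why nothing matched). The following is an added example, not code from this thread, showing the same search rewritten with a prepared statement and escaped output; the table and column names come from the post, the connection details are placeholders.

```php
<?php
// Added example (not from this thread): the posted search, hardened.
// Assumes the table/column names from the post and a local MySQL with
// placeholder credentials; replace them with your own.

// --- Risk: string-built query -------------------------------------------
// The posted query puts $_POST['author'] straight into the SQL text:
//   "SELECT * FROM publications WHERE author = '$author'"
// Whatever the user types becomes part of the statement, so quote
// characters in the input change the statement's meaning. addslashes()
// is not a reliable fix; a bound parameter is.

// --- Mitigation: a prepared statement --------------------------------
$db = new mysqli("localhost", "app_user", "PLACEHOLDER_PASSWORD", "publications_db");
if ($db->connect_error) {
    exit("Database connection failed.");   // do not echo driver errors to users
}
$db->set_charset("utf8mb4");

$author = $_POST['author'] ?? '';

// The SQL text is fixed; the value travels separately as a bound parameter,
// so the database never parses user input as SQL.
$stmt = $db->prepare(
    "SELECT pub_id, title, author, yr, journal, num_pages
       FROM publications WHERE author = ?"
);
$stmt->bind_param("s", $author);   // "s" = bind as a string
$stmt->execute();
$result = $stmt->get_result();

// Second, separate risk: echoing column values raw lets stored HTML run in
// the visitor's browser, so escape every value on output.
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

echo "<table border=\"1\" cellpadding=\"3\">";
while ($row = $result->fetch_assoc()) {
    echo "<tr>";
    foreach (['pub_id' => 'ID', 'title' => 'Title', 'author' => 'Author',
              'yr' => 'Year', 'journal' => 'Journal', 'num_pages' => 'Pages'] as $col => $label) {
        echo "<th>" . h($label) . ":</th><td>" . h((string) $row[$col]) . "</td>";
    }
    echo "</tr>";
}
echo "</table>";
$stmt->close();
```

For the partial-match search suggested in the reply, keep the same `?` placeholder and bind `'%' . $author . '%'` as the value with `WHERE author LIKE ?`; `get_result()` needs the mysqlnd driver, otherwise use `bind_result()`/`fetch()`.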