fozze Posted January 15, 2011 Share Posted January 15, 2011 Hi, Hoping someone could help me, im not great at php programming and im trying to implement a search form which searches a sql database but for some reason its not working i keep on getting the following error.. " Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in C:\xampp\htdocs\site\contact\search.php on line 141" Im not sure why this happens and its really starting to bug me now :/ I have to pages to the search feature, one page which contains the <form> and the other with the PHP code.... the form.. <form method="get" action="search.php"> <label>Search Term: <input type="text" id="query" name="query"/> </label> <label> <select name="category" id="category"> <option value="none">Please Select a Type</option> <option value="teamname">Manager Name</option> <option value="manager">Team Name</option> <option value="age">Age Group</option> </select> </label> <input name="Search" type="submit" value="Search"/> </form> the PHP code.. <?php $query=$_GET['query']; $db_host="localhost"; $db_username="root"; $db_password=""; $db_name="info"; $db_tb_name="info"; $db_tb_atr_name=$_GET['category']; mysql_connect("$db_host","$db_username","$db_password"); mysql_select_db("$db_name"); $query_for_result=mysql_query("SELECT * FROM $tb_name WHERE $db_tb_atr_name like '%".$query."%'"); while($data_fetch=mysql_fetch_array($query_for_result)) { echo "<p>"; echo $data_fetch['table_attribute']; echo "</p>"; } mysql_close(); ?> Id be really great full for any light you guys could shed on this for me with thanks, fozze Quote Link to comment Share on other sites More sharing options...
requinix Posted January 15, 2011 Share Posted January 15, 2011 You have a horrible SQL injection vulnerability. Never put stuff from $_GET or $_POST directly into a query unless you've scrutinized the data very, very carefully and/or used something like mysql_real_escape_string. if (in_array($_GET["category"], array("none", "teamname", "manager", "age"))) { // valid. continue } else { // invalid. do something about it } Anyways, if mysql_query returns a bool it's either a) true, because you ran an UPDATE or DELETE or something that doesn't return anything, or b) false, because there's a problem with the query. In your case (b) because the query doesn't mention which table to SELECT from. Lemme say that again: it does not mention the table. No, it doesn't. Look at your variables. Quote Link to comment Share on other sites More sharing options...
fozze Posted January 15, 2011 Author Share Posted January 15, 2011 hmmm.......in that case i might just start again :/ haha thanks for your help Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted January 15, 2011 Share Posted January 15, 2011 There's no need to start again. Build on what you already have there. Make sure your variable names are consistent, and not misspelled. Make sure you sanitize the variables that are populated with user-supplied data (think: form fields) before using them in a query string. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.