Jump to content

Recommended Posts

Hey guys, I'm trying to get this working... No errors right now, but I'm not returning any results :/ been messing with it for days.

 

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" />
<label for="search_by">Search By</label>
<select name="search_by">
    <option value"player">Player</option>
    <option value"city">City</option>
    <option value"alliance">Alliance</option>
    <option value"browse">Browse</option>
    </select>
    <input type="text" name"search">
    <input type="submit" value="search" name="search">
<?php
	$search_by = $_POST['search_by'];
$search = $_POST['search'];

	echo "<table><tr><td>Player</td><td>city</td><td>alliance</td><td>x</td><td>y</td><td>other</td><td>porters</td><td>conscripts</td><td>Spies</td><td>HBD</td><td>Minos</td><td>LBM</td><td>SSD</td><td>BD</td><td>AT</td><td>Giants</td><td>Mirrors</td><td>Fangs</td><td>ogres</td><td>banshee</td></tr>" ; 	

$dbc = mysqli_connect('xx', 'xx', 'xx', 'xx') or die ('Error connecting to MySQL server');

$sql = "SELECT * FROM players WHERE ('$search_by') LIKE ('$search') ";
//problem is here^^?? 
$result = mysqli_query($dbc,$sql)
  or die("Error: " .mysqli_error($dbc));

 

Not sure, any help would be greatly appreciated. :)

 

Link to comment
https://forums.phpfreaks.com/topic/247616-select-statement-trouble/
Share on other sites

Do the field names match the option values exactly?

Why are you using a LIKE search without using any kind of wildcard operator? All you'll get back that way are exact matches.

Where is the logic that would display any returned results?

 

Although it's another subject, you aren't validating/sanitizing/escaping the form data, making it susceptible to sql injection.

Do the field names match the option values exactly?

Why are you using a LIKE search without using any kind of wildcard operator? All you'll get back that way are exact matches.

Where is the logic that would display any returned results?

 

Although it's another subject, you aren't validating/sanitizing/escaping the form data, making it susceptible to sql injection.

 

The names match, I'm not sure how to use a wildcard operator. I'm really new to coding.

 

the logic is just a table. It works if I specify a select statement without the search:

 

$result = mysqli_query($dbc,$sql)
  or die("Error: " .mysqli_error($dbc));



	while ($row = mysqli_fetch_array ($result)) {
	echo '<tr><td>' . $row['player'] . '</td>';
	echo '<td>' . $row['city'] . '</td>';
 	echo '<td>' . $row['alliance'] . '</td>';
 	echo '<td>' . $row['x'] . '</td>';
	echo '<td>' . $row['y'] . '</td>';
	echo '<td>' . $row['other'] . '</td>';
	echo '<td>' . $row['porter'] . '</td>';
	echo '<td>' . $row['cons'] . '</td>';
	echo '<td>' . $row['spy'] . '</td>';
	echo '<td>' . $row['hbd'] . '</td>';
	echo '<td>' . $row['mino'] . '</td>';
	echo '<td>' . $row['lbm'] . '</td>';
	echo '<td>' . $row['ssd'] . '</td>';
	echo '<td>' . $row['bd'] . '</td>';
	echo '<td>' . $row['at'] . '</td>';
	echo '<td>' . $row['giant'] . '</td>';
	echo '<td>' . $row['fm'] . '</td>';
	echo '<td>' . $row['ft'] . '</td>';
	echo '<td>' . $row['ogre'] . '</td>';
	echo '<td>' . $row['banshee'] . '</td></tr>';  }
	echo '</table>'
?>
</body>
</html>

$sql = "SELECT * FROM players WHERE ('$search_by') LIKE ('$search') ";

 

If you echo out your SQL, you should see a problem. You have quotes around the $search_by which tells the database it is a literal string NOT a column name. And why do you have parenthesis around that and the search value?

 

$sql = "SELECT * FROM players WHERE $search_by LIKE '$search' ";

$sql = "SELECT * FROM players WHERE ('$search_by') LIKE ('$search') ";

 

If you echo out your SQL, you should see a problem. You have quotes around the $search_by which tells the database it is a literal string NOT a column name. And why do you have parenthesis around that and the search value?

 

$sql = "SELECT * FROM players WHERE $search_by LIKE '$search' ";

 

LOL. Because I was at the point of trying randomness to make it work...

 

I swear to god I've had it typed just like that about 13,000 times and had it not work. But right now, I'm getting no errors.

 

However, there seems to be a stranger problem. If I select the player option, and type in arrgh, I get nothing.. However, if I select alliance and type in wild mofos it displays some fake crap that I've added testing, not the actual data that I'm requesting, and the name arrgh is in the player column....

 

Is there another way I should be searching rather than LIKE??

 

Have you taken care of this yet?

 

Look really hard at these two lines. Notice anything wonky?

<input type="text" name"search">
<input type="submit" value="search" name="search">

 

Yeah, I just made the submit name submit instead of search...

 

 

$sql = "SELECT * FROM players WHERE ('$search_by') LIKE ('$search') ";

 

If you echo out your SQL, you should see a problem. You have quotes around the $search_by which tells the database it is a literal string NOT a column name. And why do you have parenthesis around that and the search value?

 

$sql = "SELECT * FROM players WHERE $search_by LIKE '$search' ";

 

LOL. Because I was at the point of trying randomness to make it work...

 

I swear to god I've had it typed just like that about 13,000 times and had it not work. But right now, I'm getting no errors.

 

However, there seems to be a stranger problem. If I select the player option, and type in arrgh, I get nothing.. However, if I select alliance and type in wild mofos it displays some fake crap that I've added testing, not the actual data that I'm requesting, and the name arrgh is in the player column....

 

Is there another way I should be searching rather than LIKE??

 

It appears that it's returning those ones because of the space in wild mofos? and those results have no alliance? Not sure though... You can see what I'm on about http://www.pricepcrepair.com/artofwar/browse.php :/

% is the wildcard character.

 

$sql = "SELECT * FROM players WHERE $search_by LIKE '$search%' ";

This will give you data that starts with the letters you searched.

 

$sql = "SELECT * FROM players WHERE $search_by LIKE '%$search' ";

This will give you data that ends with the characters you searched.

 

$sql = "SELECT * FROM players WHERE $search_by LIKE '%$search%' ";

 

This will combine the two, and give you results that start, end, or in-between.

 

 

 

Although it's another subject, you aren't validating/sanitizing/escaping the form data, making it susceptible to sql injection.

 

Sorry for the double post again. But, how would I go about doing ^^ ? Or I guess, do you have time to explain it a bit?

 

 

 

Although it's another subject, you aren't validating/sanitizing/escaping the form data, making it susceptible to sql injection.

 

Sorry for the double post again. But, how would I go about doing ^^ ? Or I guess, do you have time to explain it a bit?

 

This explains it a bit. http://www.zymic.com/tutorials/php/sanitisation-and-validation-in-php/

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.