
Need help with this search script


CodyNPaige


When I open the page in the browser it lists everything that's in my DB without searching for anything. What is wrong that makes it do this?

 

<form method="post" action="<?=$PHP_SELF?>">
<center>
    <table border="0" cellpadding="0" width="100%">
      <tr>
        <td width="30%">
  <p align="right">Search For GID Number:</p></td>
        <td width="80%"><input type="text" name="searchterm"></td>
      </tr>
</table>
</center>
<p align="left">
<input type="submit" value="Search"><br><br>
</form>

<?php
include('fbvar.php');

/*set variables from form */
$searchterm = $_POST['searchterm'];
trim ($searchterm);

/*check if search term was entered*/
if (!$searchterm){
        echo 'Please enter a search term.';
}
/*add slashes to search term (')(")*/
if (!get_magic_quotes_gpc())
{
$searchterm = addslashes($searchterm);

}

/* connects to database*/
@ $dbconn = new mysqli($databaseserver, $databaseuser, $databasepass, $databasename); 
if (mysqli_connect_errno()) 
{
echo 'Error: Could not connect to database.  Please try again later.';
exit;
}

/*query the database*/
$query = "SELECT gid, gift FROM $gifts WHERE gift like '%".$searchterm."%' ORDER BY gid";
$result = $dbconn->query($query);

/*number of rows found*/
$num_results = $result->num_rows;

echo '<p>Found: '.$num_results.'</p>';
/*loops through results*/
for ($i=0; $i <$num_results; $i++)
{
$num_found = $i + 1;
$row = $result->fetch_assoc();
echo "$num_found. ".($row['gid']).' '.($row['gift'])." <br />";
}
/*free database*/
$dbconn->close();
//End of the Search Database form
?>

https://forums.phpfreaks.com/topic/253124-need-help-with-this-search-script/

You should program with all errors displayed.

 

You've used $_POST['searchterm'] before making sure it exists.

You addslashes() the posted data, when you should be stripping slashes if magic_quotes is enabled, and using mysqli->escape_string().

You've used $gifts in your query, though it hasn't been defined anywhere. If it's defined in the include, you should make sure it exists before using it.

You don't check if your query is executing successfully. mysqli->query() will return FALSE if the query has failed, and mysqli->error will be a string containing the error information.

 

To turn on errors, place the code in my signature at the TOP of your script.
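The following is an added example, not the original poster's script or the reply author's signature code. It reworks the search script along the lines of the reply above: errors are displayed, `$_POST['searchterm']` is checked before use, the query result is checked, and the search only runs on a form submission (on a plain GET the original built `LIKE '%%'`, which matches every row, which is why the page listed the whole table). In place of `addslashes()`/`escape_string()` it binds the search term with a mysqli prepared statement, so the value is never spliced into the SQL text at all. It assumes, as the original seems to, that `fbvar.php` defines `$databaseserver`, `$databaseuser`, `$databasepass`, `$databasename` and the table name `$gifts`; the column names `gid` and `gift` are taken from the original query.

```php
<?php
// Added example, not the original poster's code. Assumes fbvar.php defines
// $databaseserver, $databaseuser, $databasepass, $databasename and $gifts.
ini_set('display_errors', '1');
error_reporting(E_ALL);

include('fbvar.php');

$searchterm = '';
$results    = null;   // null = no search run yet, array = rows found
$error      = '';

// Only search when the form was actually submitted. On a plain GET the
// original script ran "... LIKE '%%'" and therefore returned every row.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Check the key exists before reading it, and keep trim()'s return value
    // (the original called trim() and threw the result away).
    $searchterm = isset($_POST['searchterm']) ? trim($_POST['searchterm']) : '';

    if ($searchterm === '') {
        $error = 'Please enter a search term.';
    } elseif (!isset($gifts) || !preg_match('/^[A-Za-z0-9_]+$/', $gifts)) {
        // The table name cannot be bound as a parameter, so it must exist and
        // be a plain identifier before it is placed into the query text.
        $error = 'Error: table name is not configured.';
    } else {
        $dbconn = new mysqli($databaseserver, $databaseuser, $databasepass, $databasename);
        if ($dbconn->connect_errno) {
            $error = 'Error: Could not connect to database. Please try again later.';
        } else {
            // Escape LIKE wildcards so a user typing "%" or "_" searches for
            // those characters literally instead of matching everything.
            // MySQL's default LIKE escape character is the backslash.
            $pattern = '%' . addcslashes($searchterm, '%_\\') . '%';

            $sql  = "SELECT gid, gift FROM `$gifts` WHERE gift LIKE ? ORDER BY gid";
            $stmt = $dbconn->prepare($sql);
            if ($stmt === false) {
                // prepare() returns false on failure; the reason is in ->error
                $error = 'Query error: ' . htmlspecialchars($dbconn->error, ENT_QUOTES, 'UTF-8');
            } else {
                $stmt->bind_param('s', $pattern);
                if (!$stmt->execute()) {
                    $error = 'Query error: ' . htmlspecialchars($stmt->error, ENT_QUOTES, 'UTF-8');
                } else {
                    // bind_result()/fetch() work without the mysqlnd driver,
                    // unlike get_result().
                    $stmt->bind_result($gid, $gift);
                    $results = [];
                    while ($stmt->fetch()) {
                        $results[] = ['gid' => $gid, 'gift' => $gift];
                    }
                }
                $stmt->close();
            }
            $dbconn->close();
        }
    }
}
?>
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8') ?>">
  <p>Search For GID Number:
     <input type="text" name="searchterm"
            value="<?= htmlspecialchars($searchterm, ENT_QUOTES, 'UTF-8') ?>">
     <input type="submit" value="Search"></p>
</form>

<?php if ($error !== ''): ?>
  <p><?= $error ?></p>
<?php elseif ($results !== null): ?>
  <p>Found: <?= count($results) ?></p>
  <?php foreach ($results as $i => $row): ?>
    <?= $i + 1 ?>. <?= htmlspecialchars($row['gid'], ENT_QUOTES, 'UTF-8') ?>
    <?= htmlspecialchars($row['gift'], ENT_QUOTES, 'UTF-8') ?><br />
  <?php endforeach; ?>
<?php endif; ?>
```

Two points beyond the reply: the output is run through `htmlspecialchars()` because `gift` values and the echoed form action come from outside the script, and `$_SERVER['PHP_SELF']` is used instead of the register_globals-era `$PHP_SELF`, which is unset on a default configuration and so produced `action=""` anyway.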
