Search function not working

[PiggyPiglet]

Hi, Currently i'm in the process of making a minecraft shop. I have a custom made plugin for the server that sends info to MySQL. It sends the UUID, player name and donation rank. When the donation rank is changed, the ingame rank is changed. Basically I wan't players to type their names in and then php searches for the name. If the name is there, they get accepted through to the store page. When a user buys a rank or perk, the website sends a query changing the donation rank number. I'm struggling with the search part atm. Heres my code.

<!DOCTYPE html>
<form  method="post" action="testy.php"searchform">
  <input  type="text" name="name">
  <input  type="submit" name="submit" value="Search">
</form

<?php

 if(preg_match("/^[  a-zA-Z]+/", $_REQUEST['name'])){

 $name=$_REQUEST['name'];

$servername = "removed";

$username = "removed";

$password = "removed";

$dbname = "removed";

 

// Create connection

$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection

if ($conn->connect_error) {

    die("Connection failed: " . $conn->connect_error);

} 

  //-query  the database table

  $sql="SELECT  UUID, player_name, donation_rank FROM store_data WHERE player_name LIKE '%" . $player_name .  "%' ";

 

   //-run  the query against the mysql query function

$result = $conn->query($sql);

 

    //-create  while loop and loop through result set

    while($row=mysql_fetch_array($result)){

      $UUID  =$row['UUID'];

      $player_name=$row['player_name'];

      $donation_rank=$row['donation_rank'];

 

  //-display the result of the array

  echo "<ul>\n";

  echo "<li>" . "<a  href=\"search.php?id=$UUID\">"   .$UUID . " " .  "</a></li>\n" ;

  echo  $donation_rank . " " .  "</a>\n";

  echo "</ul>";

}

?>

 

 

[bsmither]

Please verify the name of the variable you have assign $_REQUEST['name'] to, versus the name of the variable in the query.

[PiggyPiglet]

I'm not sure. I just got this code from a website. Sorry i'm very new to php. 

Cant find the website.. Really sorry. I think the $_REQUEST['name'] is in the html file tho. <input type="text" name="name">

[Jacques1]

If you want help, you'll have to be a lot more specific than “It doesn't work”.

 

Are you getting an error message? If so, which one? A blank page? Something else? What's the content of $_REQUEST after you've received the form parameters?

var_dump($_REQUEST);

Note that using $_REQUEST is generally a bad idea, because it's a mixture of many different sources (form parameters, URL parameters, cookies, ...). If the sources happen to share some names, the parameters will overwrite each other, which can lead to bugs and even security vulnerabilities. What you should do instead is use specific sources like $_POST.

 

Also note that you have a syntax error in your HTML markup:

<form  method="post" action="testy.php"searchform">

The closing form tag is also incomplete (but maybe that's just a copy-and-paste error).

 

In any case, let's not play hide-and-seek. Tell us what your problem is, and we'll try to help you.

[mac_gyver]

the suggestion bsmither made has to do with a variable you are assigning a value to on line 3 in the posted code and a later line of code that's supposed to be using that same variable to supply a value to the sql query statement. they don't match and you would have probably gotten them correct if you had just written the code yourself rather than copy it from somewhere on the web.

 

here's a laundry list of things your code should/shouldn't be doing -

 

1) use a get method form for a search function.

 

2) don't use $_REQUEST variables. Use the proper $_GET, $_POST, or $_COOKIE that you expect the data to be in.

 

3) when you validate input data, set up and output a message to the visitor when that data isn't valid. what happens now if a submitted name doesn't match your preg_match() statement? don't leave the visitor wondering why a web page doesn't display anything.

 

4) use a prepared query to supply data to the sql query statement. your current code, that's putting the (wrong) php variable directly into the sql query statement, is open to sql injection (someone could inject sql and get your current code to display the complete contents of any database table you have.) unfortunately, the php mysqli extension is not the best choice to use, ever, and more so with prepared queries. if you can switch to use the php PDO extension.

 

5) don't unconditionally output database errors to the visitor (your connection code now). unfortunately, your code isn't even checking for an error when it runs the sql query statement. the easiest way of checking for errors is to use exceptions. this will eliminate the need to add program logic at each database statement that can fail with an error (the connection and query statements.) if you let php catch the exception, it will use the php error_reporting/display_errors/log_errors settings to control what will happen with the actual error information. when learning, developing, and debugging php code, you would display all errors. on a live server, you would log all errors.

 

6) for a search, if the query doesn't match any data, set up and output a message to the visitor telling them so. again, don't leave the visitor wondering why a web page isn't displaying anything.

 

7) when updating old mysql_ based code, you have to update all the mysql_ statements. you missed one and there would be a run-time php error alerting you to the problem. do you have php's error_reporting set to E_ALL and display_errors set to ON (preferably in the php.ini on your development system) so that php would help you by reporting and displaying all the errors it detects?

 

you should separate the database specific code (that knows how to query and retrieve data) from the presentation code (that knows how to produce the output from the data.) doing this will make it easier to test your code and make your code more general purpose and easier to reuse. the way to do this is to store the fetched data into a php variable in the database specific code, then just use that php variable in the presentation code. this also makes it easy to implement item #6. you can just test if the php variable is empty or not to output the message to the visitor.

 

9) there's no good reason to copy values from one variable to another. when you switch to use a prepared query for the search, you would just use $_GET['name'] in the code. this would eliminate (one of) the current problems in the code. when you loop over the data from the query, don't copy values from the $row[...] variables into other variables. this is just wasting your time typing (and i'm pretty sure you are not doing this as part of a typing class.) just use the $row[...] variable where it is needed.

 

10) when outputting dynamic/variable values on a web page, because they can consist of any value that was allowed to be input/created, you need to apply htmlentities() to the output.

 

11) you can put php variable directly inside of a double-quoted string. this will simplify your code when producing output. you have a mess now and there's at least one extra </a> and some missing or misplaced <li></li> tags.

 

12) you should validate the html that your code outputs at validator.w3.org this would help find some of the problems mentioned in item #11.

 

13) if you store your database connection credentials in an external .php file and require it into your main code, you won't have to take the time to edit code when posting it on a help forum. 

Edited December 15, 2016 by mac_gyver