PHP mySQL search script for website

Question

I highly appreciate that you try to help me. My problem is this script:

<?php include("inc/incfiles/header.inc.php"); ?>
<?php
$list_user_info = $_GET['q'];
if ($list_user_info != "") { 
$get_user_info = mysql_query("SELECT * FROM users WHERE username='$list_user_info'");
$get_user_list = mysql_fetch_assoc($get_user_info);
$user_list = $get_user_list['username'];
$user_profile = "profile.php?user=".$user_list;
$profilepic_info = $get_user_list['profile_pic'];
if ($profilepic_info == "") {
$profilepic_info = "./img/avatar.png";
}
else {
$profilepic_info = "./userdata/profile_pics/".$profilepic_info;
}
if ($user_list != "") {
?>
<br>
<h2>Search</h2>
<hr color="#FF8000"></hr>
<div class="SearchList">
<br><br>
<div style="float: left;">
<a href="<?php echo $user_profile; ?>"><img src="<?php echo $profilepic_info; ?>"   height="50" width="50"></a>
</div>
<?php echo "<h1>".$user_list."</h1>"; ?>
</div>
<?php
}
else {
echo "<br><h3>User was not found</h3>";
}
}
else {
echo "<br><h3>You must specify a search query</h3>";
}
?>

I am creating a search script that takes the mysql databse information and shows the result associated to the search query. My script is the above, but keep in mind the sql connection is established in an extern scipt.

The problem is that i want the script to first check if the user is found with the search query in the username row, and then get the entre information from that user and display it. If the user is not found with the username query, it should try and compare the search query with the name row, and then with the last name row. If no result is displayed it should then return an else statement with an error, eg "No user wsas found"

Yours sincerely, Victor Achton

Answer 1

Do the query as Muhammet Arslan ... but just counting the rows would be faster ...

if(mysql_num_rows($get_user_info)){
    //not found
}

you should add a "Limit 1" at the end if you are just interested in one result (or none).

But read about prepared statements pdo.prepared-statements.php

This is how it should be done in 2013!

Answer 2

Already you did ,but you can improve it by using "AND" or "OR" on ur sql statement.

$get_user_info = mysql_query("SELECT * FROM users WHERE username='$list_user_info' or name = '$list_user_info' or last_name = '$list_user_info'");
$get_user_list = mysql_fetch_assoc($get_user_info);

if(empty($get_user_list))
{
echo "No User was found";
}

and you should control $list_user_info or u can hacked.

Answer 3

Something like this but you don't need 3 queries for this. you can always use OR in mysql statements

$handle1    = mysql_query("SELECT * FROM users WHERE username = $username");        // Username
if (($row   = mysql_fetch_assoc($handle1) !== false) {
    // username is found
} else {
    $handle2    = mysql_query("SELECT * FROM users WHERE name = $name");        // name
    if (($row   = mysql_fetch_assoc($handle2) !== false) {
        // name is found
    } else {
        $handle3   = mysql_query("SELECT * FROM users WHERE lastname = $lastname"); // Last name
        if (($row   = mysql_fetch_assoc($handle3) !== false) {
            // last name is found
        } else {
            // nothing found
        }
    }
}

Answer 4

Here some adapted copy pasting from php.net

Connect

try {
    $dbh = new PDO('mysql:host=localhost;dbname=test', $user, $pass);
    foreach($dbh->query('SELECT * from FOO') as $row) {
        print_r($row);
    }
    $dbh = null;
} catch (PDOException $e) {
    print "Error!: " . $e->getMessage() . "<br/>";
    die();
}

fetch data

$stmt = $dbh->prepare("SELECT * FROM users where name LIKE '%?%'");
if ($stmt->execute(array($_GET['name']))) {
  while ($row = $stmt->fetch()) {
    print_r($row);
  }
}

the rest is your programing ...

And do some reading it's very dangerous to use copied code without understanding !