Dynamically search SQL table and display on HTML using PHP and JavaScript

Question

I have a form where I want the user to select an Organization from a SQL table and when the form is submitted, the ID of the selected organization should be saved to a different table. I researched online and on SO, and this is what I have now. And it does not work. What's wrong? Newbrand.php:

<form action="newbrand.php" method="post">

        Brand Name: <input type="text" name="bname" /><br><br>
        Ogranization: <input type="text" name="searchbar" id="searchbar"><br><br>
        <script>
        $("#searchbar").keyup(function(){
        var searchTerm = $(this).val();

        $.post('search.php', { search_term: searchTerm}, function(data){

            $(".searchResults").html(data);
            $("#searchUl").css("display", "block");
            });
        });
        </script>
        Organization ID: <input type="hidden" name="gid" value="" /><br><br>
        Gallery ID: <input type="text" name="gid" /><br><br>
</form>

Search.php:

<?php
include 'db_connect.php';
$link = mysqli_connect($host, $username, $password, $db);

$search_term = sanitize(htmlentities($_POST['search_term']));

if (!empty($search_term)){

$search = "(SELECT `Organization_Name` FROM `organizations_info` WHERE `Organization_Name` LIKE '%$search_term%'  LIMIT 0, 5) ";
$query = mysqli_query($link, $search);
$result = mysqli_num_rows($query);

while ($row = mysqli_fetch_assoc($query)){
    #$user_id = $row['user_id'];
    #$username = $row['username'];
    $orgname = $row['Organization_Name'];
    $check = mysqli_num_rows($query);



    if ($check != 0){
        echo "<a style='text-decoration: none; color: black;' href='newbrand.php?band=$orgname'><li class='searchResults'>" . ucfirst($orgname) . "</li></a>";
    } else {
        echo "<li class='searchResults'>No Results Found</li>";
    }
}
}
?>

Answer 1

The problem is with your query. It's not passing the value of $search_term , but rather passing it as a string. You may want to use prepared statements and bind the parameter first:

$stmt = mysqli_prepare($link, "SELECT `Organization_Name` FROM `organizations_info` WHERE `Organization_Name` LIKE ? LIMIT 0, 5");
mysqli_stmt_bind_param($stmt, "s", "%{$search_term}%");

mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $organizaton_name);

while (mysqli_stmt_fetch($stmt)) {

}

Reference: mysqli SELECT With Prepared Statements

Answer 2

I searched the web for this function and found this. I copyed your source and got it working like this:

$search = "(SELECT Organization_Name FROM organizations_info WHERE Organization_Name LIKE '%". $search_term . "%' LIMIT 0, 5) ";

As you can see I changed the '%". $search_term . "%' , because you can't just place strings in sql query that is between "", you have to cut it in pieces, hope you understand now. I don't go on this site often, so it would be cool if you send me an mail if it fixed the problem to sceptdeckheroes@gmail.com, would like to hear from you, good luck.