Please check out this mock up of a search on my site:
LINK EXPIRED
The search doesn't return any results and no error messages are shown, why is this?
I have taken out my person information ie. host/username/password
HTML:
<h2>Search</h2>
<form name="search" method="post" action="<?=$PHP_SELF?>">
Seach for: <input type="text" name="find" /> in
<Select NAME="field">
<Option VALUE="fname">First Name</option>
<Option VALUE="lname">Last Name</option>
<Option VALUE="info">Profile</option>
</Select>
<input type="hidden" name="searching" value="yes" />
<input type="submit" name="search" value="Search" />
</form>
php:
<?php
//This is only displayed if they have submitted the form
if ($searching =="yes")
{
echo "<h2>Results</h2><p>";
//If they did not enter a search term we give them an error
if ($find == "")
{
echo "<p>You forgot to enter a search term";
exit;
}
// Otherwise we connect to our Database
mysql_connect("MYHOST", "MYUSERNAME", "MYPASSWORD") or die(mysql_error());
mysql_select_db("MYDATABSENAME") or die(mysql_error());
// We preform a bit of filtering
$find = strtoupper($find);
$find = strip_tags($find);
$find = trim ($find);
//Now we search for our search term, in the field the user specified
$data = mysql_query("SELECT * FROM users WHERE upper($field) LIKE'%$find%'");
//And we display the results
while($result = mysql_fetch_array( $data ))
{
echo $result['fname'];
echo " ";
echo $result['lname'];
echo "<br>";
echo $result['info'];
echo "<br>";
echo "<br>";
}
//This counts the number or results - and if there wasn't any it gives
them a little message explaining that
$anymatches=mysql_num_rows($data);
if ($anymatches == 0)
{
echo "Sorry, but we can not find an entry to match your query<br><br>";
}
//And we remind them what they searched for
echo "<b>Searched For:</b> " .$find;
}
?>
Thanks!
Jmames
You are assuming the server is using register_globals , which is a terrible terrible thing. You should do something like if ($_POST['searching'] =="yes")
instead. This is probaly also why nothing happens.
The docs says
This feature has been DEPRECATED as of PHP 5.3.0. Relying on this feature is highly discouraged.
Your code is also extremely vulnerable to SQL injection , which you can fix with mysql_real_escape_string .
Your query should look like this
$data = mysql_query("SELECT * FROM users WHERE upper(".mysql_real_escape_string($field).") LIKE'%".mysql_real_escape_string($find)."%'");
Did you write:
$searching = $_POST['searching'];
Before:
if ($searching =="yes")
?
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.