Jump to content

Select statement trouble

dp69_2001

By dp69_2001
in PHP Coding Help

 Share

Recommended Posts

dp69_2001 Newbie

dp69_2001

Posted
Posted

Hey guys, I'm trying to get this working... No errors right now, but I'm not returning any results :/ been messing with it for days.

 

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" />
<label for="search_by">Search By</label>
<select name="search_by">
    <option value"player">Player</option>
    <option value"city">City</option>
    <option value"alliance">Alliance</option>
    <option value"browse">Browse</option>
    </select>
    <input type="text" name"search">
    <input type="submit" value="search" name="search">
<?php
	$search_by = $_POST['search_by'];
$search = $_POST['search'];

	echo "<table><tr><td>Player</td><td>city</td><td>alliance</td><td>x</td><td>y</td><td>other</td><td>porters</td><td>conscripts</td><td>Spies</td><td>HBD</td><td>Minos</td><td>LBM</td><td>SSD</td><td>BD</td><td>AT</td><td>Giants</td><td>Mirrors</td><td>Fangs</td><td>ogres</td><td>banshee</td></tr>" ; 	

$dbc = mysqli_connect('xx', 'xx', 'xx', 'xx') or die ('Error connecting to MySQL server');

$sql = "SELECT * FROM players WHERE ('$search_by') LIKE ('$search') ";
//problem is here^^?? 
$result = mysqli_query($dbc,$sql)
  or die("Error: " .mysqli_error($dbc));

 

Not sure, any help would be greatly appreciated. :)

 

Link to comment
Share on other sites
Pikachu2000 Prolific Member

Pikachu2000

Posted
Posted

Do the field names match the option values exactly?

Why are you using a LIKE search without using any kind of wildcard operator? All you'll get back that way are exact matches.

Where is the logic that would display any returned results?

 

Although it's another subject, you aren't validating/sanitizing/escaping the form data, making it susceptible to sql injection.

Link to comment
Share on other sites
dp69_2001 Newbie

dp69_2001

Posted
  • Author
Posted

Do the field names match the option values exactly?

Why are you using a LIKE search without using any kind of wildcard operator? All you'll get back that way are exact matches.

Where is the logic that would display any returned results?

 

Although it's another subject, you aren't validating/sanitizing/escaping the form data, making it susceptible to sql injection.

 

The names match, I'm not sure how to use a wildcard operator. I'm really new to coding.

 

the logic is just a table. It works if I specify a select statement without the search:

 

$result = mysqli_query($dbc,$sql)
  or die("Error: " .mysqli_error($dbc));



	while ($row = mysqli_fetch_array ($result)) {
	echo '<tr><td>' . $row['player'] . '</td>';
	echo '<td>' . $row['city'] . '</td>';
 	echo '<td>' . $row['alliance'] . '</td>';
 	echo '<td>' . $row['x'] . '</td>';
	echo '<td>' . $row['y'] . '</td>';
	echo '<td>' . $row['other'] . '</td>';
	echo '<td>' . $row['porter'] . '</td>';
	echo '<td>' . $row['cons'] . '</td>';
	echo '<td>' . $row['spy'] . '</td>';
	echo '<td>' . $row['hbd'] . '</td>';
	echo '<td>' . $row['mino'] . '</td>';
	echo '<td>' . $row['lbm'] . '</td>';
	echo '<td>' . $row['ssd'] . '</td>';
	echo '<td>' . $row['bd'] . '</td>';
	echo '<td>' . $row['at'] . '</td>';
	echo '<td>' . $row['giant'] . '</td>';
	echo '<td>' . $row['fm'] . '</td>';
	echo '<td>' . $row['ft'] . '</td>';
	echo '<td>' . $row['ogre'] . '</td>';
	echo '<td>' . $row['banshee'] . '</td></tr>';  }
	echo '</table>'
?>
</body>
</html>

Link to comment
Share on other sites
DavidAM Member

DavidAM

Posted
Posted 

$sql = "SELECT * FROM players WHERE ('$search_by') LIKE ('$search') ";

 

If you echo out your SQL, you should see a problem. You have quotes around the $search_by which tells the database it is a literal string NOT a column name. And why do you have parenthesis around that and the search value?

 

$sql = "SELECT * FROM players WHERE $search_by LIKE '$search' ";

Link to comment
Share on other sites
dp69_2001 Newbie

dp69_2001

Posted
  • Author
Posted 

$sql = "SELECT * FROM players WHERE ('$search_by') LIKE ('$search') ";

 

If you echo out your SQL, you should see a problem. You have quotes around the $search_by which tells the database it is a literal string NOT a column name. And why do you have parenthesis around that and the search value?

 

$sql = "SELECT * FROM players WHERE $search_by LIKE '$search' ";

 

LOL. Because I was at the point of trying randomness to make it work...

 

I swear to god I've had it typed just like that about 13,000 times and had it not work. But right now, I'm getting no errors.

 

However, there seems to be a stranger problem. If I select the player option, and type in arrgh, I get nothing.. However, if I select alliance and type in wild mofos it displays some fake crap that I've added testing, not the actual data that I'm requesting, and the name arrgh is in the player column....

 

Is there another way I should be searching rather than LIKE??

 

Link to comment
Share on other sites
dp69_2001 Newbie

dp69_2001

Posted
  • Author
Posted 

$sql = "SELECT * FROM players WHERE ('$search_by') LIKE ('$search') ";

 

If you echo out your SQL, you should see a problem. You have quotes around the $search_by which tells the database it is a literal string NOT a column name. And why do you have parenthesis around that and the search value?

 

$sql = "SELECT * FROM players WHERE $search_by LIKE '$search' ";

 

LOL. Because I was at the point of trying randomness to make it work...

 

I swear to god I've had it typed just like that about 13,000 times and had it not work. But right now, I'm getting no errors.

 

However, there seems to be a stranger problem. If I select the player option, and type in arrgh, I get nothing.. However, if I select alliance and type in wild mofos it displays some fake crap that I've added testing, not the actual data that I'm requesting, and the name arrgh is in the player column....

 

Is there another way I should be searching rather than LIKE??

 

It appears that it's returning those ones because of the space in wild mofos? and those results have no alliance? Not sure though... You can see what I'm on about http://www.pricepcrepair.com/artofwar/browse.php :/

Link to comment
Share on other sites
jcbones Newbie

jcbones

Posted
Posted

% is the wildcard character.

 

$sql = "SELECT * FROM players WHERE $search_by LIKE '$search%' ";

This will give you data that starts with the letters you searched.

 

$sql = "SELECT * FROM players WHERE $search_by LIKE '%$search' ";

This will give you data that ends with the characters you searched.

 

$sql = "SELECT * FROM players WHERE $search_by LIKE '%$search%' ";

 

This will combine the two, and give you results that start, end, or in-between.

 

Link to comment
Share on other sites
jcbones Newbie

jcbones

Posted
Posted

 

 

Although it's another subject, you aren't validating/sanitizing/escaping the form data, making it susceptible to sql injection.

 

Sorry for the double post again. But, how would I go about doing ^^ ? Or I guess, do you have time to explain it a bit?

 

This explains it a bit. http://www.zymic.com/tutorials/php/sanitisation-and-validation-in-php/

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.