  1. #1
    SitePoint Zealot WebFreakz's Avatar

    Question ?? Searching MySQL whole table using PHP ??

    Ok here is my code that I am currently using to search the whole table for the search term... I am posting this up here because it does not work! It doesn't even find the search term in any of the fields in the table.

    PHP Code:
    $q1 = "select * from members where members.firstname and members.lastname like '%$_GET[SearchTerm]%' order by firstname limit $Start, $ByPage";

  2. #2
    play of mind Ernie1's Avatar
    Join Date
    Sep 2005
    Posts
    1,252
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Try this:
    Code:
    SELECT *
      FROM members
     WHERE members.firstname LIKE '%x%'
       AND members.lastname LIKE '%y%'
     LIMIT $Start, $ByPage
    my mobile portal
    ghiris.ro

  3. #3
    SitePoint Zealot WebFreakz's Avatar
    Join Date
    Dec 2006
    Posts
    126
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally posted by Ernie1:
    Try this:
    Code:
    SELECT *
      FROM members
     WHERE members.firstname LIKE '%x%'
       AND members.lastname LIKE '%y%'
     LIMIT $Start, $ByPage
    Thanks for the help. I tried what you suggested; here is the code, but it still does not work at all.

    PHP Code:
    $q1 = "SELECT * FROM members 
    WHERE members.firstname like '%$_GET[SearchTerm]%' 
    AND members.lastname like '%$_GET[SearchTerm]%' 
    order by firstname limit $Start, $ByPage";

  4. #4
    play of mind Ernie1's Avatar
    Join Date
    Sep 2005
    Posts
    1,252
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    or this:
    Code:
    SELECT *
      FROM members
     WHERE members.firstname LIKE '%x%'
        OR members.lastname LIKE '%y%'
     LIMIT $Start, $ByPage
    my mobile portal
    ghiris.ro

  5. #5
    SQL Consultant gold trophysilver trophybronze trophy
    r937's Avatar
    using AND simply means that the search term must be found in ~both~ columns, which is unlikely unless your name is John St. John or Todd McToddleberry

    try OR instead

    alternatively, try this --
    Code:
    WHERE CONCAT(firstname,lastname) LIKE '%$_GET[SearchTerm]%'
    rudy.ca | @rudydotca
    Buy my SitePoint book: Simply SQL
    "giving out my real stuffs"

  6. #6
    SitePoint Zealot WebFreakz's Avatar
    Originally posted by r937:
    using AND simply means that the search term must be found in ~both~ columns, which is unlikely unless your name is John St. John or Todd McToddleberry

    try OR instead

    alternatively, try this --
    Code:
    WHERE CONCAT(firstname,lastname) LIKE '%$_GET[SearchTerm]%'
    Thanks for the help all. I tried what you suggested and I have had no luck. I tried using OR and I also tried
    Code:
    WHERE CONCAT(firstname,lastname) LIKE '%$_GET[SearchTerm]%'
    Still no luck. Pffffff

  7. #7
    SQL Consultant gold trophysilver trophybronze trophy
    r937's Avatar
    define "no luck"

    the server crashed? you got a php error? you got a mysql error? the query didn't return any results? the query ran but returned the wrong results?

    my Microsoft® CrystalBall© software is down at the moment...
    rudy.ca | @rudydotca
    Buy my SitePoint book: Simply SQL
    "giving out my real stuffs"

  8. #8
    SitePoint Zealot WebFreakz's Avatar
    Originally posted by r937:
    define "no luck"

    the server crashed? you got a php error? you got a mysql error? the query didn't return any results? the query ran but returned the wrong results?

    my Microsoft® CrystalBall© software is down at the moment...
    Ok, I got it working using OR. I must not have refreshed the page after I made the code change. Thanks all, problem solved... One more problem I will be posting in a new thread. Thanks again, all.

  9. #9
    SitePoint Wizard bronze trophy Kailash Badu's Avatar
    Join Date
    Nov 2005
    Posts
    2,560
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Plus, never ever use $_GET directly in a SQL query though. It should be properly cleaned and escaped before you do that, else you run the risk of being attacked.

  10. #10
    SitePoint Zealot WebFreakz's Avatar
    Join Date
    Dec 2006
    Posts
    126
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally posted by Kailash Badu:
    Plus, never ever use $_GET directly in a SQL query though. It should be properly cleaned and escaped before you do that, else you run the risk of being attacked.
    Thank you. So I should do something along the lines of this...
    $Search = $_GET[]

    Then use $Search in my query??

  11. #11
    Non-Member
    There is no problem with the $_GET array itself. You can use it if you wish. As well as a $search variable, which just looks more handy.

    But when building an SQL query, you have to follow a few simple but strict rules.
    If you put data into a query, add quotes (as you did) and apply the mysql_real_escape_string() function to the data. You have to do it always, no exceptions, no matter where the data has come from - user input, a text file, another query or anything. Quotes on the sides and mysql_real_escape_string().

    So, it should be like this:
    Code PHP:
    $Search=mysql_real_escape_string($_GET['SearchTerm']);
    $q1 = "SELECT * FROM members 
    WHERE members.firstname like '%$Search%' 
    AND members.lastname like '%$Search%' 
    order by firstname limit $Start, $ByPage";
    That's simple.
    But this applies only to data passed to the query. And there are other parts of the query.
    The $Start and $ByPage variables, for example, you can't treat that way.
    So, there is another rule:
    For any identifier or control structure in the query, never take it from user input. It must be evaluated in your script.
    $Start and $ByPage must be evaluated or, if passed to the script ready to use, must be cast to integer using intval().

    Same for identifiers. I hope you never add a table name to the query dynamically, but sometimes you need to add field names. E.g. you call your script like this:
    table.php?sortby=name
    where name is one of the table's fields.
    You shouldn't pass it to the query!
    And you can't defend it with quotes.
    So, evaluate it like this:
    Code PHP:
    $orders=array("name","price","qty");
    // an unknown sortby gives false, which PHP uses as index 0 ("name")
    $key=array_search($_GET['sortby'],$orders);
    $orderby=$orders[$key];
    $query="SELECT * FROM `table` ORDER BY $orderby";
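
The rules from the post above (data never spliced into the SQL text, paging values forced to integers, identifiers picked from a fixed list), shown with PDO prepared statements as an added example that is not part of the original thread. It assumes the pdo_sqlite extension and a constructed `members` table, and `searchMembers()` is a hypothetical helper. It goes one step beyond the thread by escaping the LIKE wildcards `%` and `_`, which mysql_real_escape_string() leaves untouched; the mysql_* functions themselves were removed in PHP 7.

```php
<?php
// Added example: constructed table and rows in an in-memory SQLite database
// (assumes pdo_sqlite); the thread's real schema is not shown on the page.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE members (firstname TEXT, lastname TEXT)");
$pdo->exec("INSERT INTO members VALUES
    ('John', 'St. John'), ('Ann', 'O''Brien'), ('Percy', '100%_sure')");

// Hypothetical helper: search both name columns for one term.
function searchMembers(PDO $pdo, $term, $sortBy, $start, $byPage)
{
    // Identifiers cannot be bound as parameters: pick from a fixed list and
    // fall back to the first entry when the request value is unknown.
    $orders  = array('firstname', 'lastname');
    $key     = is_string($sortBy) ? array_search($sortBy, $orders, true) : false;
    $orderBy = $orders[$key === false ? 0 : $key];

    // Wildcards typed by the user are data, not pattern: escape them with '!'.
    $term    = is_string($term) ? $term : '';
    $pattern = '%' . strtr($term, array('!' => '!!', '%' => '!%', '_' => '!_')) . '%';

    $sql = "SELECT firstname, lastname FROM members
             WHERE firstname LIKE :p1 ESCAPE '!'
                OR lastname  LIKE :p2 ESCAPE '!'
             ORDER BY $orderBy
             LIMIT :start, :bypage";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':p1', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':p2', $pattern, PDO::PARAM_STR);
    // Paging values are forced to sane integers before binding.
    $stmt->bindValue(':start',  max(0, (int) $start),  PDO::PARAM_INT);
    $stmt->bindValue(':bypage', max(1, (int) $byPage), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A quote in the term is matched literally instead of ending the SQL string.
print_r(searchMembers($pdo, "O'Br", 'lastname', 0, 10));
// '%' matches only the row that contains a percent sign; the unknown sort
// column falls back to firstname.
print_r(searchMembers($pdo, '%', 'no_such_column', '0', '10'));
```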

  12. #12
    SitePoint Wizard bronze trophy
    PHP Code:
    $q1 = "SELECT * FROM members 
    WHERE members.firstname like '%{$_GET['SearchTerm']}%' 
    OR members.lastname like '%{$_GET['SearchTerm']}%' 
    order by firstname limit $Start, $ByPage";

