PHP and MySql Search Form

Hello There,
Need some help with a database I am working on (MySQL and PHP).
Here is the basic data:
Database Name= Customer
Table Name=CustomerId

Table Row= | CustPhone | CustId | CustAdd | CustCity | CustState
1st row = 7871231123+ N123 + 123 Elm St + New York+ NY

Basically I need a search form that's able to pull the customer profile when I enter the customer's phone number, the ID, or the address with city and state,
but my search is returning "You forgot to enter a search term". What's wrong with the code?

The first one is Customerform.php


<html>

<head>
<title>Searching for a customer...</title>
</head>

<h2>Search</h2>

<form name="search" method="post" action="custsearch.php">
Search for: <input type="text" name="find" /> in
<Select NAME="field">
<Option VALUE="CustPhone">Phone Number</option>
<Option VALUE="CustId">Cust ID</option>
<Option VALUE="CustAdd">Address</option>
<Option VALUE="CustCity">City</option>
<Option VALUE="CustState">State</option>
</Select>

<input type="submit" name="search" value="Search" />
</form>

</body>

</html>

and the 2nd is custsearch.php


<html>
<head><title>Searching for a Customer...</title>
</head>

<?php

echo "<h2>Search Results:</h2><p>";

//If they did not enter a search term we give them an error
if ($find == "")
{
echo "<p>You forgot to enter a search term!!!";
exit;
}

// Otherwise we connect to our Database
mysql_connect("localhost:8888", "Admin", "xxxx") or die(mysql_error());
mysql_select_db("customer") or die(mysql_error());

echo "Successful Connection </br> <hr />";

mysql_select_db("customer") or die (mysql_error());
echo "Connected to Database </br> <hr />";

// We perform a bit of filtering
$find = strtoupper($find);
$find = strip_tags($find);
$find = trim ($find);

//Now we search for our search term, in the field the user specified
$data = mysql_query("SELECT * FROM bldgid WHERE upper($field) LIKE'%$find%'");

//And we display the results
while($result = mysql_fetch_array( $data ))
{
echo $result['CustPhone'];
echo " ";
echo $result['CustId'];
echo "<br>";
echo $result['CustAdd'];
echo "<br>";
echo "<br>";
}

//This counts the number of results - and if there weren't any it gives them a little message explaining that
$anymatches=mysql_num_rows($data);
if ($anymatches == 0)
{
echo "Sorry, but we can not find an entry to match your query...<br><br>";
}

//And we remind them what they searched for
echo "<b>Searched For:</b> " .$find;
//}
?> 


</body>
</html>


Any suggestions? Thanks!!!

I think I might have misread your post… Give me a second here… (It’s been a long day. :wink: )

Why are you wrapping field in upper()?

Ah, I think I got it… Change your if to the following:

if ($_POST['find'] == "")

(But make sure you sanitize that.)

I’d use

if(empty($_POST['find'])){ echo 'no search term'; }

versus “”
Type Comparison

Thanks for the quick reply guys!!
I made a couple of changes and fixed a couple of mistakes but I'm still not able to pull the customer's profile… Any other suggestions? Now I am getting
Sorry, but we can not find the customer…

Your form is giving you the data in $_POST method, but you are not reading these values in the second half of your script.


$find = $_POST['find'];
$field = $_POST['field'];

As mentioned by Wolf22, you need to check the data coming in on the text field for SQL attack before giving it as a basis to query your database.

OK, so it should look like this (I'm not home so I can't really test it):


<html>
<head><title>Searching for a Customer...</title>
</head>
<?php
echo "<h2>Search Results:</h2><p>";
//If they did not enter a search term we give them an error
$find = $_POST['find'];
$field = $_POST['field'];
{
echo "<p>You forgot to enter a search term!!!";
exit;
}
// Otherwise we connect to our Database
mysql_connect("localhost:8888", "Admin", "xxxx") or die(mysql_error());
mysql_select_db("customer") or die(mysql_error());

No, you need to sanitise $_POST['find'], etc. There are many threads on this board about how to do it.

OK, thanks guys, I will look into this right away!!
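
The input handling the replies ask for, as an added example that is not code from any poster in this thread: the `field` value is checked against a fixed allowlist (column names cannot be bound as parameters) and the search term is passed as a bound parameter instead of being interpolated into the SQL. Assumptions: PDO is used because the `mysql_*` functions were removed in PHP 7, an in-memory SQLite database stands in for the MySQL server so the block runs on its own, the table name `CustomerId` follows the first post, and `searchCustomers` and `SEARCHABLE` are hypothetical names.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO with in-memory
// SQLite stands in for MySQL; table and sample row follow the first post.

// The form's "field" value becomes a column name, which cannot be a bound
// parameter, so it must match this fixed list exactly.
const SEARCHABLE = ['CustPhone', 'CustId', 'CustAdd', 'CustCity', 'CustState'];

function searchCustomers(PDO $db, array $post): array
{
    $find  = trim($post['find'] ?? '');
    $field = $post['field'] ?? '';
    if ($find === '') {
        throw new InvalidArgumentException('You forgot to enter a search term');
    }
    if (!in_array($field, SEARCHABLE, true)) {
        throw new InvalidArgumentException('Unknown search field');
    }
    // Escape LIKE wildcards so "%" or "_" typed by the user match literally.
    $pattern = '%' . strtr($find, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
    // $field is now one of the five literals above; the term is bound.
    $stmt = $db->prepare(
        "SELECT CustPhone, CustId, CustAdd, CustCity, CustState
           FROM CustomerId
          WHERE $field LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE CustomerId (CustPhone TEXT, CustId TEXT, CustAdd TEXT, CustCity TEXT, CustState TEXT)');
$db->exec("INSERT INTO CustomerId VALUES ('7871231123', 'N123', '123 Elm St', 'New York', 'NY')");

// Constructed stand-in for $_POST as the search form would submit it.
foreach (searchCustomers($db, ['find' => '787', 'field' => 'CustPhone']) as $row) {
    // Encode on output; values read back from the database are not trusted HTML.
    echo htmlspecialchars(implode(' | ', $row), ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

Against the real database, only the `new PDO(...)` line changes to a MySQL DSN with the site's own credentials; the query and the checks stay the same.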