I'm trying to make an empty select option that, when nothing is selected, returns all the results. The AND in the SELECT forces me to choose some option; how can I resolve this? Here is the code:
<form action="index2.php" method="post" >
<input type="hidden" name="submitted" value="true">
<label for="">Nome:
    <input type="text" name="nome" />
</label>
<label for="">Tipo:
    <select name="tipo" id="">
        <option value=""></option>
        <option value="P">Personagem</option>
        <option value="R">Reino</option>
        <option value="I">Item</option>
        <option value="A">Ação</option>
    </select>
</label>
<label for="">Vida: 
    <input type="text" name="vida">
</label>
<label for="">Força: 
    <input type="text" name="forca">
</label>
<input type="submit">
</form>
--
$nome = $_POST['nome'];
$tipo = $_POST['tipo'];
$vida = $_POST['vida'];
$forca = $_POST['forca'];
$query = "SELECT * 
FROM WoH 
WHERE NOME LIKE '%".$nome."%' 
AND `TIPO` = '$tipo' 
AND `VD` = '$vida'
";
The search does not work because there is no "" row in my TIPO column. If I remove the empty option, leaving the "Personagem" option as the default, it only searches for characters. How can I make it so that when the user wants to search the cards of ALL types, the default option gives me that result?
Unrelated to the problem in the question (already answered by @Jorgeb.), your query leaves room for SQL injection. Take a look at this question: http://answall.com/questions/3864/
– Bacco
I have the following function in this file, which I did not paste here: `function escape($string) { return htmlentities(trim($string), ENT_QUOTES, 'UTF-8'); }`. This solves it, doesn't it?
– Matt Costa
That is not exactly the case: htmlentities serves to generate output for display in HTML, not for use in the database. For example, htmlentities converts `<` into `&lt;`, and so on. The ideal is to use binding, as described in the link. The way you did it "gives a good disguise", but it gets a bit confusing. mysqli does this automatically for you; just use stmt bind_param: http://www.php.net/manual/en/mysqli-stmt.bind-param.php
– Bacco
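As an added example (not code from the original question or from either commenter), here is the same search rewritten to address both points raised in the thread: a condition is added to the WHERE clause only for fields the user actually filled in, so an empty `tipo` (or `vida`) means "all", and every value is bound through a mysqli prepared statement, as Bacco suggests, instead of being concatenated into the SQL string. The table `WoH` and the columns `NOME`, `TIPO` and `VD` come from the question; the function names, the database credentials and the `%`/`_` escaping for LIKE are assumptions of this example.

```php
<?php
// Added example, not from the original post. Builds the WHERE clause from the
// filled-in form fields only and binds all values with mysqli prepared statements.

// Make mysqli throw exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Returns [$sql, $types, $params], ready for mysqli_stmt::bind_param.
// A field that is empty contributes no condition, so an empty <select> means "any type".
function buildSearchQuery(array $input): array
{
    $conditions = [];
    $types = '';
    $params = [];

    $nome = trim((string)($input['nome'] ?? ''));
    if ($nome !== '') {
        // Escape LIKE metacharacters so that a user typing "%" does not match every row.
        // MySQL's default LIKE escape character is the backslash (assumption: default sql_mode).
        $escaped = addcslashes($nome, '\\%_');
        $conditions[] = 'NOME LIKE ?';
        $types .= 's';
        $params[] = '%' . $escaped . '%';
    }

    $tipo = trim((string)($input['tipo'] ?? ''));
    if ($tipo !== '') {
        // The original query had AND `TIPO` = '$tipo' unconditionally, which is why the
        // empty option matched nothing. Now the condition exists only when a type was chosen,
        // and the value is a bound parameter, so an unexpected value is harmless.
        $conditions[] = '`TIPO` = ?';
        $types .= 's';
        $params[] = $tipo;
    }

    $vida = trim((string)($input['vida'] ?? ''));
    if ($vida !== '') {
        $conditions[] = '`VD` = ?';
        $types .= 's';
        $params[] = $vida;
    }
    // "forca" is posted by the form but the original query did not filter on it; left out here too.

    $sql = 'SELECT * FROM WoH';
    if ($conditions !== []) {
        $sql .= ' WHERE ' . implode(' AND ', $conditions);
    }
    return [$sql, $types, $params];
}

// Prepares, binds and runs the search; returns the rows as associative arrays.
// get_result() requires the mysqlnd driver (the default in modern PHP builds).
function runSearch(mysqli $db, array $input): array
{
    [$sql, $types, $params] = buildSearchQuery($input);
    $stmt = $db->prepare($sql);
    if ($types !== '') {
        // Argument unpacking passes the values by reference, as bind_param requires (PHP >= 5.6).
        $stmt->bind_param($types, ...$params);
    }
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Without a database: inspect what is built when "tipo" is left empty.
[$sql, $types, $params] = buildSearchQuery(['nome' => 'Dragão', 'tipo' => '', 'vida' => '']);
var_dump($sql, $types, $params);

// With a database (credentials are placeholders, not from the original page).
if (isset($_POST['submitted'])) {
    $db = new mysqli('localhost', 'user', 'password', 'database');
    $db->set_charset('utf8mb4');
    foreach (runSearch($db, $_POST) as $card) {
        echo htmlspecialchars($card['NOME'], ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
}
```

Note the division of labour: escaping with `htmlentities` (or `htmlspecialchars`, as in the output loop above) belongs at the point where a value is written into HTML, while the SQL side is protected by binding, never by string escaping of the query text.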