I am listing some information from the mysql database, something very simple at first but I have the following problem:
I run the code to search from a form and list the data according to the search. The problem is that, for some terms that do appear in the database, PHP returns "nothing found". What is strange is that if I run the same query directly in SQL it returns all the data correctly, as it is in the database.
SUMMARY: I DO THE SEARCH WITH PHP USING A FORM, BUT IN SEVERAL CASES IT RETURNS "NOT FOUND". BUT IF I RUN THE SAME CODE DIRECTLY IN SQL, IT RETURNS THE DATA CORRECTLY.
MY SEARCH CODE:
SELECT * FROM `NOME DA TABELA` WHERE title LIKE '%$pesquisa%' OR code LIKE '%$pesquisa%'
This process is so simple that I'm losing my hair over this mistake. Could someone do me a great favor and give me an idea?
You are probably having a problem with SQL injection. It is not causing a "hack", but it is causing a syntax error in the query, and since you do not handle errors (you probably wrote the PHP badly), you do not know that there was an error and just send "nothing found" to the output. Instead of building the query from strings in PHP, prefer bind_param (https://www.php.net/manual/en/mysqli-stmt.bind-param.php), which will solve both SQL injection and the syntax errors generated by the variables, or you can also use mysqli_real_escape_string on the variables. – Guilherme Nascimento
I voted to close because your question is not clear, and with the little information given one can only assume that the error is a syntax error because the variable $pesquisa has not been handled, so the questions I linked above should teach you how to use bind_param or mysqli_real_escape_string. – Guilherme Nascimento
@Guilhermenascimento Your answer was very good, thank you very much. I am now redoing the code and I will handle the errors; I will also follow the guidelines. I will give feedback as soon as I can.
– André Garcia
Problem solved by following the guidance of @Guilhermenascimento above. I redid the code using PDO and ran the query with prepare and bindValue. The query became: "SELECT * FROM 'table name' WHERE title LIKE ?" with bindValue(1, $search); Thanks for the help!
– André Garcia
You didn't have to do it in PDO, by the way. With mysqlnd (the native driver), mysqli has the same binding support as PDO, which is a great advantage, because the native driver gives significantly better performance. In the link I posted above, rray's answer has an example with mysqli: https://answall.com/a/3869/3635 ... but I'm glad you got the binds right ;)
– Guilherme Nascimento
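The following is an added example, not code from the question or from the commenters, showing the two fixes discussed in the thread: the search done with a prepared statement (mysqli bind_param and the PDO bindValue equivalent) and mysqli configured to raise errors instead of silently returning false. It assumes a table named `items` with columns `title` and `code`, placeholder connection credentials, and a hypothetical helper `likeLiteral`; none of these names come from the thread.

```php
<?php
// Added example (not the question's or the commenters' code). The table
// `items`, its columns `title`/`code`, and the credentials are placeholders.
declare(strict_types=1);

// Make mysqli throw on any error. Without this, a query broken by a quote
// in the search term simply returns false, and the page prints
// "nothing found" as if the search had legitimately matched nothing.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Build the LIKE pattern for a search term (hypothetical helper).
 * Binding the value keeps quotes from breaking the statement, but it does
 * not stop a user-typed % or _ from acting as a wildcard inside LIKE.
 * Escaping them with a backslash (MySQL's default LIKE escape character)
 * makes the term match literally.
 */
function likeLiteral(string $term): string
{
    return '%' . addcslashes($term, '\\%_') . '%';
}

// Same search as in the question, but with placeholders instead of
// interpolating $pesquisa into the SQL string.
function searchWithMysqli(mysqli $db, string $pesquisa): array
{
    $stmt = $db->prepare('SELECT * FROM `items` WHERE title LIKE ? OR code LIKE ?');
    $pattern = likeLiteral($pesquisa);
    // bind_param takes variables by reference, so bind the same variable twice.
    $stmt->bind_param('ss', $pattern, $pattern);
    $stmt->execute();
    // get_result() needs mysqlnd, the native driver mentioned in the thread.
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// The PDO variant the asker ended up with, extended to search both columns.
// A named placeholder may not be reused in one statement, so two are used.
function searchWithPdo(PDO $db, string $pesquisa): array
{
    $stmt = $db->prepare('SELECT * FROM `items` WHERE title LIKE :p1 OR code LIKE :p2');
    $pattern = likeLiteral($pesquisa);
    $stmt->bindValue(':p1', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':p2', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with placeholder credentials. A term such as O'Brien or 100% now
// reaches the database as data, not as part of the SQL text.
$pesquisa = (string) ($_GET['pesquisa'] ?? '');
$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$rows = searchWithMysqli($mysqli, $pesquisa);
echo $rows ? count($rows) . " result(s)\n" : "nothing found\n";
```

With `mysqli_report` set to throw, a malformed query surfaces as a `mysqli_sql_exception` in the log rather than as an empty result, which is the distinction the first comment makes: the asker's search terms were not absent from the table, the query was failing and the failure was being reported as "nothing found".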