I have an HTML form like:
<form action = "get-row.php" method = "post" >
<input type = "text" name = "mess_username" />
<input type = "submit" name = "submit" />
</form>
And my "get-row.php" is like :
$button = $_POST ['submit'];
$search = $_POST ['mess_username'];
if (!$button) {
echo "you didn't submit a keyword";
}
else {
if (strlen($search) <= 1) {
echo "Search term too short";
}
else {
echo "You searched for <b> $search </b> <hr size='1' >";
}
}
I am now successfully getting the value I have searched for. My next approach is to search the $search from my Database. I am trying like:
mysql_connect("server", "user", "pass");
mysql_select_db("my_db");
My Final "ok" Code after currection :
$sql = " SELECT * FROM messbd WHERE mess_username= '$search' ";
$run = mysql_query($sql);
$foundnum = mysql_num_rows($run);
if ($foundnum == 0) {
echo "Sorry, there are no matching result for <b> $search </b>";
}
else {
echo "$foundnum results found !<p>";
while ($runrows = mysql_fetch_assoc($run)) {
$mess_username = $runrows ['mess_username'];
$mess_email = $runrows ['mess_email'];
$android_app = $runrows ['android_app'];
echo " $mess_username <br> $mess_email <br> $android_app ";
}
}
The problem is, I am getting the message that, "There are no matching results!" So what will be the correction there?
The problem is solved now & The code is updated above. Thanks.
Since your $search results will be a string, then you need to quote that variable in your query. I'm pretty sure that you're looking for a string in your database, seeing echo "you didn't submit a keyword"; and mess_username being a user's "name".
WHERE mess_username='$search' ";
assuming an exact match. If you're looking for something that resembles your search, say you're looking for "foot" and want to find "football", then use LIKE.
Also add or die(mysql_error()) to mysql_query() just in case there may be errors, and it seems that there would be, when not quoting a string in a query's variable.
Footnotes:
Your present code is open to SQL injection. Use mysqli_* with prepared statements, or PDO with prepared statements.
Plus, it's best to use a conditional empty() against your input.
I.e.:
if(!empty($_POST[ 'mess_username' ])){
...
}
should someone just click without entering anything, which could throw you an error.
With this query mysql will search for $search input insted for the relarive value of the var. Try to use single quotes.
You missed to quote your search term
$sql = 'SELECT * FROM messbd WHERE mess_username="' . mysql_real_escape_string($search) . '"';
But the mysql extension is deprecated and should be replaced by either PDO or mysqli. Here is an example with PDO and prepared statement:
$options = array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION);
$dbh = new PDO('mysql:host=server;dbname=my_db', 'user', 'pass', $options);
$sql = 'SELECT * FROM messbd WHERE mess_username=?';
$sth = $pdo->prepare($sql);
$sth->execute(array($search));
// there is no sure working rowCount, so fetch all and count
$rows = $sth->fetchAll(PDO::FETCH_ASSOC)
if (!$rows) {
echo "Sorry, there are no matching result for <b> $search </b>";
} else {
echo count($rows) . " results found !<p>";
foreach ($rows as $row) {
$mess_username = $row['mess_username'];
$mess_email = $row['mess_email'];
$android_app = $row['android_app'];
echo "$mess_username<br>$mess_email<br>$android_app";
}
}