I've successfully written a search engine in PHP,
After testing it, there's one thing that bothers me.
First error
(mysql_fetch_array() expects parameter 1 to be resource, boolean given in)
Second error
(mysql_num_rows() expects parameter 1 to be resource, boolean given in)
Sorry, but we can not find an entry to match your query...
here's the code
<?php
echo "<h2>Search Results:</h2><p>";
//If they did not enter a search term we give them an error
if ($find == "Account_Number")
{
echo "<p>You forgot to enter a search term!!!";
exit;
}
// Otherwise we connect to our Database
mysql_connect("localhost", "username", "password") or die(mysql_error());
mysql_select_db("database") or die(mysql_error());
// We perform a bit of filtering
$find = strtoupper($find);
$find = strip_tags($find);
$find = trim ($find);
//Now we search for our search term, in the field the user specified
$data = mysql_query("SELECT * FROM memaccounts WHERE upper($field) LIKE'%$find%'");
//And we display the results
while($result = mysql_fetch_array( $data ))
{
echo $result['Account_Number'];
echo $result['Name'];
echo "<br>";
echo $result['Balance'];
echo "<br>";
echo "<br>";
}
$anymatches=mysql_num_rows($data);
if ($anymatches == 0)
{
echo "Sorry, but we can not find an entry to match your query...<br><br>";
}
//And we remind them what they searched for
echo "<b>Searched For:</b> " .$find;
//}
?>
please help, Thank you
Since the $find and $field are not defined, the query becomes:
SELECT * FROM memaccounts WHERE upper() LIKE'%%'
which makes mysql_query() return FALSE , as it is an incorrect query. (i.e. $data is FALSE). Therefore, mysql_fetch_array() and mysql_num_rows() fails with error as FALSE is supplied as input.
Hints:
to properly filtering the input, use mysqli_real_escape_string(). By the way, if your table collate is case insensitive, you do not need to change it to upper case.
You can always debug your codes by var_dump() , var_export(), echo or print_r() (depends on situation)
stop using deprecated mysql_* functions. use MySQLi or PDO instead.
your code is subjected to SQL Injection attack, as you directly allow POST values to be inserted in your query.
mysql_query() returns false if there was a SQL error. You have to check if $data is false before looping through results. An example to to this:
if (!$data) exit(mysql_error());
or just add "or die(mysql_error())" at end of mysql_query() line in same way as you did with connect and select_db.
It's likely there is an error on your query. Check that there isn't any typo on it.
I'd recommend to capture the query (echo it or log it) and then run it using any database client like phpmyadmin or heidisql.
The query will probably work, except when $find contains invalid characters. For instance, if it contains a quote (') then it will break your query.
You can use mysql_real_escape_string to solve this, although it's probably better to quit using the mysql* functions at all and switch to PDO. The mysql* functions are deprecated and will probably be removed in a future version of PHP.
Please check the query.
mysql_query() this function returns true or false to show query worked or not.
your result shows boolean means query failed.
use mysql_error()
for ex :-
$result=mysql_query('Your query');
if(!$res){
die(mysql_error()); //gives information regarding error
}