0

I've created a php search script to search a MySQL database but no search is returning results.

Form Code

<form method="post" action="search.php">
<input type="text" value="Search..." name="query" />
<input type="submit" value="Find" name="completedsearch" />
</form>

PHP Script

<?php
                    if(isset($_POST['completedsearch']))
                    {
                            $term = $_POST['query'];
                            $mysql = mysql_connect("localhost","searchuser","password");
                            mysql_select_db("hcsd");
                            $qu = mysql_query("SELECT * FROM your_table WHERE COMPANY LIKE '%{$term}%' OR LOCATION LIKE '%{$term}%' OR KEYWORDS LIKE '%{$term}%' OR PRODUCTSSERVICES LIKE '%{$term}%' ");
                            echo "
                                            <th>Name</th>
                                            <th>Location</th>
                                            <th>Products/Services</th>
                                            ";
                            while($row = mysql_fetch_array($qu))
                                       {

                                            echo "<tr><td>";  
                                            echo $row['COMPANY'];
                                            echo "</td>";
                                            echo "<td>";
                                            echo $row['LOCATION'];
                                            echo "</td>";
                                            echo "<td>";
                                            echo $row['PRODUCTSSERVICES'];
                                            echo "</tr></td>";
                            }
                    }
            ?>

The MySQL database has 4 columns, headed COMPANY, LOCATION, KEYWORDS & PRODUCTSSERVICES, and this script should be searching any of the columns for the search term and then displaying COMPANY, LOCATION and PRODUCTSSERVICES for any matching rows in a table, yet even using search terms I know 100% are in the MySQL table, I'm still receiving no results.

Improve this question
11
  • Take off the curly braces: Like '%$term%' Commented Nov 26, 2013 at 14:54
  • And check this out: SQL Injection Commented Nov 26, 2013 at 14:56
  • At the end, you swapped </tr> and </td>, it should echo "</td></tr>" I think - you might have to look into your generated html code Commented Nov 26, 2013 at 14:56
  • removed the curly brackets, still not returning results Commented Nov 26, 2013 at 14:57
  • Is the table you are selecting from really called 'your_table' ? Commented Nov 26, 2013 at 15:00

2 Answers 2

Reset to default
1

I'm not sure the curly braces are helping here...

Replace

 $qu = mysql_query("SELECT * FROM your_table WHERE COMPANY LIKE '%{$term}%' OR LOCATION LIKE '%{$term}%' OR KEYWORDS LIKE '%{$term}%' OR PRODUCTSSERVICES LIKE '%{$term}%' ");

With

 $qu = mysql_query("SELECT * FROM your_table WHERE COMPANY LIKE '%".$term."%' OR LOCATION LIKE '%".$term."%' OR KEYWORDS LIKE '%".$term."%' OR PRODUCTSSERVICES LIKE '%".$term."%'");

You should escape the input as well

 $qu = mysql_query("SELECT * FROM your_table WHERE COMPANY LIKE '%".mysql_real_escape_string($term)."%' OR LOCATION LIKE '%".mysql_real_escape_string($term)."%' OR KEYWORDS LIKE '%".mysql_real_escape_string($term)."%' OR PRODUCTSSERVICES LIKE '%".mysql_real_escape_string($term)."%'");

Also consider using the more recent mysqli_ functions

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Accepted this answer due to the help adding the input escape and @Chris Wheeler answering my question in his comment above.
+1 to improve this request. The best I thing is to use PDO and use prepare request or recent mysqli as @Chris Wheeler suggested. It's more secure. Recommended by PHP Doc: php.net/manual/fr/function.mysql-escape-string.php
It's not "additional security", it's writing it properly. Failing to escape will lead to all kinds of bugs if user data contains characters like '.
1

What is the name of your table ?

You should try your request in phpmyadmin or anything software you use for manage your DB and see the results. If not result, there is probably an error in your request.

Improve this answer

2 Comments

The table is called Sheet1 Didn't think of that, I'll give it a go
+1 for asking about the table name, slightly before I did I think :)

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.