-1

I have an HTML form that lets the user write what they want to search for. In this case a Name.

The form works, but it's in the php. I don't know what I have to write to get MySQL to search the database for what the user has input.

Here is the line where I get stuck:

$result = mysql_query("SELECT * FROM {$table} WHERE name = 'What do i gonna write
here? (take away the ' ");

I'm using PHP 5.

2
  • Is the form method POST or GET? What is the input name? Do you need help with result output? Commented Aug 11, 2011 at 15:44
  • The form method is POST and the input name is: search. And yes, I need help with the WHERE name = part. Commented Aug 11, 2011 at 15:48

2 Answers

1

This should get you on your way using mysqli. The manual can be found here.

This assumes you are POSTing your form, otherwise you can change $_POST to whatever request variable you'll be using. Some sanity checking on the form variable before or after calling mysqli_real_escape_string would also be very helpful (required) in a production environment.

$db = new mysqli("localhost","user","password","database");

if(mysqli_connect_error())
{
    printf("Connection failed:%s \n",mysqli_connect_error());
    exit();
}

// Escaping only protects the query when the escaped value sits inside quotes
$name = mysqli_real_escape_string($db, $_POST['search']);
$table = 'some_table';

if($result = $db->query("SELECT * FROM $table WHERE name = '$name'"))
{
    while($row = $result->fetch_assoc())
    {
        // $row is an associative array
        // Do something here
    }
}
$db->close();

2 Comments

Thanks, works great, but how to output the result in a safe way, and the if result = null part in MySQL? Thanks man, I really appreciate your help and kindness :)
Your question was how to query the database, not how to output the result. Some research needs to be done on your part.
-2
$sf = stripslashes($_REQUEST['search']);
$sf = mysql_real_escape_string($sf);


$result = mysql_query("SELECT * FROM {$table} WHERE name = '". $sf."'");
while($row = mysql_fetch_array($result)){
    //do stuff
}

5 Comments

While this may work this is wildly dangerous and should never, EVER be used as an example. Google SQL injection.
The question wasn't how to secure from SQL injection, it was how to write the query only. I would (probably stupidly) assume anyone using mysql already knows to strip slashes and all that good stuff. Read the question next time before you give -1.
I would argue that because his question was so basic, he probably doesn't know. On top of that, someone else that knows nothing about PHP may stumble onto this.
Your disagreeing with my answer is fine, and so is a -1 IF you either a) provide a better example OR b) provide a link to a resource proving why another way should be used rather than using mysql_query. You are not God and we cannot just take your word for it.
That's valid, I was in the process of putting up an example.
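
The prepared-statement form of the search discussed in this thread, as an added example that is not from either answer: it binds the search term instead of escaping it, encodes each result for HTML output, and handles the no-match case. It assumes current PHP with PDO and its SQLite driver (an in-memory database, so it runs without a server); `searchByName`, `renderResults`, the sample rows and the inputs are constructed for illustration.

```php
<?php
// Added example: constructed data, hypothetical function names.
// In-memory SQLite keeps it runnable without a server; for MySQL use a DSN such as
// 'mysql:host=localhost;dbname=database;charset=utf8mb4' plus user and password.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE some_table (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO some_table (name) VALUES ('Alice'), ('O''Brien'), ('<b>Bob</b>')");

// Identifiers cannot be bound as parameters, so the table name comes from a fixed allowlist.
const ALLOWED_TABLES = ['some_table'];

function searchByName(PDO $db, string $table, string $name): array
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('Unknown table');
    }
    // The value travels separately from the SQL text, so quotes in it are never parsed as SQL.
    $stmt = $db->prepare("SELECT id, name FROM $table WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function renderResults(array $rows): string
{
    if (count($rows) === 0) {
        return "No matches found.\n";
    }
    $out = '';
    foreach ($rows as $row) {
        // Encode on output so stored markup is displayed as text, not interpreted by the browser.
        $out .= '<li>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $out;
}

// Constructed inputs standing in for $_POST['search'].
$inputs = ["Alice", "O'Brien", "<b>Bob</b>", "x' OR '1'='1", ""];
foreach ($inputs as $search) {
    $search = trim($search);
    if ($search === '' || strlen($search) > 100) {   // basic sanity check on the form value
        echo "Rejected input\n";
        continue;
    }
    echo "Search: " . htmlspecialchars($search, ENT_QUOTES, 'UTF-8') . "\n";
    echo renderResults(searchByName($db, 'some_table', $search));
}
```

The quoted input `x' OR '1'='1` comes back as "No matches found." because it is compared as a literal name, and the stored `<b>Bob</b>` row is emitted as `&lt;b&gt;Bob&lt;/b&gt;`.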
