I have a form where a user can type in the firstname to search, my query is not returning the correct results, what am I doing wrong?
$sfn = $_POST["Text1"];
$sql = "SELECT * FROM ex_usrs WHERE firstname LIKE '$sfn'";
...
-
2You really should escape the stuff you put in a query... Security, anyone?Tom van der Woerdt– Tom van der Woerdt2011-12-27 14:24:01 +00:00Commented Dec 27, 2011 at 14:24
-
I will start with that, thank you, it's for an internal site, but still, it has to be doneWilest– Wilest2011-12-27 14:25:47 +00:00Commented Dec 27, 2011 at 14:25
Add a comment
|
4 Answers
Maybe you should add %-signs to your keyword like this:
$sql = "SELECT * FROM ex_usrs WHERE firstname LIKE '%$sfn%'";
Comments
Your query will only return rows where firstname is equal to $_POST["Text1"]. When you use LIKE you can use a wildcard (%) to represent any number of characters.
This will find rows where
firstnamestarts with$_POST["Text1"].SELECT * FROM ex_usrs WHERE firstname LIKE '$sfn%'This will find rows where
firstnameends with$_POST["Text1"].SELECT * FROM ex_usrs WHERE firstname LIKE '%$sfn'This will find rows where
firstnamecontains$_POST["Text1"].SELECT * FROM ex_usrs WHERE firstname LIKE '%$sfn%'
Note: Never use variables from $_POST without escaping them first. What if I searched for "O'Neil" (or worse "'; DROP TABLE ex_users; -- ")?
Comments
You should use %searchterm% - include the % wildcards.
$sql = "SELECT * FROM ex_usrs WHERE firstname LIKE '%$sfn%'";
Comments
It should be
"SELECT * FROM ex_usrs WHERE firstname LIKE '%$sfn%'"
