-2

Following on from a question I asked earlier (which was very helpfully answered - thanks) I have a follow on question.

I managed to put a form into my page which successfully linked to another page with filtered results. I then added another form directly below (as a second search filter) but the second one is not working. The code is:

<p style="margin-left:20px;">Search by:</p>
<!-- "int" is not a valid input type (browsers fall back to a plain text box); "number" is -->
<form action="ordersfiltered.php" method="post">
order_no: <input type="number" name="order_no" />
<input type="submit" />
</form>
<form action="ordersfiltered_name.php" method="post">
name: <input type="text" name="name" />
<input type="submit" />
</form>

Like I say, if I enter an order_no into the first box and click 'Submit' then I do get to another page with the result filtered accordingly. But if I enter a name into the second box, the page I get has all the table headings etc. but no results. For reference, the relevant code I have on the "ordersfiltered.php" page is:

$result = mysql_query("SELECT * FROM orders WHERE order_no = " . $_POST["order_no"]);

(NB I realise that I should not use SELECT * - it's on my list of things to change). This works fine.

The code I have on "ordersfiltered_name.php" is:

$result = mysql_query("SELECT * FROM orders WHERE name = " . $_POST["name"]);

Any ideas why the first one works but not the second?

Also - I would, if possible, like to amend it to add something like WHERE name LIKE '%...%' in case the user doesn't type the whole thing.

Thanks again.

8
  • 3
    It may not help answer your question, but you should stop using mysql_* functions. They're being deprecated. Instead use PDO (supported as of PHP 5.1) or mysqli (supported as of PHP 4.1). If you're not sure which one to use, read this article. Commented Aug 24, 2012 at 16:59
  • @Matt I think you posted the exact same comment to the previous question... Commented Aug 24, 2012 at 17:05
  • He just spreads the word ... good job! (GO PDO) Commented Aug 24, 2012 at 17:06
  • 1
    @jeroen yeah, I lurk around answering the questions I can, and pointing out when people use deprecated functions. I'm here for the glory. I actually have the comment written down in notepad, so when the need arises, I just copy/paste. Commented Aug 24, 2012 at 17:12
  • 1
    Please read and follow the advice given in your other questions. It doesn't make sense to keep making the same mistake and keep asking us to tell you how to fix it. Commented Aug 24, 2012 at 18:44

2 Answers

0

You said that the previously asked question had some helpful answers, though you don't seem to use any of it: Using PHP forms in mysql queries (I'm not going to repeat all the valid points from there...).

That said, you are missing the quotes and escaping of the posted variable:

$result = mysql_query("SELECT * FROM orders WHERE name = '" . mysql_real_escape_string($_POST["name"]) . "'");

1 Comment

This sort of thing is about a kabillion times easier with mysqli. It's true. I benchmarked it once and that's what it said. A kabillion.
0

I assume that it's related to the fact the order_no is a number and name is a string. Strings must be wrapped in quotes.

Therefore, change:

$result = mysql_query("SELECT * FROM orders WHERE name = " . $_POST["name"]);

to:

$name = mysql_real_escape_string($_POST['name']);
$result = mysql_query("SELECT * FROM orders WHERE name = '". $name ."'");

You also would need to check that $_POST['name'] doesn't have any quotes.

EDIT 1. You can always use or die(mysql_error()) after your mysql commands. Then you'll be able to see the reason why those commands don't work.

EDIT 2. It's extremely dangerous for you to use $_POST[..] in your query. You should check its value first and make sure you "clean" it up.

EDIT 3. Another note, consider moving to PDO.

6 Comments

You're making a note about PDO, and then shamelessly slinging a $_POST variable directly into your SQL? Come on, you can do better than that. Don't post answers with gaping vulnerabilities in them no matter what was in the question. This is your answer, it's your code.
Do you want me to teach him how to use PDO? It's the answer in his case, he is the one to consider whether to use PDO or stay unsafe.
Thanks again. To be honest, this whole thing is for a university project and it's locally hosted with dummy data - so I'm not really worried about attacks etc. Also I don't know what PDO is (I barely know what PHP/html/mysql is!) and at this point I'm just trying to get the thing working even if it's far from perfect. Thanks guys
Academic or not, if you're doing it without escaping you're doing it the wrong way and you will experience confusing bugs when you insert data with ' in it. It's also a very bad habit to develop, not unlike re-using syringes. "But I'm just in medical school," you say. Doesn't matter.
@OfirBaruch Yes, provide sample code using PDO. It isn't hard: stackoverflow.com/questions/12098031/…
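Both answers above make the same point: the name query fails because the posted value is concatenated into the SQL without quotes, so the database parses `WHERE name = Smith` as a comparison against a column called Smith (MySQL reports "Unknown column ... in 'where clause'", mysql_query returns FALSE, and the page shows headings with no rows). The example below is added here and is not code from the question or from either answer. It uses PDO against an in-memory SQLite database so it runs offline (it assumes the pdo_sqlite extension is available); the orders table and its rows are constructed for the demo, and the table and column names are the ones the question uses. It shows the failing unquoted query, the equivalent query as a prepared statement (which also handles a name like O'Brien that manual quoting would trip over), and the LIKE '%...%' partial match the question asks for, with user-typed wildcard characters escaped so they match literally.

```php
<?php
// Added example (not from the question or either answer). In-memory SQLite via
// PDO so it runs stand-alone; the rows below are constructed test data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE orders (order_no INTEGER, name TEXT)");
$pdo->exec("INSERT INTO orders VALUES (1, 'Smith'), (2, 'O''Brien'), (3, 'Smithson')");

// 1. The query from the question, unchanged in structure: the value is glued
//    into the SQL without quotes, so the database sees  WHERE name = Smith
//    and treats Smith as an identifier, not a string. With mysql_query this
//    error is silent unless you check the return value or mysql_error().
function brokenQuery(PDO $pdo, string $name): string
{
    try {
        $pdo->query("SELECT * FROM orders WHERE name = " . $name)->fetchAll();
        return "ok";
    } catch (PDOException $e) {
        return "error: " . $e->getMessage();   // SQLite: "no such column: Smith"
    }
}

// 2. The fix: a prepared statement. The value travels separately from the
//    SQL text, so a quote inside it (O'Brien) cannot alter the query and no
//    mysql_real_escape_string-style escaping is needed.
function findByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT order_no, name FROM orders WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Partial match (the WHERE name LIKE '%...%' the question asks for). The
//    wildcards are added in PHP around the bound value, and any % or _ the
//    user typed is escaped so it matches literally instead of as a wildcard.
function searchByName(PDO $pdo, string $fragment): array
{
    $escaped = addcslashes($fragment, '\\%_');
    $stmt = $pdo->prepare(
        "SELECT order_no, name FROM orders WHERE name LIKE :pattern ESCAPE '\\'"
    );
    $stmt->execute([':pattern' => '%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

echo brokenQuery($pdo, 'Smith'), "\n";      // the error the question's page swallowed
print_r(findByName($pdo, "O'Brien"));       // one row, quote handled by the driver
print_r(searchByName($pdo, 'Smith'));       // Smith and Smithson
print_r(searchByName($pdo, '%'));           // no rows: the % is matched literally
```

The same three functions work unchanged against MySQL by constructing the PDO object with a mysql: DSN instead of the sqlite: one; the in-memory database is only there so the example runs without a server. Note that the order_no form has the same problem even though it "works": the posted value goes into the SQL as-is, so it should be bound the same way rather than concatenated.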
