Search query with variable returns data with empty value

Hi there,

I’ve created a form so I can search/find products, but when I submit the form with no value in it, it returns data from the database, and for the life of me I can’t see why.

<?php
require_once '../connection/dbconfig.php';

include_once('../connection/connectionz.php');

if (isset($_POST['submit'])) {
	// get the value (only read $_POST once the form has actually been submitted)
	$search_products = htmlspecialchars($_POST['search_products']);
	echo $search_products; // debug output

	// an empty $search_products makes this LIKE '%%', which matches every row
	$sql = "SELECT * FROM `product` WHERE `des` LIKE '%" . $search_products . "%' ";
	$result = mysqli_query($conDB, $sql);
	echo $sql; // debug output

	if (mysqli_num_rows($result) > 0) {
		while ($row = mysqli_fetch_array($result)) {
			echo "Name: " . $row["name"] . "<br>";
		}
	} else {
		echo "0 results";
	}
}
?>

<form method="post" style="border:1px solid red;padding:.5em;">
<label for="search_products">Search for a product</label>
<input type="text" id="search_products" name="search_products" />
<input
style="border:1px solid red;text-transform:uppercase;"
type="submit" name="submit" />
</form>

Any pointers will be greatly appreciated, thank you.

Darren

Because you are doing a like, and you should be doing a like.

You need to see if the length of the string is enough to narrow down the list. So ensure at least one character is in the query.

Also, prepared statements…

Hi there,

Thanks for your reply. I’ve gone away, performed some research, and I like to think I’ve improved the code ever so slightly in regards to prepared statements.

if ($_POST['submit']) {
	$search_products = htmlspecialchars($_POST['search_products']);
	$new_search_products = "%" . $search_products . "%";

	if (empty($search_products)) {
		echo '<h4>You must type a word to search!</h4>';
	} else {
		$make = '<h4>No match found!</h4>';
		'%$search_products%';

		$sql = "SELECT * FROM product WHERE name LIKE ?";
		// prepared statement
		$stmt = mysqli_stmt_init($conDB);
		// prepare the statement
		if (!mysqli_stmt_prepare($stmt, $sql)) {
			echo "SQL Statement failed";
		} else {
			// bind the search pattern to the placeholder
			mysqli_stmt_bind_param($stmt, "s", $new_search_products);
			mysqli_stmt_execute($stmt);

			$result = mysqli_stmt_get_result($stmt);
			echo '<h2> Search Result</h2>';
			while ($row = mysqli_fetch_assoc($result)) {
				echo '<h4> Id : ' . $row['pid'];
				echo '<br> name : ' . $row['name'];
				echo '</h4>';
			}
		}
	}
}

Again, any improvements will be greatly appreciated.

Thanks
Darren

You need to check the REQUEST_METHOD, not hope the name of a button is submitted for the script to work.

htmlspecialchars is an output function.

Why is '%$search_products%'; just floating out in space?

Hi there,

Thanks for the pointers. I’ve taken in what you’ve mentioned and I’ve updated the script.

'%$search_products%'; was floating in space because I wanted to test it; it was commented out of the script, but duly noted, it has been removed and is no longer floating…

$submit = $_POST['submit'];

// get the request method from $_SERVER
$requestType = $_SERVER['REQUEST_METHOD'];
//echo $requestType; // debug: which request type is this?

if ($requestType == 'POST') {
	//echo 'is it post?'; // debug

	if (isset($submit)) {

		$search_products = htmlspecialchars($_POST['search_products']);

		$new_search_products = "%" . $search_products . "%";

		if (empty($search_products)) {
			echo '<h4>You must type a word to search!</h4>';
		} else {
			$make = '<h4>No match found!</h4>';

			$sql = "SELECT * FROM product WHERE name LIKE ?";
			// prepared statement
			$stmt = mysqli_stmt_init($conDB);
			// prepare the statement
			if (!mysqli_stmt_prepare($stmt, $sql)) {
				echo "SQL Statement failed";
			} else {
				// bind the search pattern to the placeholder
				mysqli_stmt_bind_param($stmt, "s", $new_search_products);
				mysqli_stmt_execute($stmt);

				$result = mysqli_stmt_get_result($stmt);
				echo '<h2> Search Result</h2>';

				echo 'You searched for <strong><em>' . htmlspecialchars($search_products) . '</em></strong>';
				while ($row = mysqli_fetch_assoc($result)) {
					echo '<h4> (ID : ' . $row['pid'];
					echo ') Book Title : ' . $row['name'];
					echo '</h4>';
				}
			}
		}
	}
}

Any further pointers would be greatly appreciated.

Thanks
Darren

Stop creating variables for nothing.

htmlspecialchars is for data OUTPUT. It has no business where you are using it.

Get rid of the if submit

Trim the POST array, THEN check for empty

I would also recommend you use PDO. This will get you going
https://phpdelusions.net/pdo

So I’ve updated my code to this now.

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
  // now trim all $_POSTs
  $search_products = trim($_POST['search_products']);

  // how can I trim the posts if there were multiple inputs from the form?

  if (empty($search_products)) {
    echo '<h4>You must type a word to search!</h4>';
  } else {
    // note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1
    $search_products = filter_var($search_products, FILTER_SANITIZE_STRING);
    $new_search_products = "%" . $search_products . "%";
    $sql = "SELECT * FROM product WHERE name LIKE ?";
    // prepared statement
    $stmt = mysqli_stmt_init($conDB);
    // prepare the statement
    if (!mysqli_stmt_prepare($stmt, $sql)) {
      echo "SQL Statement failed";
    } else {
      // bind the search pattern to the placeholder
      mysqli_stmt_bind_param($stmt, "s", $new_search_products);
      mysqli_stmt_execute($stmt);
      $result = mysqli_stmt_get_result($stmt);
      $number_of_rows = mysqli_num_rows($result);

      echo '<h2> Search Result</h2>';

      echo 'You searched for <strong><em>&quot;' . htmlspecialchars($search_products) . '&quot;</em></strong>';
      echo '<br />&nbsp; <strong>' . $number_of_rows . '</strong>';

      if ($number_of_rows == 1) {
        echo '&nbsp;match found';
      } elseif ($number_of_rows > 1) {
        echo '&nbsp;matches found';
      } else {
        echo '&nbsp;no match found';
      }

      while ($row = mysqli_fetch_assoc($result)) {
        // database values are escaped on output: one goes into an attribute, one into text
        echo "<h4><a href='pedit.php?pid=" . htmlspecialchars($row['pid'], ENT_QUOTES) . "'>";
        echo 'Book Title : ' . htmlspecialchars($row['name']);
        echo '</a></h4>';
      }
    }
  }
}
?>
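Added example (editor's code, not Darren's and not from any of the replies): one version of the search that applies the advice given in the thread in one place, namely checking REQUEST_METHOD instead of a button name, trimming the whole POST array before the empty check, using a prepared statement via PDO, and calling htmlspecialchars only at the point of output. It also handles one thing the thread does not raise: `%` and `_` are LIKE wildcards, so a user typing `100%` would otherwise match every name starting with `100`. The DSN, credentials and the `product` table layout (columns `pid`, `name`) are assumptions; `connect`, `trimStrings`, `escapeLike`, `h` and `searchProducts` are hypothetical helper names chosen here.

```php
<?php
declare(strict_types=1);

// Assumed connection details; replace with the values from dbconfig.php.
function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=shop;charset=utf8mb4'; // assumed
    return new PDO($dsn, 'app_user', 'app_password', [      // assumed credentials
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Trim every string in the request array, recursing into nested arrays
// (checkbox groups etc.), so a field containing only spaces counts as empty.
function trimStrings(array $data): array
{
    return array_map(
        fn($v) => is_array($v) ? trimStrings($v) : (is_string($v) ? trim($v) : $v),
        $data
    );
}

// Escape LIKE metacharacters so "100%" or "a_b" match those literal characters.
// MySQL's default LIKE escape character is the backslash; order matters here:
// backslashes are doubled first so the ones added for % and _ are not touched.
function escapeLike(string $value): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $value);
}

// Output escaping belongs at the point of output, not when reading $_POST.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function searchProducts(PDO $pdo, string $term, int $limit = 50): array
{
    $stmt = $pdo->prepare(
        'SELECT pid, name FROM product WHERE name LIKE :pattern ORDER BY name LIMIT :limit'
    );
    $stmt->bindValue(':pattern', '%' . escapeLike($term) . '%', PDO::PARAM_STR);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT); // LIMIT must be bound as an int
    $stmt->execute();
    return $stmt->fetchAll();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $post = trimStrings($_POST);
    $term = $post['search_products'] ?? '';

    // Compare against '' rather than empty(): empty("0") is true, and "0" is a valid search.
    if ($term === '') {
        echo '<h4>You must type a word to search!</h4>';
    } else {
        $rows  = searchProducts(connect(), $term);
        $count = count($rows);

        echo '<h2>Search Result</h2>';
        echo 'You searched for <strong><em>&quot;' . h($term) . '&quot;</em></strong><br>';
        echo '<strong>' . $count . '</strong> '
            . ($count === 1 ? 'match found' : ($count > 1 ? 'matches found' : 'no match found'));

        foreach ($rows as $row) {
            // pid goes into a URL: urlencode for the query string, then h() for the attribute.
            echo '<h4><a href="pedit.php?pid=' . h(urlencode((string) $row['pid'])) . '">'
                . 'Book Title: ' . h((string) $row['name']) . '</a></h4>';
        }
    }
}
?>
<form method="post">
  <label for="search_products">Search for a product</label>
  <input type="text" id="search_products" name="search_products">
  <input type="submit" value="Search">
</form>
```

With PDO::ATTR_EMULATE_PREPARES off, the pattern is sent to the server separately from the SQL text, so the only thing the user controls is the LIKE pattern itself, and escapeLike keeps that pattern from widening the search. The LIMIT keeps a one-character search from dumping the whole table, which is the length problem the first reply points out.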