I am trying to show fields from a DB depending on a search.
The search criteria will be in the address bar (e.g. /search_results.php?q=tea if the user searches for tea).
Here is my code:
<?php
$name=$_GET["q"];
if ($name<="0") {
    echo( "You did not enter a search");
}
else
{
    $con = mysql_connect("localhost","cl49-XXX","XXX");
    if (!$con)
    {
        die('Could not connect: line 513 ' . mysql_error());
    }
    mysql_select_db("cl49-XXX", $con)or die( "Unable to select database");
    $result=mysql_query("SELECT * FROM products WHERE $name LIKE '$prodname%' ")or die('Error: Line 519' );
    $row = mysql_fetch_array($result);
    $prodID=$row['prodID'];
    $prodname=$row['prodname'];
    $catagory=$row['catagory'];
}
echo" $prodID , $prodname, $catagory ";
?>
When running the code I get:
Error: Line 519
First of all, be aware of SQL injection. You are inserting a variable from the $_GET array directly into the query.
About the error, it looks like $name contains unsupported characters like spaces, or maybe the products table does not exist.
You can put the table name between "`" characters, and in order to see the error you could change the line to this:
$result=mysql_query("SELECT * FROM products WHERE `$name` LIKE '$prodname%' ")or die('Error: Line 519 ('.mysql_error().')' );
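The parameterised form of this search, as an added example that is not part of the original answer: it assumes the intent is to match the `prodname` column against the search term, and it uses PDO (the `mysql_*` functions were removed in PHP 7). The helper names `likePrefix` and `searchProducts`, the in-memory SQLite table standing in for `products`, and the sample rows and inputs are all constructed for illustration.

```php
<?php
// Added example: constructed schema and rows in an in-memory SQLite database,
// so the script runs offline. With MySQL only the PDO DSN changes.
declare(strict_types=1);

function likePrefix(string $term): string
{
    // Escape LIKE wildcards so user input matches literally; '!' is the
    // escape character declared in the query's ESCAPE clause.
    return strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
}

function searchProducts(PDO $db, string $term): array
{
    // The column name is fixed in the SQL text; only the value is bound.
    $stmt = $db->prepare(
        "SELECT prodID, prodname, catagory FROM products
         WHERE prodname LIKE :term ESCAPE '!' ORDER BY prodname"
    );
    $stmt->execute([':term' => likePrefix($term)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (prodID INTEGER PRIMARY KEY, prodname TEXT, catagory TEXT)');
$db->exec("INSERT INTO products (prodname, catagory) VALUES
    ('tea', 'drinks'), ('teapot', 'kitchen'), ('100% juice', 'drinks'), ('coffee', 'drinks')");

// Constructed inputs standing in for $_GET['q'].
$inputs = ['tea', '', '100%', "x' OR '1'='1", '%'];
foreach ($inputs as $q) {
    $q = trim($q);
    if ($q === '') {
        echo "You did not enter a search\n";
        continue;
    }
    $rows = searchProducts($db, $q);
    printf("%-16s => %d row(s)\n", $q, count($rows));
    foreach ($rows as $row) {
        // Encode on output, since the result page is HTML.
        echo '  ', htmlspecialchars(implode(', ', $row), ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

Because the search term is bound as a value, a quote or `%` in it is matched literally and cannot change the query's structure.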