I've got a search form where the user can search for a serial number or name of product.
Here's my code:
<?php
require_once "pdo_rothConn.php";
if (isset($_POST['searchText'])){
$sql = "SELECT m_ipdb, m_name FROM machine WHERE 'm_ipdb' LIKE :number OR 'm_name' LIKE :name";
$stmt = $dbh->prepare($sql);
$stmet->execute(array(
':number' => $_POST['searchText'],
':name' => $_POST['searchText']));
while ( $row = $stmt->fetch(PDO::FETCH_ASSOC) ) {
echo($row['m_ipdb']);
echo($row['m_name']);
}
?>
<p>Search for a Machine</p>
<form method="post">
<table width="500" border="1">
<tr>
<td>Enter IPDB Number or Name:</td>
<td><input name="searchText" type="text" id="searchText" /></td>
</tr>
<tr>
<td colspan="2"><input type="submit" value="Search Database"></td>
<td><a href="#">Cancel</a></p></td>
</tr>
</table>
</form>
</body>
</html>
First, is there a more concise way I can write my SQL statement, since the $_POST value I'm searching for is the same? I wasn't sure if there was an error in my SQL statement also, with the multiple LIKE statements.
As of now the resulting page is coming up blank and not working at all. I thought of splitting the code into a page and processing page instead of a post-back page. I'm stuck. But I asked this question before I learned about PDO and prepared statements and got feedback to learn about prepared/parameterized statements. Is the resulting code properly protecting against SQL injection as well?
Thanks.
Comments:
... LIKE in a single query is an error – Carl Binalla
... LIKE to search within your fields? If so, you're missing the wildcard characters. Try like this... LIKE CONCAT('%', :number, '%') – Phil
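The following is an added example, not the asker's code or any answer from the thread. It puts the points raised in the question and comments into one working handler: the column names are used as identifiers (the posted query single-quotes them, which turns them into string literals), the wildcards are supplied as Phil suggests but built on the PHP side and bound as a value, and the posted typo $stmet (never assigned) is avoided by enabling PDO exceptions so such mistakes surface instead of producing a blank page. It assumes, as the question does, that pdo_rothConn.php defines $dbh as a PDO connection to a MySQL database with a table machine(m_ipdb, m_name); the function names likePattern and searchMachines are this example's own. Two points the question does not cover but a practitioner would want: parameter binding stops SQL injection, yet a user can still type "%" or "_" to match everything, so LIKE metacharacters are escaped before binding; and the results are HTML-escaped on output, since SQL injection and cross-site scripting are separate problems.

```php
<?php
// Added example (not the asker's code). Assumes pdo_rothConn.php from the
// question defines $dbh as a PDO connection to MySQL with a table
// machine(m_ipdb, m_name).
require_once "pdo_rothConn.php";

// Throw on errors instead of failing silently: a typo such as the posted
// $stmet->execute() then yields a visible error rather than a blank page.
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Escape LIKE metacharacters so "%" or "_" typed by the user match literally.
// Binding stops SQL injection; it does not stop wildcard injection.
// MySQL's default LIKE escape character is backslash; on other databases
// add an explicit ESCAPE clause to the query.
function likePattern(string $raw): string {
    $escaped = strtr($raw, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
    return '%' . $escaped . '%';   // "contains" search
}

function searchMachines(PDO $dbh, string $text): array {
    // Column names are identifiers and must not be single-quoted:
    // 'm_ipdb' LIKE ... compares the literal string "m_ipdb", not the column.
    // The wildcards travel inside the bound value, never in the SQL text.
    // Positional placeholders let the one value be supplied twice; native
    // MySQL prepares do not allow reusing a single named placeholder.
    $sql = "SELECT m_ipdb, m_name FROM machine WHERE m_ipdb LIKE ? OR m_name LIKE ?";
    $stmt = $dbh->prepare($sql);
    $pattern = likePattern($text);
    $stmt->execute([$pattern, $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

if (isset($_POST['searchText']) && $_POST['searchText'] !== '') {
    foreach (searchMachines($dbh, $_POST['searchText']) as $row) {
        // Escape on output as well: a stored name containing "<script>" must
        // not be rendered as markup (XSS), a separate concern from SQLi.
        echo '<p>', htmlspecialchars($row['m_ipdb'], ENT_QUOTES, 'UTF-8'),
             ' ', htmlspecialchars($row['m_name'], ENT_QUOTES, 'UTF-8'), '</p>';
    }
}
?>
```

The HTML form from the question can stay as it is and post to this same page. Building the pattern in PHP and binding it is equivalent to Phil's LIKE CONCAT('%', :number, '%') form; the PHP-side version was chosen here because the escaping of % and _ has to happen before the value reaches the database either way, and keeping pattern construction in one function makes that visible.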