#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2012
    Posts
    11
    Rep Power
    0

    Will not show results


    Hello,
    I'm having a little problem with my script showing the search results. Anyone have any idea what I'm doing wrong here? When I do a search, nothing comes back at all, even if the ticket number is in the database.
    Thank you.

    PHP Code:
    <?php
    require("db.php");
    $error = "";
    $term = $_POST['term'];
    if (isset($_POST['submit'])) {
        if (empty($_POST['term'])) {
            $error = "Please enter a Ticket Number.";
        } else {
            $query = "SELECT department, subject, message FROM supporttickets Where ticketnumber LIKE '$term'";
            $query_params = array(
                ':term' => $_POST['term'],
                ':department' => $department,
                ':subject' => $subject,
                ':message' => $message,
                ':ticketnumber' => $ticketnumber
            );

            $stmt = $db->prepare($query);

            $result = $stmt->execute($query_params);

            $result = $stmt->setFetchMode(PDO::FETCH_NUM);
            while ($rows = $stmt->fetch($result)) {
            }
        }
    }
    ?><form action="test.php" method="post">
    <input type="text" name="term" size="54" /><br />
    <input type="submit" name="submit" value="Submit" />
    </form>
    <?php echo htmlentities($error); ?>
    <?php echo htmlentities($rows['department'], ENT_QUOTES, 'UTF-8'); ?> <?php echo htmlentities($rows['subject'], ENT_QUOTES, 'UTF-8'); ?>
    <?php echo htmlentities($rows['message'], ENT_QUOTES, 'UTF-8'); ?>
  2. #2
  3. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    Hi,

    this makes no sense whatsoever.

    You insert $term directly into the query (which makes it vulnerable to SQL injection), and at the same time you pass nonexisting values to nonexisting parameters. You fetch the rows, but you don't do anything with them. The loop body is empty, which means the rows just get discarded.

    Your whole screen should be flooded with error messages. If it isn't, you need to turn your error reporting back on.

    And then take a deep breath, get clear about what you want to do, write the code step by step and test each step. Don't just write down a bunch of statements in the hopes that they'll do something.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  4. #3
  5. No Profile Picture
    Dazed&Confused
    Devshed Novice (500 - 999 posts)

    Join Date
    Jun 2002
    Location
    Tempe, AZ
    Posts
    506
    Rep Power
    128
    Originally Posted by mrbrin
    Hello,
    I'm having a little problem with my script showing the search results. Anyone have any idea what I'm doing wrong here? When I do a search, nothing comes back at all, even if the ticket number is in the database.
    Thank you.
    I think you might be confused over the direction that $query_params is intended to work. That's for putting variable values INTO the query string; not for defining the variable names the results should go to (which it looks like you're maybe trying to do...)

    PHP Code:
    // :term is the only placeholder; the posted value is bound to it at execute()
    $query = "SELECT department, subject, message FROM supporttickets Where ticketnumber LIKE :term";
    $stmt = $db->prepare($query);
    $stmt->execute(array(':term' => $_POST['term']));
    while (list($department, $subject, $message) = $stmt->fetch(PDO::FETCH_NUM)) {
        print "Has $department $subject $message\n";
    }

  6. #4
  7. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2012
    Posts
    11
    Rep Power
    0
    Thanks for the help!
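
The points raised in replies #2 and #3 (bind the search term instead of interpolating it, pass only parameters the query actually contains, and produce output inside the fetch loop), put together as an added example that is not code from any poster in this thread. It assumes the pdo_sqlite driver and uses a constructed in-memory table in place of the poster's `db.php`; `findTickets` and `renderRows` are hypothetical helper names, and the match uses `=` rather than `LIKE` because a ticket number is looked up exactly.

```php
<?php
// Added example: constructed in-memory SQLite data stands in for db.php / MySQL.
$db = new PDO('sqlite::memory:');
// Throw on SQL errors so mistakes such as unknown parameters are not silent.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE supporttickets
           (ticketnumber TEXT, department TEXT, subject TEXT, message TEXT)");
$seed = $db->prepare("INSERT INTO supporttickets VALUES (?, ?, ?, ?)");
$seed->execute(['T-1001', 'Billing', 'Refund', 'Charged twice <b>urgent</b>']);
$seed->execute(['T-1002', 'Support', 'Login', 'Cannot sign in']);

function findTickets(PDO $db, string $term): array
{
    // One placeholder, one bound value: user input never becomes SQL text.
    // With LIKE, a "%" or "_" typed by the user would act as a wildcard;
    // "=" avoids that for an exact ticket lookup.
    $stmt = $db->prepare(
        "SELECT department, subject, message
           FROM supporttickets
          WHERE ticketnumber = :term"
    );
    $stmt->execute([':term' => $term]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function renderRows(array $rows): string
{
    if (!$rows) {
        return "No ticket found.\n";
    }
    $out = '';
    foreach ($rows as $row) {
        // Escape every column on output; stored data is untrusted too.
        $cells = array_map(fn($v) => htmlspecialchars($v, ENT_QUOTES, 'UTF-8'), $row);
        $out .= implode(' | ', $cells) . "\n";
    }
    return $out;
}

// On the real page $term comes from $_POST['term']; these inputs are constructed.
foreach (['T-1001', "x' OR '1'='1", ''] as $term) {
    echo "term=[$term]\n";
    echo $term === ''
        ? "Please enter a Ticket Number.\n"
        : renderRows(findTickets($db, $term));
}
```

The second input is treated as a literal ticket number and matches nothing, and the `<b>` stored in the first ticket's message is printed as escaped text rather than markup.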
