Sohan Sonar - 22 days ago
PHP Question

how to get table filtering accessible

I am trying to do table filtering using the following code. The table is showing with all the inputs, but when I select any name to search, it is not accessible.

<?php
// Filter fragments start empty so they can be appended safely even when no filter is set
$search_string = '';
$search_city   = '';

// Name / e-mail filter: matches the search term against full_name or email
if (isset($_REQUEST["string"]) && $_REQUEST["string"] <> '') {
    $search_string = " AND (full_name LIKE '%".mysqli_real_escape_string($_REQUEST["string"])."%' OR email LIKE '%".mysqli_real_escape_string($_REQUEST["string"])."%')";
}
// City filter from the drop-down
if (isset($_REQUEST["city"]) && $_REQUEST["city"] <> '') {
    $search_city = " AND city='".mysqli_real_escape_string($_REQUEST["city"])."'";
}

// Date range filter: both bounds, only "from", only "to", or no date filter at all
if (isset($_REQUEST["from"], $_REQUEST["to"]) && $_REQUEST["from"] <> '' && $_REQUEST["to"] <> '') {
    $sql = "SELECT * FROM ".$SETTINGS["data_table"]." WHERE from_date >= '".mysqli_real_escape_string($_REQUEST["from"])."' AND to_date <= '".mysqli_real_escape_string($_REQUEST["to"])."'".$search_string.$search_city;
}
else if (isset($_REQUEST["from"]) && $_REQUEST["from"] <> '') {
    $sql = "SELECT * FROM ".$SETTINGS["data_table"]." WHERE from_date >= '".mysqli_real_escape_string($_REQUEST["from"])."'".$search_string.$search_city;
}
else if (isset($_REQUEST["to"]) && $_REQUEST["to"] <> '') {
    $sql = "SELECT * FROM ".$SETTINGS["data_table"]." WHERE to_date <= '".mysqli_real_escape_string($_REQUEST["to"])."'".$search_string.$search_city;
}
else {
    $sql = "SELECT * FROM ".$SETTINGS["data_table"]." WHERE id>0".$search_string.$search_city;
}

$sql_result = mysqli_query($connection, $sql) or die ('request "Could not execute SQL query" '.$sql);
if (mysqli_num_rows($sql_result) > 0) {
    // One table row per matching record
    while ($row = mysqli_fetch_assoc($sql_result)) {
?>
<tr>
<td><?php echo $row["from_date"]; ?></td>
<td><?php echo $row["to_date"]; ?></td>
<td><?php echo $row["full_name"]; ?></td>
<td><?php echo $row["email"]; ?></td>
<td><?php echo $row["city"]; ?></td>
</tr>
<?php
    }
} else {
?>
<tr><td colspan="5">No results found.</td></tr>
<?php
}
?>
</table>


What I want to do is: when the user selects any city from the drop-down or gives any name for search, it should be found after clicking on the filter option.

Please help to resolve

Answer

Because mysqli_real_escape_string() needs two parameters: the first one should be the link identifier and the second one is your input.

But still, note that your code is open to SQL injection; you must protect your code against SQL attacks. You can use a prepared statement.

This will help you to prevent SQL attack: How can I prevent SQL injection in PHP?

Even so, mysqli_real_escape_string() is not sufficient for all cases; read this: PHP: Is mysql_real_escape_string sufficient for cleaning user input?
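To make the prepared-statement advice concrete, here is the same filter (search term, city, optional date range) rebuilt so that no user input is ever concatenated into the SQL text. This is an added example, not the answerer's code or the asker's project: it assumes an open mysqli connection in $connection, the columns used in the question (from_date, to_date, full_name, email, city), a table name in $SETTINGS["data_table"] that is checked against a hypothetical allow-list (identifiers cannot be bound as parameters), and the mysqlnd driver for mysqli_stmt_get_result().

```php
<?php
// Added example (not from the original page): the question's filter rebuilt
// with mysqli prepared statements. Assumes $connection (mysqli link) and
// $SETTINGS["data_table"] already exist, as in the question.

// A table name cannot be a bound parameter, so validate it against an allow-list
// before interpolating it. The list entry is a hypothetical placeholder.
$allowed_tables = ['example_data_table'];
$table = $SETTINGS["data_table"];
if (!in_array($table, $allowed_tables, true)) {
    throw new RuntimeException('Unexpected table name in settings');
}

// Build the WHERE clause as a list of conditions plus a parallel list of values.
$conditions = ['id > 0'];   // same base condition the question uses
$params     = [];
$types      = '';

// Escape LIKE metacharacters so a user-supplied "%" or "_" is matched literally.
function escape_like(string $value): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $value);
}

$string = isset($_REQUEST["string"]) ? trim((string) $_REQUEST["string"]) : '';
if ($string !== '') {
    $conditions[] = '(full_name LIKE ? OR email LIKE ?)';
    $like = '%' . escape_like($string) . '%';
    $params[] = $like;
    $params[] = $like;
    $types   .= 'ss';
}

$city = isset($_REQUEST["city"]) ? (string) $_REQUEST["city"] : '';
if ($city !== '') {
    $conditions[] = 'city = ?';
    $params[] = $city;
    $types   .= 's';
}

// Date bounds are independent, so the four if/else branches collapse to two checks.
$from = isset($_REQUEST["from"]) ? (string) $_REQUEST["from"] : '';
if ($from !== '') {
    $conditions[] = 'from_date >= ?';
    $params[] = $from;
    $types   .= 's';
}

$to = isset($_REQUEST["to"]) ? (string) $_REQUEST["to"] : '';
if ($to !== '') {
    $conditions[] = 'to_date <= ?';
    $params[] = $to;
    $types   .= 's';
}

$sql = 'SELECT from_date, to_date, full_name, email, city FROM `' . $table . '` WHERE '
     . implode(' AND ', $conditions);

$stmt = mysqli_prepare($connection, $sql);
if ($stmt === false) {
    // Log the failure server-side; never echo the SQL text back to the browser.
    error_log('Prepare failed: ' . mysqli_error($connection));
    exit('Query failed.');
}
if ($params !== []) {
    // Argument unpacking passes the array elements by reference, which
    // mysqli_stmt_bind_param() requires (PHP 5.6+).
    mysqli_stmt_bind_param($stmt, $types, ...$params);
}
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);

if ($result !== false && mysqli_num_rows($result) > 0) {
    while ($row = mysqli_fetch_assoc($result)) {
        echo '<tr>';
        foreach (['from_date', 'to_date', 'full_name', 'email', 'city'] as $col) {
            // Encode stored values so they render as text, not as HTML (prevents XSS).
            echo '<td>' . htmlspecialchars((string) $row[$col], ENT_QUOTES, 'UTF-8') . '</td>';
        }
        echo '</tr>';
    }
} else {
    echo '<tr><td colspan="5">No results found.</td></tr>';
}
mysqli_stmt_close($stmt);
```

Two design points worth noting: the query text is fixed before any user value is seen, so the escaping question the answer raises disappears entirely, and the "or die(... $sql)" pattern from the question is replaced with a server-side log because echoing the failed SQL reveals table and column names to whoever submitted the request. The LIKE escaping is about correctness, not injection: without it a search for "%" would match every row.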