kumerbakul I don't want to show search value in url
The main point of the WWW part of the Internet is for people to post content for others to find. If someone finds something they need or like and want to return to that content, the URL is supposed to uniquely correspond to that content so that they can bookmark the URL and/or share that URL and be able to return to that same content. By using $_POST
for searching, this is not possible. Are you sure you want to prevent the user's to your site from being able to use the Internet the way it was designed?
As to why this is not working, have you used print_r() on the inputs and have you echoed the $sql query statement so that you can see what they actually are? You would need to post all the relevant code - the form, the safe_value() function (did you change it to use $_POST?), all the code querying the database (what does your code do when there is no search input?), and the code producing the output from the query for anyone here to be able to help.
Some points about this code, in addition to not using $_POST for searching -
- This code is using the mysqli_escape_string() function. If you haven't set the character set when you make the database connection to match your database table's character set, is it possible for sql special characters in a value to break the sql query syntax, which is how sql injection is accomplished. You should instead use a prepared query. This will provide fool-proof protection for all data types, not just strings. To use a prepared query, you would just build an array of input parameters, including any search wild-card characters at the same point the $wheres array is being built, then supply this array of input parameters to the prepared query.
- If it seems like using the mysqli extension is overly complicated and inconsistent, especially when dealing with prepared queries, it is. This would be a good time to switch to the much simpler and more modern PDO extension.
- You should be using exceptions for database error handling (this is the default setting now in php8+) and in most cases simple let php catch and handle any database exception, where php will use its error related settings to control what happens with the actual error information, via an uncaught exception error (database errors will 'automatically' get displayed/logged the same as php errors.)
- Don't use or die(....) for error handling as this will unconditionally output the raw database errors onto a web page, giving hackers useful information when they intentionally do things that trigger errors. Also, mysqli_error() requires the connection variable as a parameter. Both of these problems will go away when you switch to using exceptions for database statement errors or you use php8+, which uses exceptions for database statement errors by default.
- If a search query doesn't match any rows of data, you should output a message stating so, rather than to output nothing.
- Because the $column name being dynamically added to the sql query syntax could end up being an sql keyword, it should be enclosed in back-tacks to prevent breaking the sql query syntax (edit which was being used in the original code, but which you didn't include in your code.)