How to perform live search using ajax, PHP, and mysql

Question

0.00/5 (No votes)

See more:

I am trying to perform a live search using Ajax,PHP, and MYSQL. The code I have is working. However, the main problem is I can't redirect the user to their profile page once I found the user within the database. I checked the console.log and it has a link to the their profile page. This is the results https://imgur.com/a/I8tXMvH

HTML

HTML

<div class="inner-addon left-addon">
          
          <input class="form-control" type ="text" id ="search"  placeholder="Search for employees..." onkeyup="search(this.value)">
          <div id ="results"></div>
      </div

Ajax Code

JavaScript

      function search(value) {
      if(value.length == 0) 
      {
        $("#results").html("");
      } else {

        $.post("employees.php", {search:value}, function(data){
          $("#results").html(data);
        });
 }
}

PHP Code

PHP

    $search = $_POST['search'];
  $query =" SELECT * FROM employees WHERE firstName LIKE '%$search%' OR lastName LIKE '%$search%'";
   $query = mysqli_query($connect,$query);
  while($row= mysqli_fetch_array($query)){
    echo "<div>";
    echo $row['firstName']."  ".$row['lastName'];
    echo "<a href='profile.php?userId=" . $row["id"] . "'>"; //this is not working
    echo "</div>";

}

User Profile code

PHP

<?php
 $userId = ($_GET['userId']);
    
$query = "SELECT firstName, lastName, middleName, gender, ssn, dob, organization, department, iden, position, salary,health, dental,vision, addressOne, addressTwo, apt, city, _state, zipcode, phone, email FROM employees WHERE id = {$userId}";
$results = mysqli_query($connect, $query);

   while($row = mysqli_fetch_array($results)) {
       $firstName = $row['firstName'];
       $lasttName = $row['lastName'];
       $middletName = $row['middleName'];
       $gender = $row['gender'];     
?>

What I have tried:

I have tried everything and I just can't figure it out.

Posted 22-Oct-18 9:04am

Member 14028652

Updated 23-Oct-18 3:29am

Add a Solution

2 solutions

Solution 1

PHP

$query =" SELECT * FROM employees WHERE firstName LIKE '%$search%' OR lastName LIKE '%$search%'";

Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens door to a vulnerability named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems, a malicious user input and it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia[^]
SQL Injection[^]
SQL Injection Attacks by Example[^]
PHP: SQL Injection - Manual[^]
SQL Injection Prevention Cheat Sheet - OWASP[^]
How can I explain SQL injection without technical jargon? - Information Security Stack Exchange[^]

Posted 22-Oct-18 9:32am

Patrice T

Comments

Member 14028652 22-Oct-18 15:42pm

Is this the the cause to my problem?

Patrice T 22-Oct-18 15:46pm

you have 6 links at the end of solution, have a good reading.

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Richard Deeming · Accepted Answer · 2018-10-23T03:29:00

You have an empty <a> element, which the user will not be able to click on.

Move the opening tag before the name, and add a closing tag:

PHP

echo "<div>";
echo "<a href='profile.php?userId=" . htmlspecialchars($row["id"]) . "'>";
echo htmlspecialchars($row['firstName'])."  ".htmlspecialchars($row['lastName']);
echo "</a>";
echo "</div>";

NB: Use htmlspecialchars[^] to avoid persisted cross site scripting (XSS) attacks[^].

And don't ignore the SQL Injection vulnerabilities that Patrice mentioned.