Error Search PHP and MySQL Database

2

I am making a page that looks for information in tables of a MySQL database, the connection is beautiful, but two errors are appearing:

  

Warning: mysqli_stmt::bind_param(): Number of variables does not match number of parameters in prepared statement in /home/----/public_html/search.php on line 7

     

Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, object given in /home/----/public_html/search.php on line 15

My php code looks like this:

<?php

include ('conecta.php');

$pesquisa_rapida = $_POST["txtpesquisa"];
$sql=$mysqli->prepare("SELECT * FROM tabela WHERE nm_candidato LIKE '%".$pesquisa_rapida."%'");
$sql->bind_param("s",$pesquisa_rapida);

$sql->execute();
$sql->store_result();
$result=$sql->affected_rows;

if ($result > 0){

        while($linha = mysqli_fetch_array($sql)){
           $nm_candidato = $linha['nm_candidato'];        
           $nm_candidatura = $linha['nm_candidatura']; 
           $ds_cargo = $linha['ds_cargo'];
           echo "<strong>Nome: </strong>".@$nm_candidato;
           echo "<br /><br />"; 
           echo "<strong>Nome Candidatura: </strong>".@$nm_candidatura;
           echo "<br /><br />"; 
           echo "<strong>Cargo: </strong>".@$ds_cargo;
           echo "<br /><br />"; 
        }
}
else {
    echo "Desculpe, nada foi encontrado";
}   
?>
    
asked by anonymous 29.03.2016 / 17:22

3 answers

3

Your code binds a value, but no placeholder ( ? ) has been passed in the query; also, the wildcards ( % or _ ) go in the variable with the term to be searched and not in the SQL. The second error is caused by the first one. To fix this and to use sql injection, change the variable to a question mark:

Change:

$sql=$mysqli->prepare("SELECT * FROM tabela WHERE nm_candidato LIKE '%".$pesquisa_rapida."%'");

To:

$pesquisa_rapida = '%'. $_POST["txtpesquisa"] .'%';
$sql=$mysqli->prepare("SELECT * FROM tabela WHERE nm_candidato LIKE ?");
$sql->bind_param("s",$pesquisa_rapida);
$sql->execute(); // the statement must be executed before get_result()
$res = $sql->get_result();
$result=$sql->affected_rows;

while($linha = $res->fetch_assoc()){
   // remaining lines
}
    
29.03.2016 / 17:25
1

Change the line:

while($linha = mysqli_fetch_array($sql)){

To

while($linha = mysqli_fetch_array($result)){

Why don't you use num_rows?

    
29.03.2016 / 18:18
0

Thank you for your help. It looks like this:

<?php

    include ('conecta.php');

    $pesquisa = '"%'. $_POST["txtpesquisa"] .'%"';

    $connection = mysqli_connect($host, $user, $pass,$database);
    if (!$connection) {
        echo ("Erro ao conectar!");
    }

    $query = "SELECT * FROM tabela "
            . "WHERE nome LIKE ".$pesquisa."";
    $result =  mysqli_query($connection,$query);
    if (!$result) {
        die("Query invalida");
    }

    while ($linha=  mysqli_fetch_array($result,MYSQLI_ASSOC)) {

        if ($result > 0){
            echo "Nome: $linha[nome]<br />";
            echo "<hr>";
        }
        else {
            echo "nada foi encontrado";
        }
    }
?>
    
29.03.2016 / 21:05
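
The prepared-statement approach from the first answer, carried through end to end as an added example (not code from any post in this thread); the last post's version goes back to concatenating $_POST into the query text, which drops the parameter binding. It goes slightly beyond the thread by escaping LIKE wildcards in the search term and HTML-encoding the output. Assumptions: conecta.php provides $mysqli as in the question, mysqlnd is available for get_result(), the table and column names are the question's, and the helper names like_contains, buscar_candidatos and h are made up for illustration.

```php
<?php
// Added example, not code from the thread. Assumes conecta.php defines
// $mysqli (a connected mysqli object, as in the question) and mysqlnd.
include 'conecta.php';

// Build a "contains" pattern. LIKE metacharacters in the user's term are
// escaped so "%" and "_" match literally instead of acting as wildcards.
function like_contains(string $term): string
{
    return '%' . addcslashes($term, '\\%_') . '%';
}

// The search term only ever travels as a bound parameter, never as SQL text.
function buscar_candidatos(mysqli $mysqli, string $term): array
{
    $stmt = $mysqli->prepare(
        'SELECT nm_candidato, nm_candidatura, ds_cargo
           FROM tabela WHERE nm_candidato LIKE ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $pattern = like_contains($term);
    $stmt->bind_param('s', $pattern);   // one type letter per "?" in the query
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    // get_result() hands back the mysqli_result that fetch functions expect.
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Encode database values before they are written into the HTML page.
function h(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Accept only a plain string from the form field.
$term = is_string($_POST['txtpesquisa'] ?? null) ? $_POST['txtpesquisa'] : '';
$rows = buscar_candidatos($mysqli, $term);

if (count($rows) === 0) {
    echo 'Desculpe, nada foi encontrado';
}
foreach ($rows as $linha) {
    echo '<strong>Nome: </strong>' . h($linha['nm_candidato']) . '<br /><br />';
    echo '<strong>Nome Candidatura: </strong>' . h($linha['nm_candidatura']) . '<br /><br />';
    echo '<strong>Cargo: </strong>' . h($linha['ds_cargo']) . '<br /><br />';
}
```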