
I am trying to sort images with a title that I have previously uploaded. However, I always get all the images in the database. Can someone help me with this? I am still a beginner in PHP.

 <div class="container-gallery">
  <form class="form-horizontal" action="gallery.php" method="post">
  <label>Filter:</label>
  <input type="radio" name="video" value="Video" class="form-control">Videos
  <input type="radio" name="bücher" value="Bücher" class="form-control">Bücher
  <input type="radio" name="bilder" value="Bilder" class="form-control">Bilder
  <input type="submit" name="submit" value="Senden" class="form-control"></input>
.
</form>

    
      

      <?php 

        if(isset($_POST['submit'])){
          $video = $_POST['video'];
          $book = $_POST['bücher'];
          $pic = $_POST['bilder'];
          // Get images from the database
              $query = $conn->query("SELECT * FROM images WHERE title Like '%$video%' OR '%$book%' OR '%$pic%'");

              if ($query->num_rows > 0) {
                while ($row = $query->fetch_assoc()) {
                  $imageURL = 'upload/' . $row['file_name'];
                 ?> 
                 <img src="<?php echo $imageURL; ?>" alt="" width="300px" height="300px" />
                 <?php
              }
        }
        else{
          ?>
          <p>Data not Found</p>
          <?php
        }
      }
      ?>

    </div>
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still at risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman May 13 '21 at 14:20
  • Check the syntax for your LIKE operator. – Dharman May 13 '21 at 14:21
  • You can't chain `OR`s like that. You need to specify the field each time e.g. `title LIKE '%$video%' OR title LIKE '%$book%' OR title LIKE '%$pic%'` – ADyson May 13 '21 at 14:27
  • I have changed it to SELECT * FROM images WHERE title Like '%$video%' OR title Like '%$book%' OR title Like '%$pic%' but it still does not work – Dominik Hard May 13 '21 at 15:52
  • @Dharman I will read about it and change – Dominik Hard May 13 '21 at 15:54
  • Here is a helpful tip: https://stackoverflow.com/questions/28385145/correct-way-to-use-like-var-with-prepared-statements-mysqli – Dharman May 13 '21 at 15:54
  • "does not work" isn't a useful description of your problem. Is there an error? Are you even checking for errors? Have you done any other debugging, like checking the content of your POST variables or the content of the final SQL string? – ADyson May 13 '21 at 18:09
  • @ADyson Yes I have checked the contents of the POST variables. Could not solve the problem. But I managed it with another tutorial. – Dominik Hard May 14 '21 at 13:27
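
What the comments point to (the column named in every `LIKE` condition, values bound through a prepared statement), as an added example that is not code from the question or from any commenter. It assumes PDO with an in-memory SQLite database in place of the page's MySQL `$conn`; `likeContains()` and `findImages()` are hypothetical helper names and the table rows are constructed.

```php
<?php
declare(strict_types=1);
// Added example: PDO + in-memory SQLite stand in for the page's MySQL $conn.

/** Wrap a term in % and escape LIKE wildcards so input is matched literally. */
function likeContains(string $term): string
{
    return '%' . strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
}

/** File names whose title contains any submitted filter value (hypothetical helper). */
function findImages(PDO $pdo, array $post): array
{
    $terms = [];
    foreach (['video', 'bücher', 'bilder'] as $field) { // field names from the form
        $value = is_string($post[$field] ?? null) ? trim($post[$field]) : '';
        if ($value !== '') { // an empty value would become '%%' and match every row
            $terms[] = likeContains($value);
        }
    }
    if ($terms === []) {
        return [];
    }
    // The column is named in every condition; values are bound, never concatenated.
    $where = implode(' OR ', array_fill(0, count($terms), "title LIKE ? ESCAPE '!'"));
    $stmt = $pdo->prepare("SELECT file_name FROM images WHERE $where");
    $stmt->execute($terms);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE images (title TEXT, file_name TEXT)');
$insert = $pdo->prepare('INSERT INTO images (title, file_name) VALUES (?, ?)');
foreach ([['Video intro', 'a.jpg'], ['Bücher Regal', 'b.jpg'], ['Bilder 2021', 'c.jpg']] as $row) {
    $insert->execute($row);
}

// Simulated $_POST arrays: a normal filter, then a quote-laden value that stays plain data.
foreach ([['bilder' => 'Bilder'], ['video' => "' OR '1'='1"]] as $post) {
    $files = findImages($pdo, $post);
    printf("%d match(es)\n", count($files));
    foreach ($files as $file) {
        echo '<img src="upload/', htmlspecialchars($file, ENT_QUOTES), '" alt="">', "\n";
    }
}
```

The `ESCAPE '!'` clause is used instead of a backslash so the same query text behaves identically on SQLite and MySQL.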
