search data from html input in mysql

I want to get data from my database (mysql) and show it on the website, the script schould be save.

This is the struture of files I have already:

/includes
    db_connect.php
    functions.php
    getdata.php
    logout.php
    process_login.php
    psl-config.php
    register.inc.php
/js
    forms.js
    sha512.js
login.php
protected_page.php
register.php
register_success.php
seach.php

Now follow the important files: psl-config.php

<?php
/**
 * Das sind die Login-Angaben für die Datenbank
 */  
define("HOST", "localhost");     // Der Host mit dem du dich verbinden willst.
define("USER", "sec_user");    // Der Datenbank-Benutzername. 
define("PASSWORD", "eKcGZr59zAa2BEWU");    // Das Datenbank-Passwort. 
define("DATABASE", "secure_login");    // Der Datenbankname.

define("CAN_REGISTER", "any");
define("DEFAULT_ROLE", "member");

define("SECURE", FALSE);    // NUR FÜR DIE ENTWICKLUNG!!!!
?>

The db_connect.php

<?php
include_once 'psl-config.php';   // Da functions.php nicht included ist
$mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE);
?>

This is my search.php

<?php
include_once 'includes/db_connect.php';
include_once 'includes/functions.php';

sec_session_start();
?>
<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8">
        <title>Secure Login: Protected Page</title>
        <link rel="stylesheet" href="styles/main.css" />
    </head>
    <body>
        <?php if (login_check($mysqli) == true) : ?>
            <p>Welcome <?php echo htmlentities($_SESSION['username']); ?>!</p>

            <h3>Search  Contacts Details</h3> 
            <p>You  may search either by first or last name</p> 
            <form  method="post" action="search.php?go"  id="searchform"> 
                <input  type="text" name="name"> 
                <input  type="submit" name="submit" value="Search"> 
            </form>
        <?php else : ?>
            <p>
                <span class="error">You are not authorized to access this page.</span> Please <a href="login.php">login</a>.
            </p>
        <?php endif; ?>
    </body>
</html>

Where should I put my textbox entry to make a safe search for my website? Is my code safe to use?

This is my sql command: SELECT * FROM produckte WHERE beschreibung = $search LIMIT 100;

I want to print the result on the search website.

Solution 1:

first, change your input-search's name to 'search':

<input  type="text" name="search">

You are sending your form, to the same .php file, using the 'POST' method. This means you can access what ever information being sent to the page, by accessing the $_POST variable.

Add this to the top of your search.php file, inside the <?php ?> tags:

if (isset($_POST['search']) {
  echo $_POST['search'];
}

this will give you the idea of how to handle data being post from a <form>.

Have a look at this PHP doc, regarding dealing with forms.

mysqli allows you to use prepared-statements, which is a safe way to pass user-input to database-queries.

An example on how to query DB with prepared statments:

if (isset($_POST['search']) {
  $stmt = $mysqli->prepare("SELECT * FROM produckte WHERE beschreibung = ? LIMIT 100;")
  $stmt->bind_param("s", $_POST['search']);
  $stmt->execute();

  $result = $stmt->get_result();
  while ($row = $result->fetch_array(MYSQLI_NUM))
  {
    .....handle your data here....
  }
  $stmt->close();
}