Jquery Autocomplete

Hi,

Good day!

I created a search box and my problem is when I type Employee ID the auto list displayed is Employee Name, I need to display on the list is based on what I type. I don't know if it is possible that in one search box I can search Employee name then the list of names will display, when I type Employee ID, employee id list will display. same with Passport no and res id.

Now, when I type Employee Id or Passport No or res id and employee name. the displayed list is employee name.

this is my code:

<script type="text/javascript" src="js/jquery.js"></script>
     <script type='text/javascript' src='js/jquery.autocomplete.js'></script>
     <link rel="stylesheet" type="text/css" href="js/jquery.autocomplete.css" />
<script type="text/javascript">
//----auto complete emp no--//

$().ready(function() {
  $("#search_data").autocomplete("get_emp_info.php", {
  width: 237,
    minLength: 3,//search after three characters
  matchContains: true,
  mustMatch: true,
  selectFirst: false
  });
   
  });
</script>

  <table>
     <tr>
     <td style="border: none;color:#80600a;font-weight:bold;">Search:</td>
     <td><input type="text" name="search_data" id="search_data" value="" size="35" autofocus></td>
     </tr>
     </table>

Code (markup):

<?php
ob_start();
include('includes/connection.php');
$q = strtolower($_GET["q"]);

if ($q == '') {
  header("HTTP/1.0 404 Not Found", true, 404);

}
//else (!$q) return;
else{
$sql = "SELECT pe.employee_no, pe.employee_name, pe.passport_no,
   gov.res_id
   FROM tbl_personal_info AS pe JOIN tbl_public_info AS pu ON (pe.employee_no = pu.employee_no) JOIN tbl_e_government_info AS gov ON (pu.employee_no = gov.employee_no)
   WHERE pe.employee_no LIKE '%".$q."%' OR pe.employee_name LIKE '%".$q."%' OR pe.passport_no LIKE '%".$q."%' OR gov.res_id LIKE '%".$q."%'";
$result = $conn->query($sql);

if ($result->num_rows > 0) {
  // output data of each row
  while($row = $result->fetch_assoc()) {
     $pid = $row["employee_no"];
     $employee_name = $row["employee_name"];
     $passport_no = $row["passport_no"];
     $res_id = $row["res_id"];
 
     
     echo "$employee_name|$pid|$passport_no|$res_id\n";
   }
} else {
  echo "0 results";
}
$conn->close();  
}
?>

Code (markup):

 

Well, the script is horribly insecure, as you're pasting user-input (the searchquery variable) directly into the SQL-query. VERY bad practice. Also, the code for the search-box is horrible, and shold be fixed.
However, the result shown should match - since you don't provide any info about how the autocomplete-javascript function works, there's no way for us to know how the echoed result is interpreted. It looks a bit weird that it should return results with a | as limiter, but that might be some weird hack by the writer of the script. I'd return JSON, and decode it on the receiving end, but to each his own.

 

What @PoPSiCLe said -- + over 9000.

What makes labels and inputs a table? Where even IS your label? (You do know there's a tag for that, right?)

... and assuming $conn is either a PDO or mysqli object, you should be using prepared queries, not blindly pasting values into it and using the ->query method.

As to isolating different values, a separate select to say what is being searched for might be in order -- you could also do some form of prefix; a single letter or symbol to say what's being looked for -- not very intuitive, but also very powerful.

 

I am using mysqli Sir.

I'm not familiar with json decode.

my jquery function works like this:

when I type on the search box he will gets the list data suggested on the database.

I think the reason why even I type employee no the employee name still appear:

echo "$employee_name|$pid|$passport_no|$res_id\n";

because the first echo is the employeename.

 

q=';drop table;

 

What is this Sir?

Thank you.

All I need is a search box where I can search anything from database like google.

 

This is an example of a SQL injection, which your code looks vulnerable to. You should definitely check this out before you publish the code because it's very insecure and someone could delete your database.

https://www.owasp.org/index.php/SQL_Injection