Quote:
$query = "SELECT ISO_id, height, weight, gender, sport FROM Cyclist WHERE ISO_id LIKE '%sumbit%'";
Not like that!
Thankfully, you haven't inserted anything into the SQL query to represent the search value. If you had, you would have introduced a SQL Injection vulnerability.
You need to use a prepared statement:
PHP: Prepared statements and stored procedures - Manual
$ISO_id = $_GET['country ISO_id'];   // user input is never concatenated into the SQL text
$query = "SELECT ISO_id, height, weight, gender, sport FROM Cyclist WHERE ISO_id LIKE ?";   // ? is a bound placeholder
$stmt = $conn->prepare($query);      // $conn is a PDO connection
$result = $stmt->execute(["%$ISO_id%"]);   // the wildcards go in the bound value, not the query
NB: It's usually best to avoid spaces in the name attribute of your form controls.
In your printf statement, you're only printing two values from the record - the height and weight.
PHP: printf - Manual
Depending on where the data comes from, you may also need to HTML-encode the values when you write them out, to avoid a persisted cross-site scripting vulnerability.
Cross Site Scripting (XSS) | OWASP
PHP: htmlspecialchars - Manual