The following example creates a prepared statement that selects a specific album from the database. DB.Prepare returns an sql.Stmt representing a prepared statement for a given SQL text. You can pass the parameters for the SQL statement to Stmt.Exec, Stmt.QueryRow, or Stmt.Query to run the statement.

// AlbumByID retrieves the specified album.
func AlbumByID(id int) (Album, error) {
    // Define a prepared statement. You'd typically define the statement
    // elsewhere and save it for use in functions such as this one.
    stmt, err := db.Prepare("SELECT * FROM album WHERE id = ?")
    if err != nil {
        log.Fatal(err)
    }
    // A prepared statement holds a server-side resource; release it when done.
    defer stmt.Close()

    var album Album

    // Execute the prepared statement, passing in an id value for the
    // parameter whose placeholder is ?
    // err is already declared above, so assign with = rather than :=
    err = stmt.QueryRow(id).Scan(&album.ID, &album.Title, &album.Artist, &album.Price, &album.Quantity)
    if err != nil {
        if err == sql.ErrNoRows {
            // Handle the case of no rows returned.
        }
        return album, err
    }
    return album, nil
}

That's because you're returning $user in the first iteration of the while loop itself, so the loop won't even go on to the 2nd iteration. Plus, you're also closing the statement object ($stmt->close();) in the first iteration itself. Instead, your code block should be like this:


// your code
if ($stmt->execute()) {
    $result = $stmt->get_result();
    $usersArr = array();
    while ($user = $result->fetch_assoc()){
        $usersArr[] = $user;
    }
    $stmt->close();
    return $usersArr;
} else {
    return NULL;
}
// your code

What are all these variables for? How are you going to call this function - with a list of gibberish SQL stubs in a random order instead of a plain and simple SQL string? And how do you designate a list of columns to select? How do you use JOINs? SQL functions? Aliases? Why can't you just write a single SQL statement right away? You already have a function for selects, though without this barbaric error reporting code you added to it:


function prepared_query($mysqli, $sql, $params, $types = ""){
    // default every placeholder to a string type unless told otherwise
    $types = $types ?: str_repeat("s", count($params));
    $stmt = $mysqli->prepare($sql);
    $stmt->bind_param($types, ...$params);
    $stmt->execute();
    return $stmt;
}

Here's how you can do it:


<?php
// Create connection
$mysqli = new mysqli("localhost", "<db_user>", "<db_password>", "<db_name>"); // placeholders: keep real credentials in a config file outside the web root, not in source

// Check connection
if ($mysqli->connect_errno) {
    echo "Failed to connect to MySQL: ".$mysqli->connect_error;
    exit();
}

// sql to delete a record
$phone = $_POST['phone'];

// Using prepared statements to avoid SQL injections...
$stmt = $mysqli->prepare("DELETE FROM PHONENO WHERE phone = ?");
$stmt->bind_param("s", $phone); // put i if you're storing your phone number as an integer
$stmt->execute();

if($stmt->affected_rows){
    $ph=(int)$phone;

    $curl = curl_init();
    $msg="Your appointment with Dr.Phaniraj is cancelled.";
    curl_setopt_array($curl, array(
        // <FAST2SMS_API_KEY> is a placeholder: load the real key from configuration, never commit it
        CURLOPT_URL => "https://www.fast2sms.com/dev/bulk?authorization=<FAST2SMS_API_KEY>&sender_id=CHKSMS&message=".urlencode($msg)."&language=english&route=p&numbers=".$ph,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_ENCODING => "",
        CURLOPT_MAXREDIRS => 10,
        CURLOPT_TIMEOUT => 30,
        // keep TLS verification on; setting these to 0 would let anyone on the path read the API key
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
        CURLOPT_CUSTOMREQUEST => "GET",
        CURLOPT_HTTPHEADER => array(
            "cache-control: no-cache"
        ),
    ));

    $response = curl_exec($curl);
    $err = curl_error($curl);

    curl_close($curl);

    echo "<h3 align=\"center\">Your slot has been cancelled successfully!</h3>";
} else {
    echo "Error deleting record: ".$stmt->error;
}

$stmt->close();

Your issue is that you are currently searching the value of your button, not your search bar -

$searchq = $_POST['Search'];

You want

$searchq = $_POST['searchbar'];

At the bare minimum, you could use mysqli_real_escape_string()

$searchq = mysqli_real_escape_string($conn, $_POST['searchbar']);

but I would recommend going a step further and learning how to use prepared statements/placeholders, i.e.

// bind_param() takes its arguments by reference, so build the pattern in a variable first
$searchq = "%".$_POST['searchbar']."%";
$stmt = $conn->prepare("SELECT * FROM users WHERE usernam LIKE ?");
$stmt->bind_param('s', $searchq);
$stmt->execute();
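An added example, not part of the answer above, that takes the prepared LIKE query one step further: binding the pattern removes SQL injection, but a user who types % or _ still gets wildcard matching, so the input is escaped for LIKE before the wildcards are added. It assumes an open mysqli connection $conn and a table users with a username column (both assumed).

```php
<?php
// Added example. Assumes $conn is an open mysqli connection and a table
// `users` with a `username` column exists (assumed names).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // mysqli throws on failure

/**
 * Escape the LIKE metacharacters (%, _ and the escape character itself) so
 * that user input is matched literally once the surrounding wildcards are added.
 * '!' is used as the escape character to avoid backslash handling differences.
 */
function like_escape(string $value, string $escape = '!'): string
{
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

/** Return the usernames containing $needle as a literal substring. */
function search_users(mysqli $conn, string $needle): array
{
    // Build the pattern first: bind_param() needs a variable, not an expression.
    $pattern = '%' . like_escape($needle) . '%';

    // ESCAPE '!' tells the server which character like_escape() used.
    $stmt = $conn->prepare(
        "SELECT username FROM users WHERE username LIKE ? ESCAPE '!' LIMIT 100"
    );
    $stmt->bind_param('s', $pattern);
    $stmt->execute();

    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return array_column($rows, 'username');
}

$needle = $_POST['searchbar'] ?? '';
foreach (search_users($conn, $needle) as $name) {
    // escape for HTML output as well; a safe query does not make the page output safe
    echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

A search for "50%" now matches only usernames containing the literal text 50%, rather than every username starting with 50.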

Here's an example of how I'd write this. I'm using PDO here simply because that's my go-to API, but you can continue to use mysqli.


<?php
$stmt = $pdo->prepare("SELECT count(*) FROM following WHERE follower_id = ? AND followed_id = ?");
$stmt->execute([
    $_SESSION['user_id'], // logged-in user
    $_GET['id']           // who we are following
]);

// How to count when using PDO - https://phpdelusions.net/pdo_examples/count
$count = $stmt->fetchColumn();

if ($count > 0) {
    // show `unfollow` form
} else {
    // show `follow` form
}

As you are developing this system it would be sensible to adopt best practices earlier rather than later - in this instance I refer to SQL injection and alas the above code is vulnerable. My guess with the above is the lack of quotes around the embedded variable - code_ticket = $order ~ if $order is a string then it needs quotes. That said it is very easy to inject this with nastiness so a prepared statement would be the way forward. I quickly rewrote your code to show how you might use both a try/catch block and a prepared statement to hopefully resolve the problem and make the code more secure going forward.


<?php

    if( $link && $_SERVER['REQUEST_METHOD']=='POST' && !empty( $_POST["order"] ) ){
        try{

            $order = $_POST['order'];

            /* basic query with placeholder for variable */
            $sql = 'select `shipping_status` from `orders` where `code_ticket` = ?';

            /* create the prepared statement object */
            $stmt = $link->prepare( $sql );

            /* if the query failed raise an exception to indicate failure */
            if( !$stmt ) throw new Exception( 'Failed to prepare sql' );

            /* so far so good. Bind placeholder to a variable */
            $stmt->bind_param( 's', $order );

            /* execute the query */
            $result = $stmt->execute();

            /* deal with recordset */
            if( !$result ) throw new Exception( 'No results: Order not placed' );
            else {

                /* bind column data to an output variable */
                $stmt->bind_result( $status );

                /* fetch the records */
                $stmt->fetch();

                /* do something with output variable */
                printf( 'Shipping Status: %s', $status );


                $stmt->free_result();
                $stmt->close();

            }
        }catch( Exception $e ){
            exit( $e->getMessage() );
        }
    }

?>

When you're using placeholders, you don't need to quote them. When you have ':time' in your SQL, as in:

$stmt = $db->prepare("INSERT INTO messages (message_id, timestamp, uid, admin, read, edited, message) VALUES ('',':time',':uid',':admin','','',':message')");

it's passing a string with the text :time to the database. Your SQL should look like:

$stmt = $db->prepare("INSERT INTO messages (message_id, timestamp, uid, admin, read, edited, message) VALUES ('',:time,:uid,:admin,'','',:message)");

You also don't necessarily need to have fields in your INSERT, if there's no data being added. If a column is missing, the row will be added using the default value for that column, based on the table's design; or NULL if there isn't one. If it's an AUTO_INCREMENT field, then it shouldn't be in your INSERT statement, as it's going to cause issues. You can't use this on fields that are set to NOT NULL, and it's important to remember that NULL and '' are different values, so using this will depend on how you've written the rest of the code; but you can get away with code as short as:

$stmt = $db->prepare("INSERT INTO messages (timestamp, uid, admin, message) VALUES (:time,:uid,:admin,:message)");

a) You need some kind of error handling: prepare() may fail, bind_param() may fail, execute() may fail and so on. Either check the return value of the function calls (every, single, one) or instruct mysqli to report errors (i.e. mysql's errno != 0) as exceptions.
b) if(execute()===true) isn't sufficient. The statement can execute just fine yet return no records (because nothing matched the WHERE clause, e.g.); that's not an error, so execute() would still return something truthy.
c) Storing the plain user password in the database is a no-go. Use a hash function, e.g. password_hash(). That would imply not having the password in the WHERE clause but selecting that value and then comparing it "within" your PHP script.


// assuming report mode=exception; so no further error handling here....
// the field `password` contains the result of password_hash()
$stmt = $mysqli->prepare("SELECT id,`password` FROM users WHERE username=?");
$username = $_POST["username"];
$stmt->bind_param("s", $username);
$stmt->execute();
$stmt->bind_result($result_id, $result_passwort);
$stmt->fetch(); // will return FALSE if there is no matching record, i.e. no such user
// but we don't care because $result_passwort will be NULL in that case and password_verify() will fail reliably
// you wouldn't want to make a distinction between "no such user" and "wrong password" in the feedback for the user anyway....
if (!password_verify($_POST["password"], $result_passwort))
{
    // login failed....
    // redirect to "you are not logged in" page
}
else {
    // credentials ok
    // mark user as logged in, e.g. in $_SESSION
    // redirect to content-page
    // also please read up on how to handle login attempts, e.g. when and how to use http://docs.php.net/session_regenerate_id
    // default: _every_ login _attempt_ counts
}
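An added example, not the answer's own code, that fills in the parts the snippet above assumes: the mysqli_report() call that makes failures throw (point a), the registration side that stores a password_hash() (point c), and the fetch() check for "no row" (point b). It assumes an open mysqli connection $mysqli and a table users with columns id, username and password (assumed names).

```php
<?php
// Added example (not the answer's code). Assumes an open mysqli connection
// $mysqli and a table `users` (id, username, password) where `password`
// stores the output of password_hash().
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // (a) failures throw
session_start();

/** Registration: store a hash, never the plain password (point c). */
function register(mysqli $mysqli, string $username, string $password): int
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $mysqli->prepare("INSERT INTO users (username, `password`) VALUES (?, ?)");
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
    return (int)$mysqli->insert_id;
}

/** Login: returns the user id on success, null on any failure. */
function login(mysqli $mysqli, string $username, string $password): ?int
{
    $stmt = $mysqli->prepare("SELECT id, `password` FROM users WHERE username = ?");
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch(); // (b) execute() succeeded, but there may be no row
    $stmt->close();

    // Unknown user: verify against a throwaway hash so the response time does
    // not reveal whether the username exists. Computed once per process.
    static $dummy = null;
    $dummy ??= password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);
    $ok = password_verify($password, $found ? (string)$hash : $dummy);
    return ($found && $ok) ? (int)$id : null;
}
try {
    $id = login($mysqli, $_POST['username'] ?? '', $_POST['password'] ?? '');
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage()); // details go to the log, not to the user
    $id = null;
}
if ($id === null) {
    header('Location: /login.php?failed=1'); // one message for "no such user" and "wrong password"
    exit;
}
session_regenerate_id(true); // fresh session id once the user is authenticated
$_SESSION['user_id'] = $id;
header('Location: /index.php');
exit;
```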

It depends on how you are going to determine lo_val and hi_val. I'd probably use I4GL (because I'm fluent in it) and then I'd expect to prepare the UPDATE statement (with question marks in place of 'lo_val' and 'hi_val'), and then I'd expect to execute it a number of times, each time forming a single-statement transaction. So, if you decided to go with ranges of lo_val..hi_val of 000000..099999, 100000..199999, ... then you'd iterate:


for i = 0 to 10000000 step 100000
    let j = i + 99999
    execute p_update using i, j
end for
