mysql_connect("localhost","root","") or die ("could not connect");
mysql_select_db("search_test") or die ("could not find db!");

    $searchq = $_POST['search'];
    $searchq = preg_replace("#[^0-9a-z]#i","",$searchq); 

    $query = mysql_query("SELECT * FROM members WHERE firstname LIKE '%$searchq%' OR lastname LIKE '%$searchq%'") or die ("could not search!");
    $count = mysql_num_rows($query);
 if ($count == 0 ) {
  $output = 'There was no search results!';
        while($row = mysql_fetch_array ($query)) {
            $fname = $row ['firstname'];
            $lname = $row ['lastname'];
            $id = $row ['ID'];

            $output .='<div>'.$fname.' '.$lname.' </div>';
print $output = ""; ?> <html> <head> <meta http-equiv="content-Type" content="txt/html; charset=utf=8" /> <title>Search</title> </head> <body> <form action="index.php" method="post"> <input type="test" name="search" placeholder="Search for members..."> <input type="submit" value="GO" /> </form> </body> </html>


Hi, you should give us more details:

  • what looks like the input?
  • are you using utf8 or another encoding?
  • do you get the expected input?
  • do you get the expected output from the preg_replace()?

At the moment your preg_replace() pattern is removing spaces and special characters (like èéàòìùçñđĸ) from the search query.

Possibly you should not use preg_replace() to sanitize the input, filter_input() is a better option as the prepared statements for your queries.