First, you don't have to do the HTML blocks outside of the PHP like I am; that part is bad practice, and I am only displaying it because it is code I had already written for myself. OK, what I'm doing is giving the user a select box to choose his criteria from, and an input box to set the value. I don't clean the user's input beyond real escape string, but you definitely should. Anyway, I check the post value against an array of valid values, so that any other post value offered will result in an error. All that's left to do is display your results.
Code:
<?php if (! isset($_POST['submit'])){ //show form ?>
<form name="user_search" action="search_user.php" method="post" style="margin:20px;">
    <select name="search_criteria">
        <option value="last_name">Last Name</option>
        <option value="email">Email</option>
        <option value="id">User ID</option>
    </select>
    <input type="text" name="needle" />
    <input type="submit" name="submit" value="Search" />
</form>
<?php } else { //process form
    // only these column names are accepted as search criteria
    $valid_array = array('email','id','last_name');
    if (! in_array($_POST['search_criteria'], $valid_array)){
        die('<h1>Injection fail. Sucks to be you</h1><br /><br />');
    } else {
        // the column name passed the check above; the search value is only escaped
        $sql = "SELECT id,email,first_name,last_name FROM user WHERE LOWER(".mysql_real_escape_string($_POST['search_criteria']).")='".strtolower(mysql_real_escape_string($_POST['needle']))."'";
        $results = User::find_many_by_sql($sql);
?>
<!-- display $results here -->
<?php
    } // end of valid criteria branch
} // end of form processing
?>
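Added example, not part of the original post: the same allowlist check on the column name, with the search value sent as a bound parameter instead of being escaped into the SQL string. It assumes PDO with the pdo_sqlite driver and an in-memory `user` table holding constructed rows; `search_users` and `SEARCHABLE` are hypothetical names.

```php
<?php
// Added example, not the poster's code. Assumes PDO with the pdo_sqlite
// driver; the table mirrors the post's `user` columns, rows are constructed.

// The allowlist maps each form value to a column name written in this file,
// so nothing from the request is ever spliced into the SQL text.
const SEARCHABLE = [
    'last_name' => 'last_name',
    'email'     => 'email',
    'id'        => 'id',
];

function search_users(PDO $db, $criteria, $needle): array
{
    // Reject arrays (search_criteria[]=x) and anything not on the list.
    if (!is_string($criteria) || !is_string($needle)
        || !array_key_exists($criteria, SEARCHABLE)) {
        throw new InvalidArgumentException('Invalid search input');
    }
    $column = SEARCHABLE[$criteria];
    // The needle travels as a bound parameter, never as SQL text.
    $stmt = $db->prepare(
        "SELECT id, email, first_name, last_name FROM user
         WHERE LOWER($column) = LOWER(:needle)"
    );
    $stmt->execute([':needle' => $needle]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT, first_name TEXT, last_name TEXT)');
$db->exec("INSERT INTO user VALUES (1, 'ann@example.test', 'Ann', 'O''Neil'),
                                   (2, 'bob@example.test', 'Bob', 'Stone')");

// Constructed inputs: a normal search, a quote-bearing needle, a bad column.
$cases = [
    ['last_name', "o'neil"],
    ['email', "x' OR '1'='1"],
    ['password', 'x'],
];
foreach ($cases as [$criteria, $needle]) {
    try {
        printf("%-9s %-14s -> %d row(s)\n", $criteria, $needle, count(search_users($db, $criteria, $needle)));
    } catch (InvalidArgumentException $e) {
        printf("%-9s %-14s -> rejected\n", $criteria, $needle);
    }
}
```

The first case returns one row, the second returns none because the quotes are matched as literal data, and the third is rejected before any SQL is built.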