php - Query is not returning expected results
I have a table that keeps customers, and another that keeps sales.
When I save a sale I keep the customer id, and when I show it in the list, I show the customer id.
The problem is that when searching for a sale it does not leave me only the records of the logged-in client; it shows me all the records.
$query = "SELECT * FROM ventas WHERE idusuario = $_SESSION[k_username] UNION SELECT * FROM reparaciones WHERE marca LIKE '%" . $name . "%' OR modelo LIKE '%" . $name . "%'";
and this:
$query = "SELECT * FROM ventas WHERE idusuario = $_SESSION[k_username] AND marca LIKE '%" . $name . "%' OR modelo LIKE '%" . $name . "%'";
But neither of them works.
Welcome to SO.
I highly recommend researching SQL injection and prepared statements. I will address the question without accounting for the security vulnerabilities in the way you have it set up.
Your query strings are not valid, try this:
$query = "SELECT * FROM ventas WHERE idusuario = '" . $_SESSION['k_username'] . "' UNION SELECT * FROM reparaciones WHERE marca LIKE '%" . $name . "%' OR modelo LIKE '%" . $name . "%'";
and
$query = "SELECT * FROM ventas WHERE idusuario = '" . $_SESSION['k_username'] . "' OR marca LIKE '%" . $name . "%' OR modelo LIKE '%" . $name . "%'";
Also, in the first query using UNION, please make sure both parts of the query return the same number of columns.
update
Examples of SQL injection can be found on the internet (including on the php.net manual page linked above). In the example you gave in the OP, it is not clear if you are sanitizing the data, namely $_SESSION['k_username'] and $name; if you are including these directly in the query string, they may be injection points.
For example, if $name happens to be user input (say, from a search form) and the user supplies:
x'; DELETE FROM usuario WHERE 1=1; --
then when it is used in the second query, the query string becomes (just using 123 as the user id for the example):
SELECT * FROM ventas WHERE idusuario = 123 OR marca LIKE '%x'; DELETE FROM usuario WHERE 1=1; --%' OR modelo LIKE '%x'; DELETE FROM usuario WHERE 1=1; --%'
Now when the query runs, the user table becomes empty.
This is, of course, just one example. Perhaps your user table isn't called 'usuario'... the fact still remains that you have a vulnerability, and it leaves an opening to infiltrate the system. Perhaps someone skims data (usernames, passwords, contact information, etc.), perhaps they inject their own data, perhaps they destroy the entire database, who knows. Do you want to take that risk?
So here is an example of how to use a prepared statement to mitigate the risk:
$sql = "SELECT * FROM ventas WHERE idusuario = :userid OR marca LIKE :name1 OR modelo LIKE :name2";
// The LIKE wildcards belong in the bound value, not in the SQL text, and a
// placeholder inside quotes ( ':name' ) would be a string literal, not a parameter.
// Two distinct placeholders are used because PDO with native (non-emulated)
// prepares does not allow the same named placeholder to appear twice.
$params = array(
    'userid' => $_SESSION['k_username'],
    'name1'  => '%' . $name . '%',
    'name2'  => '%' . $name . '%',
);
$db = new PDO(...); // replace ... with your connection info
$query = $db->prepare($sql);
$query->execute($params);
$results = $query->fetchAll();
This is just one example; there are other ways (some examples are listed in the links above).
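Added example, not part of the question or the answer above: a runnable Python/sqlite3 script that stands in for the PHP/PDO + MySQL setup, since the SQL behaviour it demonstrates is the same on both. The table name `ventas` and the columns `idusuario`, `marca` and `modelo` come from the page; the sample rows and the customer ids 123 and 456 are constructed for the demo. It shows the two things a practitioner would want checked here: that `idusuario = X AND marca LIKE ... OR modelo LIKE ...` with no parentheses parses as `(idusuario = X AND marca LIKE ...) OR modelo LIKE ...` and therefore returns other customers' rows (the symptom described in the question), and that the concatenated string is injectable, next to the bound-parameter form with the `%` wildcards in the bound value and parentheses around the OR.

```python
import sqlite3

# Constructed sample data (not from the page): sales belonging to two
# customers, idusuario 123 and 456. Column names follow the page's table.
SAMPLE_SALES = [
    (1, 123, "Samsung", "Galaxy S8"),
    (2, 123, "Apple", "iPhone 7"),
    (3, 456, "Samsung", "Galaxy A5"),
]


def make_db():
    """In-memory SQLite 'ventas' table standing in for the MySQL one."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE ventas ("
        "id INTEGER PRIMARY KEY, idusuario INTEGER, marca TEXT, modelo TEXT)"
    )
    db.executemany("INSERT INTO ventas VALUES (?, ?, ?, ?)", SAMPLE_SALES)
    db.commit()
    return db


def search_concatenated(db, user_id, name):
    """The question's pattern: input spliced into the SQL text.

    Two defects: SQL parses 'a AND b OR c' as '(a AND b) OR c', so any row
    whose modelo matches is returned regardless of idusuario; and the name
    is injectable because it becomes part of the SQL text."""
    sql = (
        "SELECT id FROM ventas WHERE idusuario = " + str(user_id)
        + " AND marca LIKE '%" + name + "%'"
        + " OR modelo LIKE '%" + name + "%'"
    )
    return sorted(row[0] for row in db.execute(sql))


def search_prepared(db, user_id, name):
    """Hardened form: placeholders, wildcards added to the bound value, and
    parentheses so the OR cannot escape the per-customer filter."""
    pattern = "%" + name + "%"
    sql = (
        "SELECT id FROM ventas WHERE idusuario = ? "
        "AND (marca LIKE ? OR modelo LIKE ?)"
    )
    return sorted(row[0] for row in db.execute(sql, (user_id, pattern, pattern)))


if __name__ == "__main__":
    db = make_db()
    print(search_concatenated(db, 123, "Galaxy"))        # [1, 3]: row 3 belongs to 456
    print(search_concatenated(db, 123, "%' OR 1=1 --"))  # [1, 2, 3]: injection dumps the table
    print(search_prepared(db, 123, "Galaxy"))            # [1]
    print(search_prepared(db, 123, "%' OR 1=1 --"))      # []: treated as a literal pattern
```

The injected value `%' OR 1=1 --` closes the LIKE literal, appends an always-true condition and comments out the rest of the statement; the stacked `DELETE` payload from the answer needs a driver that executes several statements per call, which Python's sqlite3 `execute()` refuses, so the demo uses a read-only payload instead. In the prepared form the same value is only ever compared as data, and the parentheses keep the customer filter in force for every search term, including an empty one.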