php – sqlmap SQL injection not injecting

Hi, I’m relatively new to sqlmap and trying to find an exploit in my web project. Here is how I run it:

python3 sqlmap.py -u "http://localhost/output3/members.php?valueToSearch=mira&search=Filter"

I have tried to use the various variables along with it as follows:

--dbs
--columns
--tables
--level=5
--risk=3

However, it seems that sqlmap is unable to find any injection/exploit. Here is the output of sqlmap:

[21:15:40] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=6c6e4118f5b...b74a20db38'). Do you want to use those [Y/n] y
[21:15:43] [INFO] testing if the target URL content is stable
[21:15:43] [INFO] target URL content is stable
[21:15:43] [INFO] testing if GET parameter 'valueToSearch' is dynamic
[21:15:43] [WARNING] GET parameter 'valueToSearch' does not appear to be dynamic
[21:15:43] [WARNING] heuristic (basic) test shows that GET parameter 'valueToSearch' might not be injectable
[21:15:43] [INFO] testing for SQL injection on GET parameter 'valueToSearch'
[21:15:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:15:43] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[21:15:43] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[21:15:43] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[21:15:43] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[21:15:43] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[21:15:43] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[21:15:43] [INFO] testing 'Generic inline queries'
[21:15:43] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[21:15:43] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[21:15:43] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[21:15:43] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[21:15:43] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[21:15:43] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[21:15:43] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] y
[21:15:44] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[21:15:44] [WARNING] GET parameter 'valueToSearch' does not seem to be injectable
[21:15:44] [INFO] testing if GET parameter 'search' is dynamic
[21:15:44] [WARNING] GET parameter 'search' does not appear to be dynamic
[21:15:44] [WARNING] heuristic (basic) test shows that GET parameter 'search' might not be injectable
[21:15:44] [INFO] testing for SQL injection on GET parameter 'search'
[21:15:44] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:15:45] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[21:15:45] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[21:15:45] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[21:15:45] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[21:15:45] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[21:15:45] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[21:15:45] [INFO] testing 'Generic inline queries'
[21:15:45] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[21:15:45] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[21:15:45] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[21:15:45] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[21:15:45] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[21:15:45] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[21:15:45] [INFO] testing 'Oracle AND time-based blind'
[21:15:45] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[21:15:45] [WARNING] GET parameter 'search' does not seem to be injectable
[21:15:45] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

[*] ending @ 21:15:45 /2020-11-18/

I have attached my source code below for reference as well. In addition, I’m getting "do not access superglobal $_GET array directly" for my code. Any advice would be appreciated.

<?php
if(isset($_GET['search']))
//if(filter_input_array(INPUT_GET, 'search', FILTER_SANITIZE_NUMBER_INT))
{
    $valueToSearch = $_GET['valueToSearch'];
    //$valueToSearch = filter_input_array(INPUT_GET, 'search', FILTER_SANITIZE_NUMBER_INT);

    $query = "SELECT * FROM `user1` WHERE `user` LIKE '%".$valueToSearch."%' OR `name` LIKE '%".$valueToSearch."%' OR `contact_numberH` LIKE '%".$valueToSearch."%' OR `contact_numberM` LIKE '%".$valueToSearch."%'";

    $search_result = filterTable($query);
    
}
 else {
    $query = "SELECT * FROM `user1`";
    $search_result = filterTable($query);
}

// function to connect and execute the query
function filterTable($query)
{
    $connect = mysqli_connect("localhost", "root", "", "fyp2");
    $filter_Result = mysqli_query($connect, $query) or die(mysqli_error($connect));
    return $filter_Result;
}
 ?>
         <form action="members.php" method="get">
            <input type="text" name="valueToSearch" placeholder="Value To Search"><br><br>
            <input type="submit" name="search" value="Filter"><br><br>
            <table>
                <tr>
                    <th>User</th>
                    <th>Name</th>
                    <th>Home Number</th>
                    <th>Mobile</th>
                </tr>

      <!-- populate table from mysql database -->
                <?php while($row = mysqli_fetch_array($search_result)):?>
                <tr>
                    <td><?php echo $row['user'];?></td>
                    <td><?php echo $row['name'];?></td>
                    <td><?php echo $row['contact_numberH'];?></td>
                    <td><?php echo $row['contact_numberM'];?></td>
                </tr>
                <?php endwhile;?>
            </table> 
         </form>
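
For comparison with the string-concatenated query in the question, here is the same search written with bound parameters and filter_input(), as an added example that is not the poster's code. It reuses the connection values, table and column names shown above; the helper names searchMembers() and e() are hypothetical, and get_result()/fetch_all() assume the mysqlnd driver.

```php
<?php
// Added example (not the poster's code): hardened version of the members.php search.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // exceptions instead of die(mysqli_error())

// Hypothetical helper: returns matching rows; $term is never placed in the SQL text.
function searchMembers(mysqli $db, ?string $term): array
{
    $cols = '`user`, `name`, `contact_numberH`, `contact_numberM`';
    if ($term === null || $term === '') {
        return $db->query("SELECT $cols FROM `user1`")->fetch_all(MYSQLI_ASSOC);
    }
    // Escape LIKE metacharacters so a typed % or _ matches literally, then add wildcards.
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt = $db->prepare(
        "SELECT $cols FROM `user1`
          WHERE `user` LIKE ? OR `name` LIKE ?
             OR `contact_numberH` LIKE ? OR `contact_numberM` LIKE ?"
    );
    $stmt->bind_param('ssss', $pattern, $pattern, $pattern, $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // needs mysqlnd
}

// Hypothetical helper: HTML-encode a column value before echoing it into the table.
function e($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// filter_input() returns null when the parameter is absent and false when it is
// not a scalar (e.g. valueToSearch[]=x), so only a real string reaches the query.
$term = filter_input(INPUT_GET, 'valueToSearch', FILTER_DEFAULT);
$db = new mysqli('localhost', 'root', '', 'fyp2'); // connection values from the question
$db->set_charset('utf8mb4');
$rows = searchMembers($db, is_string($term) ? $term : null);
?>
<table>
<?php foreach ($rows as $row): ?>
    <tr>
        <td><?= e($row['user']) ?></td>
        <td><?= e($row['name']) ?></td>
        <td><?= e($row['contact_numberH']) ?></td>
        <td><?= e($row['contact_numberM']) ?></td>
    </tr>
<?php endforeach; ?>
</table>
```

With the value bound as a parameter, quote characters in valueToSearch are compared as literal text by the LIKE clauses and cannot change the structure of the statement.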