obviously for this type of assignment he is not wanting to safeguard against sql injection...

Generally for the search queuries..you can use something like this (I'm not a php guy..so no guarantees on syntax)

$myval1 = $_POST['fname'];
$myval2 = $_POST['lname'];
$myval3 = $_POST['phoneNo'];
$myval4 = $_POST['email'];

$myWhereMaker = " where 1=1 ";
if ($myval1 != "")
$myWhereMaker = $myWhereMaker + " and fname like %"+$myval1+"%";
if ($myval2 != "")
$myWhereMaker = $myWhereMaker + " and lname like %"+$myval2+"%";
if ($myval3 != "")
$myWhereMaker = $myWhereMaker + " and phoneno like %"+$myval3+"%";
if ($myval4 != "")
$myWhereMaker = $myWhereMaker + " and email like %"+$myval4+"%";

$result = mysql_query("SELECT * FROM registree" + $myWhereMaker


Generally you don't pass user/pass in a querystring either ...instead use a submit form..the request should be the same regardless..and like he says..if you dont have a value when you check the request..then redirect the page back to the login..or error