  1. #1
    Get my greedy down dotJoon's Avatar
    Join Date
    Apr 2003
    Location
    daejeon, South Korea
    Posts
    2,209
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)

    $_POST['myVar'] in where clause

    Code:
    code
    $query="select id from myTable1 where title='$_POST
    ('$myVar')' " ;
    echo $query;
    
    
    result
    select id from myTable1 where title='Array('title1')'
    For putting a $_POST variable in the where clause, I don't know which is correct: the parentheses above or the brackets below?

    Code:
    code
    $query="select id from myTable1 where title='$_post['$myVar']' " ;
    echo $query;
    
    result
    Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING 
    or T_VARIABLE or T_NUM_STRING
    How can I make the result "select id from myTable1 where title='title1' "?

  2. #2
    Non-Member Kalon's Avatar
    Join Date
    Aug 2010
    Location
    At my computer
    Posts
    2,012
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    the square brackets are the correct ones.

    you also need to escape the single quotes as someone suggested to you in another thread earlier today or concatenate strings to build the final query (my preference)

    Code:
     
    $query="select id from myTable1 where title='".$_post['$myVar']."' " ;
    also '$myVar' would need to be the name of the html form element the data is coming from.

    are you sure you don't mean just 'myVar'?

  3. #3
    Get my greedy down dotJoon's Avatar
    Quote Originally Posted by Kalon View Post
    $query="select id from myTable1 where title='".$_post['$myVar']."' " ;
    I have the code above in DBaction3-3.php, it will be reached from http://dot.kr/x-test/todbAction3-3.php.
    The result of it is "select id from myTable1 where title='' " instead of "select id from myTable1 where title='title1' "?

  4. #4
    SitePoint Wizard cranial-bore's Avatar
    Join Date
    Jan 2002
    Location
    Australia
    Posts
    2,634
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Firstly, you don't seem to have any SQL Injection prevention. Using user-submitted values directly in your queries is a big problem.
    It should look something like this:
    PHP Code:
    // escape the submitted value before it goes inside the quoted SQL string
    $title = mysql_real_escape_string($_POST['myVar']);
    $query = "SELECT id FROM myTable1 WHERE title='$title' ";
    Which sort of solves your second problem because referring to $title inside a string is a lot simpler than referring to $_POST['title'];

    But, FYI if you ever do need to use an associative array value in a string you have these options:
    PHP Code:
    /* no single quotes required around 'name'
    because the string is wrapped in double quotes
    and the variable will be parsed */
    $myString = "Hello $_POST[name], how are you?";

    /* single quotes required when using curly
    brackets to isolate the variable */
    $myString = "Hello {$_POST['name']}, how are you?";

    /* concatenate */
    $myString = 'Hello ' . $_POST['name'] . ', how are you?';
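
Why the injection point raised in post #4 applies to the query this thread ends up with, as an added example that is not part of any post: it runs the concatenated query and a parameterized one against the same two-row table. PDO with an in-memory SQLite database, the function names and the sample submissions are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Uses an in-memory SQLite database
// through PDO (assumes the pdo_sqlite extension) so it runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE myTable1 (id INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO myTable1 (title) VALUES ('title1'), ('title2')");

// Concatenated form, as in the thread: the form value becomes part of the
// SQL text, so quotes inside the value change the statement itself.
function findIdsConcatenated(PDO $db, array $post): array
{
    $query = "select id from myTable1 where title='" . $post['myVar'] . "' ";
    return $db->query($query)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: the SQL text is fixed and the value is bound as a parameter,
// so it is only ever compared against the title column.
function findIdsPrepared(PDO $db, array $post): array
{
    $title = $post['myVar'] ?? '';   // key is the form field name, no "$"
    if (!is_string($title)) {        // a field sent as myVar[] arrives as an array
        return [];
    }
    $stmt = $db->prepare('SELECT id FROM myTable1 WHERE title = :title');
    $stmt->execute([':title' => $title]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample submissions standing in for $_POST.
$samples = [
    'expected value'   => ['myVar' => 'title1'],
    'value with quote' => ['myVar' => "x' OR '1'='1"],
];

foreach ($samples as $label => $post) {
    printf("%-17s concatenated=%s prepared=%s\n",
        $label,
        json_encode(findIdsConcatenated($db, $post)),
        json_encode(findIdsPrepared($db, $post)));
}
```

For the second submission the concatenated query matches every row in the table, while the prepared statement matches none because no title equals that literal string.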

  5. #5
    Non-Member Kalon's Avatar
    Quote Originally Posted by dotJoon View Post
    The result of it is "select id from myTable1 where title='' " instead of "select id from myTable1 where title='title1' "?
    that means either $_post['$myVar'] is not set or = an empty string.

    the next debugging step is to find where $_post['$myVar'] is actually assigned a value.

    what is $myVar and where is it created?

    is it the name of a html form element?

  6. #6
    Non-Member Kalon's Avatar
    hint: from your posted link code

    Code:
     
    <FORM ACTION="DBaction3-3.php" method="post">
    <input type="text" name="myVar" value="title1">
    <input type="submit">
    </form>

  7. #7
    Non-Member Kalon's Avatar
    Quote Originally Posted by cranial-bore View Post
    Firstly, you don't seem to have any SQL Injection prevention. Using user-submitted values directly in your queries is a big problem.
    Off Topic:


    you make a very valid point, but I get the impression the OP's situation is just a learning exercise and not a real life application.

    He probably needs to stick to the KISS principle atm until he can at least successfully pass form data to a script.


  8. #8
    Get my greedy down dotJoon's Avatar
    Quote Originally Posted by cranial-bore View Post
    Injection prevention.
    Thank you for making me consider that.
    I'll add the injection prevention after I can do selecting, updating, inserting, etc.

  9. #9
    Non-Member Kalon's Avatar
    another hint from earlier

    also '$myVar' would need to be the name of the html form element the data is coming from.

    are you sure you don't mean just 'myVar'?

  10. #10
    Get my greedy down dotJoon's Avatar
    Quote Originally Posted by Kalon View Post
    hint: from your posted link code

    Code:
     
    <FORM ACTION="DBaction3-3.php" method="post">
    <input type="text" name="myVar" value="title1">
    <input type="submit">
    </form>
    The link above " http://dot.kr/x-test/todbAction3-3.php " has the code below.

    Code:
    <!doctype html>
    <html> 
      <head>
        <meta charset="UTF-8">
        <title>dbAction3-3</title>
      </head>
    <body>
    <FORM ACTION="DBaction3-3.php" method="post">
    <input type="text" name="myVar" value="title1">
    <input type="submit">
    </form>
    </body>
    </html>
    The result says "select id from myTable1 where title='' " instead of "select id from myTable1 where title='title1' "

    I don't know what's wrong with it.


    Code:
    dbAction3-3
    
    <!doctype html>
    <html> 
      <head>
        <meta charset="UTF-8">
        <title>dbAction3-3</title>
      </head>
    
    <body>
    <?php
    $con = mysql_connect("localhost","*******","*******");
    if (!$con)
      {
      die('Could not connect: ' . mysql_error());
      }
    
    mysql_select_db("test", $con);
    mysql_query("SET NAMES utf8");
    $query="select id from myTable1 where title='".$_post['$myVar']."' " ;
    echo $query;
    
    mysql_close($con);
    ?>
    
    </body>
    </html>
    And I have myTable1 in "test" like the following.
    Code:
    data in myTable1
    (id) title
     1   title1
     2   title2

  11. #11
    Non-Member Kalon's Avatar
    I have virtually told you the answer to your problem with

    also '$myVar' would need to be the name of the html form element the data is coming from.

    are you sure you don't mean just 'myVar'?
    let me put it another way.

    1) look at the name of your textbox in your html form and the name of the key in $_post['$myVar']

    2) the name of the textbox and the name of the $_POST key must be the same

  12. #12
    SitePoint Wizard cranial-bore's Avatar
    dotJoon you don't need $_post['$myVar']
    $_POST should be capitalized and the array key is myVar NOT $myVar.
    The name of the form field is myVar, so that is the key it will have in $_POST.

    You can check the structure of your POST array by doing:
    PHP Code:
    var_dump($_POST); 

  13. #13
    Get my greedy down dotJoon's Avatar
    Quote Originally Posted by Kalon View Post
    1) look at the name of your textbox in your html form and the name of the key in $_post['$myVar']
    Code:
    <!doctype html>
    <html> 
      <head>
        <meta charset="UTF-8">
        <title>dbAction3-3</title>
      </head>
    <body>
    <FORM ACTION="DBaction3-3.php" method="post">
    <input type="text" name="myVar" value="title1">
    <input type="submit">
    </form>
    </body>
    </html>

  14. #14
    Non-Member Kalon's Avatar
    I have to go shortly, so I'll just give you the answer.

    Code:
     $query="select id from myTable1 where title='".$_POST['myVar']."' " ;

  15. #15
    Get my greedy down dotJoon's Avatar
    Quote Originally Posted by cranial-bore View Post
    $_POST should be capitalized and the array key is myVar NOT $myVar.
    I changed it like the following.
    You can reach the page below from http://dot.kr/x-test/toDBaction3-4.php .
    Code:
    <!doctype html>
    <html> 
      <head>
        <meta charset="UTF-8">
        <title>dbAction3-4</title>
      </head>
    <body>
    <?php
    $con = mysql_connect("localhost","*******","********");
    if (!$con)
      {
      die('Could not connect: ' . mysql_error());
      }
    mysql_select_db("test", $con);
    mysql_query("SET NAMES utf8");
    $query="select id from myTable1 where title='".$_POST['$myVar']."' " ;
    echo $query;
    mysql_close($con);
    ?>
    </body>
    </html>

  16. #16
    SitePoint Wizard cranial-bore's Avatar
    dotJoon you still have a dollar sign in front of $myVar near where you have highlighted POST in red. You even quoted my post where I said not to use $myVar
    Like Kalon and I said you need to remove that dollar sign. You're referring to an array key, not a variable.

  17. #17
    Get my greedy down dotJoon's Avatar
    Quote Originally Posted by Kalon View Post
    I have to go shortly
    See you later. have a good day/night.

  18. #18
    Get my greedy down dotJoon's Avatar
    Quote Originally Posted by cranial-bore View Post
    Like Kalon and I said you need to remove that dollar sign. You're referring to an array key, not a variable.
    I did it in http://dot.kr/x-test/todbAction3-5.php , I guess I got the result I want with your help.

  19. #19
    Non-Member Kalon's Avatar
    it doesn't matter if you use 'myVar' or '$myVar' as long as they are the same in both the textbox name and the $_POST key.

