Using select to display correct value in database but not working

I have a few forms on my page and everyone works fine appart from one, and there is no difference at all in them only where it is drawing the data from.
Each one of the forms is a different table, and drawing in the data so that the user can select a value to insert into the main table in the database.

Like I said all the others work fine, but the one below doesnt, it just will not display the correct value from the dropdown.

Here is the first part:

$gName="";

if(isset($_GET["ID"]))
{
	$iD=$_GET["ID"];
	$queryEdit="select * from Intranet where ID=$iD";
	//$rowsEdit = sqlsrv_query($conn, $queryEdit);
	$rowsEdit = sqlsrv_query($conn, $queryEdit) or die(sqlsrv_errors());
	//if(sqlsrv_has_rows($rowsEdit)){ echo 'rows fetched from DB';}
	while ($rows = sqlsrv_fetch_array($rowsEdit, SQLSRV_FETCH_ASSOC)) {

$gName=$rows["Group_Name"];
echo $gName;
}

All is fine with this, and when I echo out $gName the value on display is correct.

Then the next bit.

echo $gName;
<select name="groupName" size="1">
<option value="">Select Group Name</option>
<?
$queryGroup="select * from Groups";
$rowsEditF = sqlsrv_query($conn, $queryGroup);
while ($rowsF = sqlsrv_fetch_array($rowsEditF, SQLSRV_FETCH_ASSOC)) {
?>
<option <?php if($rowsF["Group_Names"] == $gName) echo "selected"; ?> value="<? echo $rowsF["Group_Names"] ?>"><? echo $rowsF["Group_Names"];?></option>
<? } ?>
</select>

Again I echo out $gName and all is fine, and also the drop down fills up with the correct vales from Group. BUT it will not ‘select’ the correct value to display when it should.

$gName is fine as shown by echoing it out, and Group_Names is fine to as shown by the fact that the drop down does contains the correct data from that table.
I have tried everything to resolve it, and i cant work it out, seeing that other drop down above and below this one work fine, and the only change I make in all of them is the variables when selecting * from Groups.

$gName=$rows["[COLOR="#FF0000"]Group_Name[/COLOR]"];
echo $gName;
}

<option <?php if($rowsF["[COLOR="#FF0000"]Group_Names[/COLOR]"] == $gName) echo "selected"; ?> value="<? echo $rowsF["[COLOR="#FF0000"]Group_Names[/COLOR]"] ?>"><? echo $rowsF["[COLOR="#FF0000"]Group_Names[/COLOR]"];?></option>
<? } ?>
</select>

sings
One of these things just doesnt belong here… one of these things just isnt the same… (really. normalize your names and you wont have 99% of issues with table linkages)

What is the type on Group_Name in your Intranet table? You sure it’s not a numerical association? (and if not, why not? waits for inevitable scolding from mysql boys about not creating an artificial key)

Hi StarLion,

Its drawing data from 2 different tables.

$gName=$rows[“Group_Name”];

Basically what is happening is that in the main area where all the contracts can be seen there a edit button next to each contract, when you click the edit button it takes you to the edit form where all the data from the contract you selct fills in the form for the user to see and change if needed.

$gName=$rows[“Group_Name”];

That is drawing the value from that contract and $gName is its value.

Then in the drop down in the form, its pulling its data from another table called Groups, and the field in use in this drop down is Group_Names.

So whats happening is that your matching the value from the contract with the values in the other table, and using select you get to see that value, but its not working.

(Bare with me through the Helpdesk “check the silly stuff first” questions)

when you view source on the page, there is no option with “selected”, correct? (Checking for browser compatability issue with “selected” sans-value)

Try adding an else to your if for debugging purposes.

That is terribly insecure code.

I could delete your entire database now that I know your code.

Look at this:

http://mywebsite.com/page.php?id=1;%20delete%20%20from%20intranet

This would translate to:

select * from Intranet where ID=1; delete from intranet

So I just deleted everything in your database table.

How do you know what the database name is and password?

I cant connect to the database without the connection on each page which is in a separate page

While correct, entirely unhelpful as to the poster’s problem.

multi: He doesnt need the database name or password. You create the query for him. It’s basic injection.

(hint: intval() your input)

Thanks, I now have that song stuck in my head

You are correct, multichild, you need to sanitize your $_GET[‘id’] before using it. For example, run it through $iD = intval($_GET[‘ID’]);

As for your select problem, can you give us the HTML output. The from the echo statement of $gName and the <select> field that is outputted so we can compare the values?

I think my answer was far more helpful than anyone elses.

The total lack of security is a BIGGER problem than the one he was asking about. He should solve that first, everywhere on his site, and come back to this other issue later.

He should be using either PDO or prepared statements for db access. This would solve his sql injection issues.

I’m worried now about that post about being able to access the database, how can you access it and delete without knowing the password ect.

this is the output:

<td bgcolor=“#888888”>
Teddy <select name=“groupName” size=“1”>
<option value=“”>Select Group Name</option>
<option value="House ">House </option>
<option value="Mother ">Mother </option>
<option value="Teddy ">Teddy </option>
</select>
</td>

Looking at it Im guessing its the spaces is it, but just checked the other drop downs and they are the same too and work fine

Yes, because making a broken site not-quite safe is entirely better than getting it working.

Right.

Please stop posting.

Oh god, im bloody worried now…

As you say this is the least of my worries, and need to look at it

Spaces will throw it off if $gName doesnt have a space as well, yes. The lack of a selected anywhere in that source indicates that to be the case.

More to the point, why is there a space?

I think $gName does have a space after it by the looks, and I’m not sure in honesty why a space is there. Will go check.

Actually, taking a site that is completely insecure and securing it before fixing any functional issues is just the right thing to do.

I’m sorry if I’ve offended your amateur sensibilities.

Security should come first. Use a bit of brain power, yeah?

Yes exactly. It’s good that you’re worried about it, but you can fix it.

The easiest way is to learn prepared statements and/or PDO database access.

Here’s a resource for prepared statements:

http://devzone.zend.com/239/ext-mysqli-part-i_overview-and-prepared-statements/
one more:
http://www.ultramegatech.com/2009/07/using-mysql-prepared-statements-in-php/

Pdo:

http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/

This should be your priority. Solve the functional issues after this. You won’t regret fixing these issues first.

Because when building a bridge what you should first do is build the guardrails, forget about the whole deck thing. Who needs that! It’ll be perfectly safe.

Oh right, but noone can actually cross the bridge.

Security doesnt have to come before the actual code. If you can do both at the same time, great. If you dont have a site because you’re spending all your time trying to secure the first three lines? Well, good luck to you on actually delivering anything.

Dropping straight to personal insults, obviously a true professional.

You don’t have a clue what you’re talking about.

He has an issue here that means that anybody anywhere could delete his entire database, just by adding a few statements to a publicly available url. It’s a fundamental error that makes his entire website extremely insecure.

An insecurity of this magnitude should be priority number 1. It DOES come above all else.

He should fix this problem first, then go back to his functional issues.

And I’m only ‘insulting’ you because you told me to “please stop posting”, when I was the only one giving the actual advice he requires.

I get irritated by people who think they’re experts, yet will completely look over such a huge flaw as this one because “that’s not the question being asked”.

To the original poster: seriously, make this a priority. Learn how to use prepared statements and convert all of your database queries to prepared statements (or PDO).

Then come back to this issue and solve it. That way, even if I know your code, I still won’t be able to delete your database like that.

-Thread moved to PM-