Insert html form value into mysql database

I want to insert the value of the selected "selection form" into my mysql database.

How can I get the correct value for this?

<form action='' method='post'>
 <select name="myselectbox">
  <option name="myoption1" value="myoption1">myoption1</option>
  <option name="myoption2" value="myoption2">myoption2</option>
  <option name="myoption3" value="myoption3">myoption3</option>
  <option name="myoption4" value="myoption4">myoption4</option>
 </select>
<input type='submit' value='submit'/>
</form>

Something like that? (This one didn't work explicitly ..)

$sql = "INSERT INTO Entries (myoption1) VALUES ('$_POST[myselectbox]')";
+3
5 answers

You need to put the select tag inside the form tag.

<form action='' method='post'>
<select name="myselectbox">
   <option name="myoption1" value="myoption1">myoption1</option>
   <option name="myoption2" value="myoption2">myoption2</option>
   <option name="myoption3" value="myoption3">myoption3</option>
   <option name="myoption4" value="myoption4">myoption4</option>
</select>
<input type='submit' value='submit'/>
</form>

After submitting the form, you will get the post variable as $_POST['myselectbox'], which can be added to the mysql query, as you already did. But for a better way, don't just add it as is; check that the form is submitted and the post variables are available before adding. E.g.:

if (!empty($_POST['myselectbox'])) {
    /* ... do your query section here ... */
}
+3

The value of the html form field is read from $_POST as $_POST['some_name']:

$sql = "INSERT INTO Entries (myoption1) VALUES ('$_POST[myselectbox]')"; /* ^^ missing quotes around the key here */

Corrected:

$sql = "INSERT INTO Entries (myoption1) VALUES ('" . $_POST['myselectbox'] . "')";
+1


See: http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php


// Connect to mysql
$mysqli = new mysqli('where your server is', 'my_user', 'my_password', 'world');

// Build the initial statement - easier to read as you don't have your string concatenation here
$stmt = $mysqli->prepare("INSERT INTO Entries (myoption1) VALUES (?)");

// Tell mysql that the '?' should be replaced with the value in your post array ("s" = string parameter)
$stmt->bind_param("s", $_POST['myselectbox']);

// Execute the statement
$stmt->execute();


SQL Injection


$sql = "INSERT INTO Entries (myoption1) VALUES ('" . $_POST['myselectbox'] . "')";

If the selected value is myoption1, the resulting SQL is:

INSERT INTO Entries (myoption1) VALUES ('myoption1');

If the submitted value is '='' OR '1'='1 instead, the resulting SQL is:

INSERT INTO Entries (myoption1) VALUES (''='' OR '1'='1');

And with the value '=')'; DROP TABLE Entries WHERE (''=' the resulting SQL is:

INSERT INTO Entries (myoption1) VALUES (''=''); DROP TABLE Entries WHERE (''='');

Simply put, by using prepared statements you tell mysql that what you are sending is a literal string that will be used as a parameter. It can never be seen as part of the statement itself, and therefore the foregoing is simply impossible.

Much safer.

I hope this becomes clearer. If you need more information, I suggest you study it yourself ...

+1
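As an added illustration of the point made above (not code from the original answers), the following runs the page's own concatenated query and its parameterised counterpart side by side. It assumes an in-memory SQLite table standing in for the MySQL `Entries` table, and adds the whitelist check a practitioner would apply to a fixed select box on top of parameterisation.

```python
import sqlite3

# The page's form only offers these four options, so anything else is not a legitimate submission.
ALLOWED_OPTIONS = frozenset({"myoption1", "myoption2", "myoption3", "myoption4"})


def new_db() -> sqlite3.Connection:
    # Constructed stand-in for the MySQL table used on the page (assumption: one TEXT column).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Entries (myoption1 TEXT)")
    return con


def insert_concatenated(con: sqlite3.Connection, value: str) -> None:
    # Mirrors $sql = "... VALUES ('" . $_POST['myselectbox'] . "')": the submitted text is
    # spliced into the statement, so quote characters in it change the SQL that runs.
    con.execute("INSERT INTO Entries (myoption1) VALUES ('" + value + "')")
    con.commit()


def insert_prepared(con: sqlite3.Connection, value: str) -> None:
    # Mirrors the mysqli prepare()/bind_param() version: '?' is a placeholder and the
    # driver passes the value as data, never as part of the statement text.
    con.execute("INSERT INTO Entries (myoption1) VALUES (?)", (value,))
    con.commit()


def stored_values(con: sqlite3.Connection) -> list:
    return [row[0] for row in con.execute("SELECT myoption1 FROM Entries")]


def is_allowed(value: str) -> bool:
    # Defence in depth: reject values the select box could never have produced.
    return value in ALLOWED_OPTIONS


def demo(value: str) -> tuple:
    """Return (what the concatenated query stored, what the prepared query stored)."""
    con_a, con_b = new_db(), new_db()
    insert_concatenated(con_a, value)
    insert_prepared(con_b, value)
    return stored_values(con_a), stored_values(con_b)


if __name__ == "__main__":
    for submitted in ("myoption1", "'='' OR '1'='1"):
        print(repr(submitted), "allowed:", is_allowed(submitted), "->", demo(submitted))
```

With the page's `'='' OR '1'='1` value the concatenated query stores the result of evaluating the expression (`'1'`) rather than the text, while the prepared query stores the submitted text unchanged; the whitelist rejects it before either query runs.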
// Note: the mysql_* extension was removed in PHP 7; the escaped value must also be quoted in the SQL for the escaping to have any effect.
$value = mysql_real_escape_string($_POST['myselectbox']);
$sql = "INSERT INTO Entries (myoption1) VALUES ('$value')";
0
if (isset($_POST['myselectbox'])) {
    // do something
}
0