Pass form element data to a variable in SQL query??

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Cep
Forum Newbie
Posts: 16
Joined: Fri Mar 04, 2005 4:45 am

Pass form element data to a variable in SQL query??

Post by Cep »

I need to know how to pull data from an HTML form element on an htm page into an SQL query on a php page. The form method is POST.

So far I have this as my SQL, but I keep getting parse errors when the form is submitted.

Code:

$sql = "INSERT INTO `table` ('name','address') VALUES ($_REQUEST['nameelement'], $_REQUEST['addressele'])";
What is wrong with the above line?
JayBird
Admin
Posts: 4524
Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK

Post by JayBird »

Code:

$sql = "INSERT INTO `table` ('name','address') VALUES (".$_REQUEST['nameelement'].", ".$_REQUEST['addressele'])."";
I hope you are aware of the security risk of using form values directly in a query!
Cep
Forum Newbie
Posts: 16
Joined: Fri Mar 04, 2005 4:45 am

Post by Cep »

Are you referring to SQL injection? Do you think I should create an array first?
JayBird
Admin
Posts: 4524
Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK

Post by JayBird »

Before using the form values, do some checking to see if the values are what you expect.
Cep
Forum Newbie
Posts: 16
Joined: Fri Mar 04, 2005 4:45 am

Post by Cep »

Ok :D

One other thing,

I notice that you close your statement like this,

Code:

, ".$_REQUEST['addressele'])."";
Is the bracket meant to be after the full stop and between the " marks?

Also, say I wanted to add additional default values like a timestamp.

Could I add them to the end of the statement like this?

Code:

, ".$_REQUEST['addressele'].","Now()","No")";
Or would that cause more problems?
JayBird
Admin
Posts: 4524
Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK

Post by JayBird »

Oooops, it should have been this

Code:

// Column names go in backticks; string values go in single quotes inside the SQL.
$sql = "INSERT INTO `table` (`name`, `address`) VALUES ('".$_REQUEST['nameelement']."', '".$_REQUEST['addressele']."')";

More fields would be like this

Code:

// NOW() is an SQL function and takes no quotes; the literal 'No' is a string and does.
$sql = "INSERT INTO `table` (`name`, `address`, `time`, `answer`) VALUES ('".$_REQUEST['nameelement']."', '".$_REQUEST['addressele']."', NOW(), 'No')";
Cep
Forum Newbie
Posts: 16
Joined: Fri Mar 04, 2005 4:45 am

Post by Cep »

Ah, so functions like Now() do not need quotes, and strings do. *scribbles down*

I guess then the only other thing is if I passed the form element value to a variable before it reaches the SQL.

Like

Code:

$var1 = ".$_REQUEST['nameelement']."
$var2 = ".$_REQUEST['addressele']."
Then the SQL could be:

Code:

$sql = "INSERT INTO `table` ('name','address') VALUES ("$var1", "$var2")";
JayBird
Admin
Posts: 4524
Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK

Post by JayBird »

This would be the way you did it. Use single quotes:

Code:

// PHP interpolates $var1 and $var2 inside the double-quoted string; the single quotes are the SQL string delimiters.
$sql = "INSERT INTO `table` (`name`, `address`) VALUES ('$var1', '$var2')";
Cep
Forum Newbie
Posts: 16
Joined: Fri Mar 04, 2005 4:45 am

Post by Cep »

I thought things were sorted out, but I keep getting a T_STRING parse error now on line 4.

I'll post the script up as it stands; even though it's not finished yet, the basics should still work regardless.

Code:

<?php
require "./database_conn.php";

$var1 = (".$_REQUEST['requested_by'].");  //LINE 4
$var2 = (".$_REQUEST['deadline'].");
$var3 = (".$_REQUEST['priority'].");
$var4 = (".$_REQUEST['department'].");
$var5 = (".$_REQUEST['request'].");
$var6 = (".$_REQUEST['nature'].");
$var7 = (".$_REQUEST['specs'].");

$sql = "INSERT INTO `ICT` ('request_by', 'deadline', 'priority', 'department', 'request_type', 'nature', 'specification', 'request_date', 'completed') VALUES ('$var1', '$var2', '$var3', '$var4', '$var5', '$var6', '$var7', NOW(), 'No')";

$insertsql = mysql_query($sql,db());

?>
JayBird
Admin
Posts: 4524
Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK

Post by JayBird »

Just make your lines like this:

Code:

$var1 = $_REQUEST['requested_by'];  //LINE 4
Cep
Forum Newbie
Posts: 16
Joined: Fri Mar 04, 2005 4:45 am

Post by Cep »

Well, at least that has stopped the parse errors, but the script doesn't actually appear to do anything. I just get a white screen in my browser and nothing gets written to the database. I know the connection settings are correct because I can use another script I wrote to view them perfectly fine.

Can't understand it. :(
phpScott
DevNet Resident
Posts: 1206
Joined: Wed Oct 09, 2002 6:51 pm
Location: Keele, U.K.

Post by phpScott »

Check to make sure your query is correct. Try:

Code:

$result = mysql_query($sql) or die('Query failed: ' . mysql_error(). ' using<br />'.$sql);
JayBird
Admin
Posts: 4524
Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK

Post by JayBird »

You should always put some kind of debugging into your queries.

Change this line

Code:

$insertsql = mysql_query($sql,db());
to

Code:

$insertsql = mysql_query($sql,db()) or die(mysql_error());
This will display errors in your query.
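Taken together, JayBird's warning about putting form values directly into the query, the advice to check the values first, and the advice in this post to make a failing query report its error come down to a few lines of code. The following is an added example, not code posted in this thread: it uses the table and column names from the discussion, the mysqli extension rather than the mysql_* functions used above (those were removed from PHP 7), and placeholder values for the database host, user, password and name. The function names validateSubmission, unsafeInsertSql and insertRequest and the sample submission are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Host, user, password and database
// name are placeholders; table and column names follow the discussion above.

// Read the form from $_POST only (the form method is POST). $_REQUEST would also
// accept the same field names from the query string or from cookies.
// Constructed sample submission, used here in place of a real $_POST:
$submitted = ['nameelement' => "O'Brien", 'addressele' => '12 High Street, York'];

// 1. Check the values are what we expect before they go anywhere near SQL.
function validateSubmission(array $post): array
{
    $name    = trim((string) ($post['nameelement'] ?? ''));
    $address = trim((string) ($post['addressele'] ?? ''));
    $errors  = [];
    if ($name === '' || mb_strlen($name) > 100) {
        $errors[] = 'name must be 1 to 100 characters';
    }
    if ($address === '' || mb_strlen($address) > 255) {
        $errors[] = 'address must be 1 to 255 characters';
    }
    return [$errors, ['name' => $name, 'address' => $address]];
}

// 2. The thread's string-built statement, kept only to show the problem:
//    the value becomes part of the SQL text, so a legitimate apostrophe
//    ("O'Brien") already causes a syntax error, and anything else a user
//    types is parsed as SQL as well. This function is never executed here.
function unsafeInsertSql(string $name, string $address): string
{
    return "INSERT INTO `table` (`name`, `address`) VALUES ('$name', '$address')";
}

// 3. Parameterised INSERT: the SQL text is fixed and the values travel
//    separately, so quoting is never the application's job. NOW() and the
//    constant 'No' correspond to the extra columns JayBird added.
function insertRequest(mysqli $db, string $name, string $address): int
{
    $stmt = $db->prepare(
        'INSERT INTO `table` (`name`, `address`, `time`, `answer`) VALUES (?, ?, NOW(), ?)'
    );
    $answer = 'No';
    $stmt->bind_param('sss', $name, $address, $answer);
    $stmt->execute();
    return (int) $stmt->insert_id;
}

// 4. Make failures visible, but to the right audience. With exception
//    reporting on, a bad query throws instead of silently returning false
//    (the "white screen" described above). Full detail goes to the server
//    log; the browser gets a generic message rather than the database's own
//    error text, which describes table and column names.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

[$errors, $clean] = validateSubmission($submitted);
if ($errors !== []) {
    http_response_code(400);
    exit('Invalid input: ' . htmlspecialchars(implode('; ', $errors), ENT_QUOTES, 'UTF-8'));
}

try {
    $db = new mysqli('db-host-placeholder', 'user-placeholder', 'password-placeholder', 'database-placeholder');
    $db->set_charset('utf8mb4');
    $id = insertRequest($db, $clean['name'], $clean['address']);
    echo 'Saved as record ' . $id;
} catch (mysqli_sql_exception $e) {
    error_log(sprintf('INSERT into `table` failed: [%s] %s', $e->getSqlState(), $e->getMessage()));
    http_response_code(500);
    echo 'Sorry, your request could not be saved.';
}
```

During development the log line can be echoed as well, which gives the same visibility as `or die(mysql_error())`; the point of the split is that the detailed message is never the thing a visitor sees once the script is live.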
Cep
Forum Newbie
Posts: 16
Joined: Fri Mar 04, 2005 4:45 am

Post by Cep »

Oh wow great stuff :)

Got rid of a couple of syntax errors and now it's all up and running!

Many thanks for all your help! :D