Pass form element data to a variable in SQL query??

Posted: Mon May 16, 2005 8:16 am
by Cep
I need to know how to pull data from an HTML form element on an htm page into an SQL query on a php page. The form method is POST.

So far I have this as my SQL, but I keep getting parse errors when the form is submitted.

Code:

$sql = "INSERT INTO `table` ('name','address') VALUES ($_REQUEST['nameelement'], $_REQUEST['addressele'])";

What is wrong with the above line?

Posted: Mon May 16, 2005 8:17 am
by JayBird

Code:

$sql = "INSERT INTO `table` ('name','address') VALUES (".$_REQUEST['nameelement'].", ".$_REQUEST['addressele'])."";

I hope you are aware of the security risk of using form values directly in a query!

Posted: Mon May 16, 2005 8:48 am
by Cep
Are you referring to SQL injection? Do you think I should create an array first?

Posted: Mon May 16, 2005 9:04 am
by JayBird
Before using the form values, do some checking to see if the values are what you expect.
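As an added illustration (not code from the thread), here is what JayBird's advice can look like in practice: first the query the thread builds, fed a perfectly legitimate name containing an apostrophe, to show how an unchecked value changes the SQL itself; then a validation function for the two form fields. The field names come from the thread; the length limits and character patterns are assumptions chosen for the example.

```php
<?php
// Added example, not from the thread. Field names follow the thread;
// the validation rules (max lengths, allowed characters) are assumptions.

// 1. The query the thread builds, given a legitimate but awkward value.
//    The apostrophe in the name ends the string literal early, so the
//    resulting SQL is malformed. Any input that can alter the structure
//    of the query this way is an injection risk, not just a typo problem.
$name    = "O'Brien";
$address = "1 Main St";
$sql = "INSERT INTO `table` (`name`, `address`) VALUES ('$name', '$address')";
echo $sql, "\n";
// INSERT INTO `table` (`name`, `address`) VALUES ('O'Brien', '1 Main St')

// 2. Check the values before they go anywhere near SQL. Only $_POST is
//    read because the form method is POST; $_REQUEST would also accept
//    values arriving in the query string or in cookies.
function validate_form(array $post): array
{
    $rules = [
        'nameelement' => ['max' => 100, 'pattern' => "#^[\\p{L} .'-]+$#u"],
        'addressele'  => ['max' => 255, 'pattern' => "#^[\\p{L}\\p{N} ,.'/-]+$#u"],
    ];
    $values = [];
    $errors = [];
    foreach ($rules as $field => $rule) {
        // Field absent, or an array smuggled in with name[]= syntax
        if (!isset($post[$field]) || !is_string($post[$field])) {
            $errors[$field] = 'missing';
            continue;
        }
        $value = trim($post[$field]);
        if ($value === '' || mb_strlen($value) > $rule['max']) {
            $errors[$field] = 'length';
        } elseif (!preg_match($rule['pattern'], $value)) {
            $errors[$field] = 'characters';
        } else {
            $values[$field] = $value;
        }
    }
    // Fields not listed in $rules are ignored rather than passed through
    return ['values' => $values, 'errors' => $errors];
}

// Constructed sample input standing in for $_POST
$sample = ['nameelement' => "O'Brien", 'addressele' => '1 Main St', 'extra' => 'ignored'];
$result = validate_form($sample);
var_dump($result['errors']); // array(0) {} : both values are acceptable
```

Validation narrows what reaches the database, but it does not make string concatenation safe: O'Brien passes the name check and still breaks the query shown at the top. The query itself needs parameter binding (mysqli or PDO prepared statements) so that a value is never interpreted as part of the SQL.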

Posted: Mon May 16, 2005 9:16 am
by Cep
Ok :D

One other thing,

I notice that you close your statement like this,

Code:

, ".$_REQUEST['addressele'])."";

Is the bracket meant to be after the full stop and between the " marks?

Also, say I wanted to add additional default values like a timestamp.

Could I add them to the end of the statement like this:

Code:

, ".$_REQUEST['addressele'].","Now()","No")";

Or would that cause more problems?

Posted: Mon May 16, 2005 9:20 am
by JayBird
Oooops, it should have been this

Code:

// Column names go in backticks (single quotes would make them string literals);
// string values go in single quotes
$sql = "INSERT INTO `table` (`name`,`address`) VALUES ('".$_REQUEST['nameelement']."', '".$_REQUEST['addressele']."')";

More fields would be like this

Code:

// NOW() is a function call, so it is not quoted; 'No' is a string, so it is
$sql = "INSERT INTO `table` (`name`,`address`, `time`, `answer`) VALUES ('".$_REQUEST['nameelement']."', '".$_REQUEST['addressele']."', NOW(), 'No')";

Posted: Mon May 16, 2005 9:25 am
by Cep
Ah so functions like Now() do not need quotes and strings do. *scribbles down*

I guess then the only other thing is if I passed the form element value to a variable before it reaches the SQL.

Like

Code:

$var1 = ".$_REQUEST['nameelement']."
$var2 = ".$_REQUEST['addressele']."

Then the SQL could be:

Code:

$sql = "INSERT INTO `table` ('name','address') VALUES ("$var1", "$var2")";

Posted: Mon May 16, 2005 9:27 am
by JayBird
This would be the way you did it. Use single quotes.

Code:

// Backticks around column names, single quotes around the string values
$sql = "INSERT INTO `table` (`name`,`address`) VALUES ('$var1', '$var2')";

Posted: Mon May 16, 2005 9:43 am
by Cep
I thought things were sorted out but I keep getting a T_string parse error now on line 4.

I'll post the script up as it stands; even though it's not finished yet, the basics should still work regardless.

Code:

<?php
require "./database_conn.php";

$var1 = (".$_REQUEST['requested_by'].");  //LINE 4
$var2 = (".$_REQUEST['deadline'].");
$var3 = (".$_REQUEST['priority'].");
$var4 = (".$_REQUEST['department'].");
$var5 = (".$_REQUEST['request'].");
$var6 = (".$_REQUEST['nature'].");
$var7 = (".$_REQUEST['specs'].");

$sql = "INSERT INTO `ICT` ('request_by', 'deadline', 'priority', 'department', 'request_type', 'nature', 'specification', 'request_date', 'completed') VALUES ('$var1', '$var2', '$var3', '$var4', '$var5', '$var6', '$var7', NOW(), 'No')";

$insertsql = mysql_query($sql,db());

?>

Posted: Mon May 16, 2005 9:45 am
by JayBird
Just make your lines like this:

Code:

$var1 = $_REQUEST['requested_by'];  //LINE 4

Posted: Mon May 16, 2005 9:53 am
by Cep
Well, at least that has stopped the parse errors, but the script doesn't actually appear to do anything. I just get a white screen in my browser and nothing gets written to the database. I know the connection settings are correct because I can use another script I wrote to view them perfectly fine.

Can't understand it. :(

Posted: Mon May 16, 2005 10:01 am
by phpScott
Check to make sure your query is correct. Try:

Code:

$result = mysql_query($sql) or die('Query failed: ' . mysql_error(). ' using<br />'.$sql);

Posted: Mon May 16, 2005 10:02 am
by JayBird
You should always put some kind of debugging into your queries.

Change this line

Code:

$insertsql = mysql_query($sql,db());

to

Code:

$insertsql = mysql_query($sql,db()) or die(mysql_error());

This will display errors in your query.
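Putting Cep's script, JayBird's correction and the debugging advice together, here is an added example (not the thread's own script) of the same INSERT into `ICT` done with a mysqli prepared statement, so the form values travel as parameters and are never spliced into the SQL text, and with error reporting that logs the detail server-side instead of echoing it to the browser. The column names and form field names follow Cep's script; the hostname, credentials and database name are placeholders, and the thread's database_conn.php / db() helper is not used.

```php
<?php
// Added example, not the thread's script. Connection details are
// placeholders. Needs PHP 7+ with the mysqli extension; the mysql_*
// functions used in the thread were removed in PHP 7.
declare(strict_types=1);

// Make mysqli throw on errors instead of returning false silently,
// which is what produced the blank page in the thread.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Form fields, in the order of the table columns they feed
const FORM_FIELDS = ['requested_by', 'deadline', 'priority', 'department', 'request', 'nature', 'specs'];

// Read the expected fields from $_POST (the form method is POST) and
// refuse the submission if any is missing, non-scalar or blank.
function read_form(array $post): array
{
    $values = [];
    foreach (FORM_FIELDS as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            throw new InvalidArgumentException("Missing form field: $field");
        }
        $values[] = trim($post[$field]);
    }
    return $values;
}

// Insert one request and return its auto-increment id.
function insert_request(mysqli $db, array $values): int
{
    // Identifiers in backticks (single quotes would turn them into string
    // literals); user-supplied values as ? placeholders; NOW() and the
    // 'No' default stay in the SQL because they are not user input.
    $sql = 'INSERT INTO `ICT` (`request_by`, `deadline`, `priority`, `department`, '
         . '`request_type`, `nature`, `specification`, `request_date`, `completed`) '
         . 'VALUES (?, ?, ?, ?, ?, ?, ?, NOW(), \'No\')';
    $stmt = $db->prepare($sql);
    $stmt->bind_param('sssssss', ...$values); // seven string parameters
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

try {
    $db = new mysqli('db.example.invalid', 'app_user', 'placeholder-password', 'ict');
    $db->set_charset('utf8mb4');
    $id = insert_request($db, read_form($_POST));
    echo 'Request recorded as #', $id;
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Please fill in every field.';
} catch (mysqli_sql_exception $e) {
    // Keep the SQL error (table and column names, the failing query) in
    // the server log; the user only gets a generic message. Printing
    // mysql_error() and $sql to the page is fine while developing but
    // hands a visitor the schema once the form is live.
    error_log('ICT insert failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Sorry, the request could not be saved.';
}
```

With MYSQLI_REPORT_STRICT on, a wrong column name or a type mismatch surfaces as an exception with the server's message, so the "white screen and nothing in the table" situation from earlier in the thread cannot happen silently; the catch block decides what the browser sees.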

Posted: Mon May 16, 2005 10:16 am
by Cep
Oh wow great stuff :)

Got rid of a couple of syntax errors and now it's all up and running!

Many thanks for all your help! :D