insert into dont get id variable!
Posted: Wed Feb 18, 2009 5:17 am
by rwahdan
Dear All,
I am new to PHP and need help! I made a form to collect data and then pass it to a PHP page. The line in bold is not returning anything and I don't know why! I am trying to get the id corresponding to the category that was selected on the form, but I get nothing and don't have errors!
<?
$host="xxx";
$db_name="yyy";
$username="yyy";
$password="xyz";
$tbl_name2="test_table";
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
$thecategory=$_POST['thecategory'];
$inventoryname=$_POST['inventoryname'];
$thepicture=$_POST['thepicture'];
$results= mysql_query("SELECT inventorytypeid from inventorytypes where thecategory=$thecategory");
echo $results[inventorytypeid];
$sql2="INSERT INTO $tbl_name2 (inventoryname,inventorytypeid,thepicture)
VALUES('$inventoryname',,'$thepicture')";
$result=mysql_query($sql2);
mysql_close();
?>
Re: insert into dont get id variable!
Posted: Wed Feb 18, 2009 5:26 am
by mattpointblank
That's because $results isn't assigned to anything usable yet. Do something like:
$results= mysql_query("SELECT inventorytypeid from inventorytypes where thecategory=$thecategory");
$row = mysql_fetch_array($result);
echo $row['inventorytypeid'];
Re: insert into dont get id variable!
Posted: Wed Feb 18, 2009 5:34 am
by rwahdan
mattpointblank wrote: That's because $results isn't assigned to anything usable yet. Do something like:
$results= mysql_query("SELECT inventorytypeid from inventorytypes where thecategory=$thecategory");
$row = mysql_fetch_array($result);
echo $row['inventorytypeid'];
Thanks for the quick answer. I tried your suggestion but I get this error now:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/www/islam4everyone1429.net/thetest2.php on line 17
line 17:
$row = mysql_fetch_array($results);
Re: insert into dont get id variable!
Posted: Wed Feb 18, 2009 5:45 am
by nmreddy
$results= mysql_query("SELECT inventorytypeid from inventorytypes where thecategory=$thecategory");
$row = mysql_fetch_array($result);
echo $row['inventorytypeid'];
I think you missed the 's' in result for $row:
$row = mysql_fetch_array($results);
Try the above.
If your query gives more than a single row, then you have to use a for loop.
Re: insert into dont get id variable!
Posted: Wed Feb 18, 2009 5:48 am
by mattpointblank
Oops, yeah, missed the s. I normally call it $result, force of habit.
Re: insert into dont get id variable!
Posted: Wed Feb 18, 2009 5:52 am
by rwahdan
nmreddy wrote:
$results= mysql_query("SELECT inventorytypeid from inventorytypes where thecategory=$thecategory");
$row = mysql_fetch_array($result);
echo $row['inventorytypeid'];
I think you missed the 's' in result for $row:
$row = mysql_fetch_array($results);
Try the above.
If your query gives more than a single row, then you have to use a for loop.
Actually I saw that, so it's not the problem. Also, for the id, there is only one id for each category!
I will post the whole thing here: see attachment.
Re: insert into dont get id variable!
Posted: Wed Feb 18, 2009 5:56 am
by mattpointblank
Maybe your query has an error, try:
$results= mysql_query("SELECT inventorytypeid from inventorytypes where thecategory=$thecategory") or die(mysql_error());
Re: insert into dont get id variable!
Posted: Wed Feb 18, 2009 6:05 am
by nmreddy
Use the below:
$query = "SELECT inventorytypeid from inventorytypes where thecategory = " .$thecategory;
$results= mysql_query($query);
Try the above.
If the type of the column thecategory in the table is defined as varchar, then you have to use { ' } for $thecategory.
Re: insert into dont get id variable!
Posted: Wed Feb 18, 2009 6:08 am
by rwahdan
mattpointblank wrote: Maybe your query has an error, try:
$results= mysql_query("SELECT inventorytypeid from inventorytypes where thecategory=$thecategory") or die(mysql_error());
OK, I found where the error was! We have to add '' to the select statement:
where thecategory='$thecategory'")
Now: how do I add the variable to the insert into?
$sql2="INSERT INTO $tbl_name2 (inventoryname,
inventorytypeid,thepicture) VALUES ('$inventoryname',
????,'$thepicture')";
$result=mysql_query($sql2);
mysql_close();
?>
Re: insert into dont get id variable!
Posted: Wed Feb 18, 2009 6:14 am
by nmreddy
$newid = $row['inventorytypeid'];
$sql2="INSERT INTO $tbl_name2 (inventoryname,inventorytypeid,thepicture) VALUES ('$inventoryname',????,'$thepicture')";
$result=mysql_query($sql2);
It is based on the data type of the columns:
use {'} for the varchar data type,
do not use {'} for the int data type.
$sql2="INSERT INTO $tbl_name2 (inventoryname,inventorytypeid,thepicture) VALUES ('$inventoryname',$newid ,'$thepicture')";
$result=mysql_query($sql2);
Re: insert into dont get id variable!
Posted: Wed Feb 18, 2009 6:15 am
by susrisha
$inventorytypeid = $row['inventorytypeid'];
$sql2="INSERT INTO $tbl_name2 (inventoryname,inventorytypeid,thepicture) VALUES ('$inventoryname','$inventorytypeid','$thepicture')";
But trust me, I am sure this won't work because you didn't give the SQL connection handler in the mysql_query.
Re: insert into dont get id variable!
Posted: Wed Feb 18, 2009 6:17 am
by rwahdan
susrisha wrote:
$inventorytypeid = $row['inventorytypeid'];
$sql2="INSERT INTO $tbl_name2 (inventoryname,inventorytypeid,thepicture) VALUES ('$inventoryname','$inventorytypeid','$thepicture')";
But trust me, I am sure this won't work because you didn't give the SQL connection handler in the mysql_query.
Thank you all, it's all working now. All that was left was to assign a variable to the row and then call it:
$results= mysql_query("SELECT inventorytypeid from inventorytypes where thecategory='$thecategory'") or die(mysql_error());
$row = mysql_fetch_array($results);
echo $row['inventorytypeid'];
$thenum = $row['inventorytypeid'];
$sql2="INSERT INTO $tbl_name2 (inventoryname,inventorytypeid,thepicture) VALUES ('$inventoryname',$thenum,'$thepicture')";
$result=mysql_query($sql2);
mysql_close();
Re: insert into dont get id variable!
Posted: Wed Feb 18, 2009 6:23 am
by NOmeR1
You have a very bad vulnerability in your code: SQL injection.
What type is "thecategory" in your SQL?
If it is an integer, I advise you to set the type of $thecategory to integer:
$thecategory = (int) $_POST['thecategory'];
If it is a string, then use some function to shield it (mysql_real_escape_string, addslashes...):
$thecategory = mysql_real_escape_string($_POST['thecategory']);
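
The lookup and insert from this thread rewritten with bound parameters rather than casting or escaping, as an added example that is not code from any poster here. It assumes PDO with an in-memory SQLite database standing in for the thread's MySQL server, and the categories, rows and the addInventory() helper are constructed for illustration.

```php
<?php
// Added example: SQLite in memory stands in for the thread's MySQL database
// so the script runs offline; with MySQL only the PDO DSN and credentials change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failed queries throw instead of failing silently

// Constructed schema and rows using the thread's table and column names.
$pdo->exec('CREATE TABLE inventorytypes (inventorytypeid INTEGER PRIMARY KEY, thecategory TEXT UNIQUE)');
$pdo->exec('CREATE TABLE test_table (inventoryname TEXT, inventorytypeid INTEGER, thepicture TEXT)');
$pdo->exec("INSERT INTO inventorytypes (thecategory) VALUES ('tools'), ('children''s books')");

/**
 * Hypothetical helper: look up the category id, then insert the inventory row.
 * Returns the id used, or null when the category does not exist.
 */
function addInventory(PDO $pdo, string $category, string $name, string $picture): ?int
{
    // Placeholders keep the submitted values out of the SQL text entirely,
    // so quoting and column types no longer depend on what the user typed.
    $lookup = $pdo->prepare('SELECT inventorytypeid FROM inventorytypes WHERE thecategory = ?');
    $lookup->execute([$category]);
    $id = $lookup->fetchColumn();
    if ($id === false) {
        return null; // unknown category: nothing is inserted
    }

    // Table and column names cannot be bound, so they are fixed in the SQL text.
    $insert = $pdo->prepare(
        'INSERT INTO test_table (inventoryname, inventorytypeid, thepicture) VALUES (?, ?, ?)'
    );
    $insert->execute([$name, (int) $id, $picture]);
    return (int) $id;
}

// Constructed form input; a real page would read these values from $_POST.
$samples = [
    ['tools', 'hammer', 'hammer.jpg'],
    ["children's books", "reader's atlas", 'atlas.jpg'], // apostrophes would break the quoted-string queries above
    ['no such category', 'widget', 'widget.jpg'],
];
foreach ($samples as [$category, $name, $picture]) {
    $id = addInventory($pdo, $category, $name, $picture);
    echo $category, ' => ', $id === null ? 'not found, nothing inserted' : "inserted with id $id", "\n";
}
echo 'rows stored: ', $pdo->query('SELECT COUNT(*) FROM test_table')->fetchColumn(), "\n";
```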