6

I want to insert the value of a selected 'select form' into my mysql database.

How can i get the right value of this?

<form action='' method='post'>
 <select name="myselectbox">
  <option name="myoption1" value="myoption1">myoption1</option>
  <option name="myoption2" value="myoption2">myoption2</option>
  <option name="myoption3" value="myoption3">myoption3</option>
  <option name="myoption4" value="myoption4">myoption4</option>
 </select>
<input type='submit' value='submit'/>
</form>

something like that? (this one didn't work obviously..)

$sql = "INSERT INTO Entries (myoption1) VALUES ('$_POST[myselectbox]')";
Marc Ster
  • 2,276
  • 6
  • 33
  • 63
  • 2
    You have to wrap your ` – moonwave99 Feb 25 '14 at 10:44
  • i am a beginner.. can you give me some keywords for what i have to search to get 'a wieder picture' thanks – Marc Ster Feb 25 '14 at 10:46
  • One of my fav readings is still the [symfony HTTP fundamentals](http://symfony.com/doc/current/book/http_fundamentals.html); look for HTTP protocol, separation of concerns, and routing. – moonwave99 Feb 25 '14 at 10:49
  • Also, looks up "SQL Injection" and "Prepared statements". Building INSERT (or any other SQL) statements up in this way is a bad idea, and you should learn to avoid it right from the start. – Rob Baillie Feb 25 '14 at 10:54
  • ok thank you. i guess my prof is one of the old fashioned lol – Marc Ster Feb 25 '14 at 10:56

4 Answers4

6

you have to wrap your select tag into a form tag .

<form action='' method='post'>
<select name="myselectbox">
   <option name="myoption1" value="myoption1">myoption1</option>
   <option name="myoption2" value="myoption2">myoption2</option>
   <option name="myoption3" value="myoption3">myoption3</option>
   <option name="myoption4" value="myoption4">myoption4</option>
</select>
<input type='submit' value='submit'/>
</form>

once you submit the form, you will get the post variable as $_POST['myselectbox'] that could be appended into a mysql query as you have already did. but for a better way dont just append it like that but check the form is submitted and post variables are available or not before appending. eg: 

if(!empty($_POST['myselectbox'])){
    /*.. do your query section... */
}
NoobEditor
  • 15,563
  • 19
  • 81
  • 112
Joe
  • 618
  • 1
  • 9
  • 18
  • whoops. i forgot to add the form code in my post.. of course my code is wrapped in a form like you posted it above. but i still can't get the value into my mysql database :/ – Marc Ster Feb 25 '14 at 10:59
  • if you have defined the method attribute and action as i have suggested then it should be working. and one more thing , try to append the $sql = "INSERT INTO Entries (myoption1) VALUES ('$_POST[myselectbox]')"; properly. because the single quote before the post variable will make issue with the string key of 'post' array :) . can u post complete code here ? – Joe Feb 25 '14 at 11:06
1

you have error in your SQL command, $_POST needs html names to be wrapped in quotes like => $_POST['some_name'] :

$sql = "INSERT INTO Entries (myoption1) VALUES ('$_POST[myselectbox]')"; /* ^^ missing quotes here*/

try it this way :

$sql = "INSERT INTO Entries (myoption1) VALUES (".$_POST['myselectbox'].")";
NoobEditor
  • 15,563
  • 19
  • 81
  • 112
  • Teaching a newbie to concatenate strings together to build a SQL statement is not a great idea. Please consider changing the example to use prepared statements. – Rob Baillie Feb 25 '14 at 10:55
  • if new user fails to understand the concatenation concept, you think, he/she will grasp the idea of `prepared statements`....??? Also, one should understand the vulnerabilities first, before learning `how-to-prevent-it`... :) – NoobEditor Feb 25 '14 at 10:59
  • Yes I do think they'll grasp it. Explain what's wrong with the specific issue and then educate as to why the approach is flawed. I think we're in agreement - I just have higher hopes! – Rob Baillie Feb 25 '14 at 11:01
  • i'll leave it on OP to decide what is preffered... :) – NoobEditor Feb 25 '14 at 11:03
1

Assuming that your form is correct and it is posting the values that you want to your script.

(You have sprinkled your code with echo to ensure this is the case?)

The simplest reliable way of sending the data into a SQL statement and therefore into mysql is to use prepared statements.

Take a look here: http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php

Basically you write the SQL statement without your variables in it (replaced with ?) and then tell mysql to execute the statements with your variables later. It avoids the need to escape strings and worry about how to build things up.

As an example, you might have:

// Connect to mysql

$mysqli = new mysqli('where your server is', 'my_user', 'my_password', 'world');

// Build the initial statement - easier to read as you don't have your string concatenation here

$stmt = $mysqli->prepare( "INSERT INTO Entries (myoption1) VALUES (?)" );

// Tell mysql that the '?' should be replaced with the value in your post array

$stmt->bind_param( "s", $POST['myselectbox'] );

// Execute the statement

$stmt->execute()

Obviously you should add error handling too, but the documentation covers the basics of this.

SQL Injection

The main reason why the use of prepared statements is a good idea is that it avoids SQL injection attacks.

There are other ways round, but in my mind this is the simplest solution.

SQL Injection attacks are situations where someone attempts to change the SQL statement that is being run by "injecting" other SQL into your statement.

Using your code as an example, you may execute this statement:

$sql = "INSERT INTO Entries (myoption1) VALUES ('". $_POST['myselectbox'] ."')";

Which would normally receive (let's suggest) something like myoption1.

This would result in the SQL being:

INSERT INTO Entries (myoption1) VALUES ('myoption1');

If someone decided to, they could send '='' OR '1'='1

This would result in the SQL being:

INSERT INTO Entries (myoption1) VALUES (''='' OR '1'='1');

Which is (obviously) very different.

Or, even worse send '=')'; DROP TABLE Entries WHERE (''='

This would result in the SQL being:

INSERT INTO Entries (myoption1) VALUES (''=''); DROP TABLE Entries WHERE (''='');

Use Prepared Statements

Simply put, but using prepared statements, you are telling mysql that what you are sending is a literal string to be used as a parameter. It can never be regarded as part of the statement itself and therefore the above is simply not possible.

Much much safer.

I hope that makes it clearer. If you want more info I suggest you research it independently...

Rob Baillie
  • 3,436
  • 2
  • 20
  • 34
  • Thank you for explaining this principle to me. So this could would be safer than the standard mysql/php stuff? But i still don't get the trick why it is safer if i execute the variables statements later. I mean it is still the same value which comes from the form or not? – Marc Ster Feb 25 '14 at 11:21
  • This isn't safer than the standard mysql/php - this IS the standard, which is why I get annoyed when others teach concatenation. I'll add a brief explanation in my answer... – Rob Baillie Feb 25 '14 at 11:25
-1
$value = mysql_real_escape_string($_POST['myselectbox']);    
$sql = "INSERT INTO Entries (myoption1) VALUES ($value)";
Moeed Farooqui
  • 3,604
  • 1
  • 18
  • 23
  • now i am getting this error: Warning: mysql_real_escape_string(): Access denied for user 'www-data'@'localhost' (using password: NO) in "mypath" on line 10 Warning: mysql_real_escape_string(): A link to the server could not be established in "mypath" on line 10 – Marc Ster Feb 25 '14 at 10:52
  • @Moeed : why is `mysql_real_escape_string` needed here....doesnt look like user given input to be esacped??? – NoobEditor Feb 25 '14 at 10:54
  • 1
    you don have to add a mysql_real_escape_string as i suppose because mysql is already deprecated, and the post data of 'myselectbox' value is predefined in the select box. so that we dont need to worry much on what data it will be bringing in. if required use mysqli_real_escape_string – Joe Feb 25 '14 at 10:55
  • i didn't use the real escape now.. but it is still not getting the value out of my form – Marc Ster Feb 25 '14 at 10:58
  • Check the type of button either it is `button` or `submit` – Moeed Farooqui Feb 25 '14 at 11:00
  • You need to either escape the string or user prepared statements whenever you take user input and put them into SQL. Regardless of what your HTML says is being input, anything can be sent to any form - and very easily. It's worth learning how to protect your SQL from injection right from day one. – Rob Baillie Feb 25 '14 at 11:04