
This is code for collecting data from an SQL table, echoing it, and sending one of the values as form data to another page for further processing.

if (isset($price_data)) {
    // $price_data is interpolated straight into the SQL string; this is what
    // the SQL injection comments below refer to.
    $price_query  = "SELECT * FROM titem WHERE comment = '$price_data'";
    $price_result = mysql_query($price_query, $connection);
    if (!$price_result) {
        echo 'no' . mysql_error();
    }
    while ($price_row = mysql_fetch_array($price_result)) {
        $pr = $price_row['item'];
        echo "<h2>" . $price_row['item'] . "</h2><br>";
        // the attribute values are not quoted here; this is the line the answer changes
        echo "<input type = checkbox name = selitem value =" . $pr . "/>";
        echo $pr;
        echo '&nbsp;' . 'Price = ';
        if (is_numeric($price_row['price'])) {
            echo $price_row['price'] . " naira" . "<br>";
        } else {
            echo $price_row['price'] . "<br>";
        }
    }
} else {
    echo '';
}

The variable in question is $pr, but each time I echo it in this code

<?php
echo $_POST['selitem'];
$sel = $_POST['selitem'];
echo $sel;
// $sel is interpolated directly into the query (see the SQL injection comments below)
$query  = "SELECT * FROM titem WHERE item = '$sel'";
$result = mysql_query($query, $connection);
if (!$result) {
    echo 'no', mysql_error();
}
while ($row = mysql_fetch_array($result)) {
    echo $row['comment'];
}
?>

It gives me just the first word and not the complete thing when there are two or more words, hence not allowing me to query MySQL with the right values. Any help will be appreciated.

scrowler
brown.cn
  • You are vulnerable to [SQL injection attacks](http://bobby-tables.com) – Marc B Mar 20 '14 at 00:22
  • @MarcB - don't you wish you got paid to say that!?!? Wait, DO YOU??? – Rottingham Mar 20 '14 at 00:24
  • I know. This is not for commercial use and secondly, I get errors when I try to use mysqli and PDO even though I'm on 5.6 of MySQL and 5.4 of PHP – brown.cn Mar 20 '14 at 00:25
  • @Rottingham: if only... – Marc B Mar 20 '14 at 00:27
  • @brown.cn If you get errors via MySQLi and PDO the best course of action is to learn to use those properly. `mysql_*()` is deprecated in PHP 5.5 anyway. Despite it being non-commercial, if it is ever public in any way, or even potentially exposed to other users (who you may know, like an intranet) it is really important to be in the habit [of doing it properly](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Michael Berkowski Mar 20 '14 at 00:29
  • Thanks for the advice. By the way, you say mysql_*() is deprecated in 5.5, what replaces that then? And aren't the mysqli commands the same thing as the mysql commands except for the extra "i"? – brown.cn Mar 20 '14 at 00:38

1 Answer


Change this

  echo "<input type = checkbox name = selitem value =" . $pr . "/>";

to

  echo '<input type="checkbox" name ="selitem" value ="'.$pr.'" />';
Karim Lahlou
  • Why did you swap the PHP quotes from double to single quotes? Couldn't you just put single quotes around the HTML attributes? – Barmar Mar 20 '14 at 00:26
  • Worked, thanks. Please can you explain the reason for the symbols at $pr? I haven't been able to wrap my head around it. – brown.cn Mar 20 '14 at 00:33
  • You need to add double quotes on any HTML attributes, that's part of the HTML W3C validator – Karim Lahlou Mar 20 '14 at 00:43
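Putting the answer's quoted attribute together with the prepared-statement advice from the comments, here is an added example (not code from the question or the answer) of both pages written with PDO. The table and column names come from the post; the connection placeholders, the `h()` escaping helper, the `select.php` form action and the `comment` query parameter are assumptions.

```php
<?php
// Added example, not from the original post: both pages with PDO prepared
// statements and escaped HTML output. Connection details are placeholders;
// table and column names (titem, item, price, comment) are from the question.
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
               'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
                PDO::ATTR_EMULATE_PREPARES => false]);

// Assumed helper: escape a value for a double-quoted HTML attribute or text node.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Page 1: list items whose comment matches user input, one checkbox per item.
function render_items(PDO $pdo, string $price_data): void {
    // The value is bound as a parameter, never concatenated into the SQL text.
    $stmt = $pdo->prepare('SELECT item, price FROM titem WHERE comment = :comment');
    $stmt->execute([':comment' => $price_data]);
    echo '<form method="post" action="select.php">';
    foreach ($stmt as $row) {
        // Quoted and escaped attribute: an item called "green tea", or one
        // containing a double quote, reaches $_POST['selitem'] intact.
        echo '<h2>' . h((string) $row['item']) . '</h2>';
        echo '<input type="checkbox" name="selitem" value="' . h((string) $row['item']) . '"> ';
        echo 'Price = ' . h((string) $row['price'])
           . (is_numeric($row['price']) ? ' naira' : '') . '<br>';
    }
    echo '<input type="submit" value="Send"></form>';
}

// Page 2 (select.php): look up the chosen item by exact match.
function lookup_comment(PDO $pdo, ?string $sel): ?string {
    if ($sel === null || $sel === '') {
        return null;                    // nothing selected, so no query is issued
    }
    $stmt = $pdo->prepare('SELECT comment FROM titem WHERE item = :item');
    $stmt->execute([':item' => $sel]);
    $comment = $stmt->fetchColumn();
    return $comment === false ? null : (string) $comment;
}

// Dispatch: a posted checkbox value goes to page 2, otherwise page 1 renders
// from the (assumed) ?comment= query parameter.
if (isset($_POST['selitem'])) {
    echo h(lookup_comment($pdo, (string) $_POST['selitem']) ?? 'not found');
} elseif (isset($_GET['comment'])) {
    render_items($pdo, (string) $_GET['comment']);
}
```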