
I'm having some issues with passing information from a form to a PHP script which then requests data from MySQL.

I can get data to return as long as I hard code the request; however, I'm trying to do it so that when a user selects an option from the drop-down list, it runs the selected query. This is what I have in my form.

<form action="FETCH.PHP" method="POST" enctype="multipart/form-data">
<select name="mySelect">
<option value="South Yorkshire">South Yorkshire</option>
<option value="West Midlands">West Midlands</option>
</select>
<input type="submit" value="Go">
</form>

and this is what I have in my PHP script:

<?php
$con=mysqli_connect("*******","*******","*******","*******");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$selectedOption = $_POST["mySelect"];
$result = mysqli_query($con,"SELECT * FROM `SouthYorkshire` WHERE  `EstProv` ='$_POST'");

echo "<div id=Results>";

while($row = mysqli_fetch_array($result))
{
echo "<div class=ClubName>";
echo $row['EstName'];
echo "<div class=Location>";
echo $row['EstAddress2'];
echo "<br>";
}
echo date("Y") . " " ."Search is Powered by PHP.";
mysqli_close($con);
?>

I know there's something wrong here but I don't know what. This is the first time I have attempted anything with MySQL and PHP.

The current script does not give any errors but doesn't bring back any results. Any ideas?

halfer
  • Apologies, I wasn't shouting, I just forgot to turn caps lock off and then couldn't be bothered to re-write it – user3487006 Apr 02 '14 at 14:17
  • Your query looks wrong WHERE `EstProv` ='$_POST'"); – David Hirst Apr 02 '14 at 14:18
  • -1 for the "couldn't be bothered" bit. Despite this, I've tidied up your question. – halfer Apr 02 '14 at 14:18
  • **Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Apr 02 '14 at 14:19
  • Thank you Chetan Paliwal your answer has worked for me :) – user3487006 Apr 02 '14 at 14:20
  • @Quentin I have had a lot of people mention that; I'm completely new to SQL so I have no idea how it works. On the plus side though, the database only holds establishment names and locations so there's no valuable data – user3487006 Apr 02 '14 at 14:28
  • @MrBBates: don't forget to tick the answer that most helped you. Read them all! And, as per the above, please take care to write questions carefully; not only do some questions create edit work, but enough of them can stop you asking future questions too (via a block on your account). – halfer Apr 02 '14 at 14:28
  • @MrBBates - this thread may be of interest to you: http://stackoverflow.com/questions/5721786/how-does-sql-injection-work-and-how-do-i-protect-against-it – Latheesan Apr 02 '14 at 14:29
  • @MrBBates — Well, if you don't mind random visitors to your website being able to replace all your establishment names with swear words… – Quentin Apr 02 '14 at 14:30
  • Quentin how can they do that? There are no insert commands etc. in the PHP so I didn't think it would give them access to that? – user3487006 Apr 02 '14 at 14:32

3 Answers


Herein lies the problem:

$result = mysqli_query($con,
    "SELECT * FROM `SouthYorkshire` WHERE  `EstProv` ='$_POST'");

Change that line to:

$result = mysqli_query($con,
    "SELECT * FROM `SouthYorkshire` WHERE  `EstProv` ='$selectedOption'");

Update

You should bind params to secure your script like this:

$result = mysqli_query($con,
    sprintf("SELECT * FROM `SouthYorkshire` WHERE  `EstProv` = '%s'",
        preg_replace("/[^A-Za-z ]/", '', $selectedOption))); // pattern based on your html select options

OR...

Do it the Object Orientated way: http://php.net/manual/en/mysqli.prepare.php

Latheesan
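As an added example (not code from any answer on this page) of the prepared-statement route Latheesan links to: the same lookup with the submitted value passed as a bound parameter instead of being spliced into the SQL text, the value first checked against the two options the form actually offers, and the results echoed with quoted attributes, closed divs and HTML-escaped values, as Sam Ye and halfer point out. The connection credentials are placeholders; the table and column names are the ones from the question.

```php
<?php
// Added example: region lookup with a mysqli prepared statement.
// DB_HOST / DB_USER / DB_PASS / DB_NAME are placeholders for your own credentials.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors instead of failing silently

$con = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME');
$con->set_charset('utf8mb4');

// The form only offers these two values; anything else never reaches the database.
$allowed = ['South Yorkshire', 'West Midlands'];
$selectedOption = $_POST['mySelect'] ?? '';
if (!in_array($selectedOption, $allowed, true)) {
    http_response_code(400);
    exit('Unknown region');
}

// The SQL text is fixed; the user value travels separately as a bound parameter,
// so it can only ever be compared against EstProv, never change the query.
$stmt = $con->prepare('SELECT `EstName`, `EstAddress2` FROM `SouthYorkshire` WHERE `EstProv` = ?');
$stmt->bind_param('s', $selectedOption);
$stmt->execute();
$result = $stmt->get_result(); // requires the mysqlnd driver (default in modern PHP builds)

// Output: quoted attribute values, every div closed, database values HTML-escaped.
echo '<div id="Results">';
while ($row = $result->fetch_assoc()) {
    echo '<div class="ClubName">' . htmlspecialchars($row['EstName'], ENT_QUOTES, 'UTF-8') . '</div>';
    echo '<div class="Location">' . htmlspecialchars($row['EstAddress2'], ENT_QUOTES, 'UTF-8') . '</div>';
}
echo '</div>';
echo date('Y') . ' Search is Powered by PHP.';

$stmt->close();
$con->close();
```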
WHERE  `EstProv` ='$selectedOption'
Chetan Paliwal
  • Thank you for your answer. This worked perfectly; the only reason why I selected a different answer is because they provided more information, however your answer was equally good – user3487006 Apr 02 '14 at 14:35

In your SQL, you put the whole $_POST in, and for displaying the results, there is no close div tag.

Sam Ye
  • Yep... and the div items don't have quote marks around the attribute values, so the result is invalid HTML. – halfer Apr 02 '14 at 14:26
  • @halfer I tried to add the " but it seems to break the PHP request with them in. That was my next stage because I want to use CSS to style the results – user3487006 Apr 02 '14 at 14:29
  • @MrBBates: you can use single quotes instead (they are equally valid) or precede double-quotes with a backslash to "escape" them. For the latter, something like this: `echo " ";` – halfer Apr 02 '14 at 14:30
  • @halfer thank you very much for that one, saves me looking it up :) – user3487006 Apr 02 '14 at 14:35