white spaces in $_POST

Question

I have a HTML dropdown list populated by PHP as following:

<form name="selectOccupation" method="post" action="specific_occupation.php">
                        <div align="centre">
                        <select name="occupation_dropdown" id="occupation_dropdown">
                        <?php
                        include "connection.php";

                        $sql = mysql_query("SELECT DISTINCT Occupation from patient_info");
                        while ($row = mysql_fetch_array($sql))  {
                echo "<option value=".$row['Occupation'].">".$row['Occupation']."</option>";
                        }
                        ?>
                        </select>
                        </div>
                        <br>
                        <br>
                                <input type="submit" name="submit" value="Proceed"/>
                    </form>

In the specific_occupation.php file, I have this code:

<?php

    include "connection.php";

    $selectedoccupation = $_POST['occupation_dropdown'];
    echo $selectedoccupation;   

    $myquery = "SELECT patient_info.Name, test_info.DateOfTest FROM                 `patient_info`,`test_info` WHERE patient_info.PatientID = test_info.PatientID AND               patient_info.Occupation = '$selectedoccupation' ";

    $query = mysql_query($myquery);

        if ( ! $query ) {
            echo mysql_error();
            die;
        }

        $data = array();

        for ($x = 0; $x < mysql_num_rows($query); $x++) {
            $data[] = mysql_fetch_assoc($query);
        }

     $tempdata = json_encode($data);
?>

This works fine if an occupation without any white space between them like "carpenter" is selected from the dropdown menu but doesn't work for "sales person". How can the $_POST be used for occupations with white spaces??

Thanks in advance !!

@MarcB no, $_POST in specific_occupation.php is causing trouble if "sales person" gets selected from the dropdown list. — user2398101, May 26 '14 at 16:37
Your code is vulnerable to SQL injections. You should read on [how to prevent them in PHP](http://stackoverflow.com/q/60174/53114). — Gumbo, May 26 '14 at 16:38

score 4 · Accepted Answer · answered May 26 '14 at 16:36

4

You're building your HTML wrong. You've got it as:

 <option value=Sales Person>
               ^^^^^---what will get sent as the value
                     ^^^^^^---some wonky unknown/non-standard attribute

This is incorrect. HTML now requires that ALL attributes be quoted:

 <option value="Sales Person">

and even when the quotes weren't required, you still had to have the quotes to handle "spaced" data like this.

answered May 26 '14 at 16:36

Marc B

356,200
43
426
500

Does that mean that I shouldn't be using php to populate my dropdown list ?? – user2398101 May 26 '14 at 16:48
1

What he means is you still need to add double quotes in your HTML attribute like this... `" – hyubs May 26 '14 at 16:53

score -2 · Answer 2 · edited Oct 02 '15 at 17:01

-2

PHP post replace some characters such as - with whitespaces. You can try urlencode($var) in your PHP script.

edited Oct 02 '15 at 17:01

mbinette

5,094
3
24
32

answered May 26 '14 at 16:38

Dumb_programmer

1
3

white spaces in $_POST

2 Answers2