
I'm trying to pass values from an html form <select> list to a SQL table. I've tried several things but can't get it to work.

HTML

<select class="select-list">
    <option value="volvo" class="selectval">
        Volvo
    </option>

    <option value="saab" class="selectval">
        Saab
    </option>

    <option value="mercedes" class="selectval">
        Mercedes
    </option>

    <option value="audi" class="selectval">
        Audi
    </option>
</select>

PHP

$name = filter_var($_POST['name'],FILTER_SANITIZE_STRING);
$email = filter_var($_POST['email'],FILTER_VALIDATE_EMAIL);
$email = filter_var($email,FILTER_SANITIZE_EMAIL);
$phone = filter_var($_POST['phone'],FILTER_SANITIZE_STRING);

if (empty($name) || empty($email) || empty($phone) || !isset($select)) {

    return;

} else {

    mysql_connect('localhost', 'root', '');
    mysql_select_db('show_express');

    $name = clean_inputs($name);
    $email = clean_inputs($email);
    $phone = clean_inputs($phone);

    $sql = "INSERT INTO clients(id,name,email,phone,bands) ";
    $sql .= "VALUES('','$name','$email','$phone','$select')";
    mysql_query($sql);

    if (mysql_affected_rows()) {
        echo true;
    }

}


function clean_inputs($input) {
    $clean = mysql_real_escape_string(stripcslashes($input));
    return $clean;
}
showdev
user3387719
    I know this isn't the answer, but you really should just use PDO, your script is still vulnerable to injects despite your attempts to sanitize input (you're not sanitizing every variable which could be injected). Is there an error being displayed or a mysql_error that you're not checking for? – skrilled Jul 17 '14 at 00:17
  • 2
    [**Please, don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained [and are officially deprecated](http://j.mp/XqV7Lp). See the [**red box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. If you choose PDO, [here is a good tutorial](http://j.mp/PoWehJ). – esqew Jul 17 '14 at 00:19

3 Answers


Firstly, you don't have $select defined/instantiated anywhere in your code. So how can you test it or insert it if it isn't present?

Secondly, I presume that the issue you're facing is that you do not have a name attribute on your select element? (Please provide your form code to verify)

So you'd have to create a select that looks something like this:

<select name="car">
    <option value="audi">Audi</option>
    <option value="saab">Saab</option>
    ....etc
</select>

Which in turn allows you to access the select like this:

$select = filter_var($_POST['car'], FILTER_SANITIZE_STRING);

Notice the name attribute in the <select> tag? Yeah, you'll need that to access the value.

And as stated in the comments, PLEASE avoid using mysql_* functions as the library is deprecated.

Look at this comment for more information as to why you should avoid them.


And just for extra cookie points, here's an example of how you'd do an insert using PDO. (Taken from this answer)

$db = new PDO("...");
$statement = $db->prepare("insert into clients(id,name,email,phone,bands) VALUES(NULL,:name, :email, :phone, :select)");
$statement->execute(array(':name' => $name, ':email' => $email, ':phone' => $phone, ':select' => $select));
$inserted = $statement->rowCount(); // an INSERT produces no result set to fetch(); rowCount() gives the number of rows written
Darren
  • Thanks for the security tips, at the moment I'm trying to understand the basics of PHP ... so security isn't really an issue as for now... Regarding my problem - how can I create a variable that defines the selected values? Can I do this => $select = ($_POST['name']); – user3387719 Jul 17 '14 at 00:29
  • @user3387719 If you follow the example I posted, you'd create a `<select name="car">` and access that `name` attribute in post. Like this: `VALUES('','$name','$email','$phone','$select');` – Darren Jul 17 '14 at 00:30
  • @user3387719 Does this answer your question? – Darren Jul 17 '14 at 04:06

You are using the variable $select but it's not being initiated anywhere. You need to use something like this.

$select = filter_var($_POST['select'],FILTER_SANITIZE_STRING);

Next time post your client side script.

Denzyl Dick
  • Thanks for the tips, now, regarding your great answers: Matt W - as much as I want to code properly I have to concentrate on what I understand so far - So a big thanks for the explanation - I will use it soon. Denzyl Dick - here is my client side code - I don't understand yet how to connect PHP, HTML and JS... how should I get the values? By loops / arrays? How can I link the Submit button to the whole thing - Sorry for the trouble... as I said - I'm new and it's really hard so far - http://jsbin.com/gogeh/1/edit?html,js,output – user3387719 Jul 17 '14 at 00:50
  • You could use $_POST[select-list] instead of $_POST[select]. I saw your javascript but you need to refactor it; you have 45 errors, maybe that is the reason it doesn't work when you click the submit button. – Denzyl Dick Jul 17 '14 at 00:57
  • Denzyl - thanks for the comment - the errors are caused only by one line - var select =$('select['value']).val());.....the rest is fine....I'll check your tip in a while. – user3387719 Jul 17 '14 at 01:20

This is something along the lines of what I use:

<?php
$db_host = 'localhost';
$db_name = 'show_express';
$db_user = 'root'; // you REALLY shouldn't use root for normal access
$db_pass = ''; // you REALLY need to use a password

// PDO throws a PDOException when it cannot connect; it never returns false,
// so the failure has to be caught rather than tested with if (!$dbh).
try {
    $dbh = new PDO('mysql:host='.$db_host.';dbname='.$db_name, $db_user, $db_pass);
} catch (PDOException $e) {
    print "<p>Error connecting to database</p>";
    exit;
}

$q_insert = $dbh->prepare(
    "INSERT INTO clients (name, email, phone) VALUES (?,?,?);"
);
if (!$q_insert)
{
    // prepare() returned false, so the error lives on the connection handle
    $err = $dbh->errorInfo();
    print "<p>Error preparing query: ".$err[2]." [".$err[0]."]</p>";
    exit;
}

// The values are bound to the ? placeholders, never concatenated into the SQL text
$r = $q_insert->execute(array($_POST['name'], $_POST['email'], $_POST['phone']));
if (!$r)
{
    $err = $q_insert->errorInfo();
    print "<p>Error executing query: ".$err[2]." [".$err[0]."]</p>";
    exit;
}

print "<p>Success!</p>";
?>

I would strongly suggest you start learning to use PDO instead of the mysql_ functions. They make way more sense, the paradigm aligns with other languages, and the knowledge you gain will be portable.

I know this is just a newbie project, but don't use the 'root' user, especially without a password. Create a new user with permissions only for the 'show_express' database.

When asking questions, it is helpful if you tell us how it doesn't work. Are you getting an error message? Is the data ending up in the table but not correctly? Also, along those lines, how do you know it didn't work? I.e., what are you using to verify this code?

Matt W
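Putting the two points of the answers above together (a `name` attribute on the select, read from `$_POST`, and a PDO prepared statement), as an added example that is not code from any answer on this page. It assumes the select is named `car` with the four option values from the question, that `clients.id` is auto-increment, and uses placeholder credentials; it also goes one step further than the answers by checking the submitted option value against the list the form actually offered.

```php
<?php
// Added example (not from any answer on this page). Assumes the form posts
// name, email, phone and a <select name="car"> whose option values are the
// four in the question, and that clients.id is auto-increment.
declare(strict_types=1);

// A browser can submit any value for a <select>, so the server only accepts
// the option values it rendered itself.
const ALLOWED_CARS = ['volvo', 'saab', 'mercedes', 'audi'];

function validate_input(array $post): ?array
{
    $name  = trim((string)($post['name'] ?? ''));
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $phone = trim((string)($post['phone'] ?? ''));
    $car   = $post['car'] ?? '';
    if ($name === '' || $email === false || $phone === '') {
        return null;
    }
    if (!in_array($car, ALLOWED_CARS, true)) {
        return null; // missing or tampered select value
    }
    return ['name' => $name, 'email' => $email, 'phone' => $phone, 'car' => $car];
}

function insert_client(PDO $dbh, array $row): int
{
    // Placeholders keep the values out of the SQL text; no escaping needed.
    $stmt = $dbh->prepare(
        'INSERT INTO clients (name, email, phone, bands) VALUES (:name, :email, :phone, :bands)'
    );
    $stmt->execute([':name' => $row['name'], ':email' => $row['email'],
                    ':phone' => $row['phone'], ':bands' => $row['car']]);
    return (int) $dbh->lastInsertId();
}

$row = validate_input($_POST);
if ($row === null) {
    http_response_code(400);
    exit('Invalid form data');
}
// ERRMODE_EXCEPTION makes connect/prepare/execute failures throw instead of
// returning false, so they cannot be silently ignored.
$dbh = new PDO(
    'mysql:host=localhost;dbname=show_express;charset=utf8mb4',
    'show_express_app',          // placeholder: least-privilege user, not root
    getenv('DB_PASSWORD') ?: '', // placeholder: password from the environment
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);
echo 'Inserted client id ' . insert_client($dbh, $row);
```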