How to put user input into a SQL Query

Question

I have a database and I want the user to be able to have an input into what comes out. i.e

Select from Table where example = user input from box **(input by the user)**

Im guessing what I need is a variable to hold the value that then goes into the statement. I know how to get the value from the input box with script but can I use it like:

select * From handover WHERE hdate = variable. However I am guessing someone is going to talk to me about security if its even possible.

<html><body>

<input>User input</input> //That needs to go into statement


  <?php
 include 'config.php';

$result = mysqli_query($con,"SELECT * FROM handover WHERE hdate = **user input**;");

 echo "<table border='1'>
   <tr>
 <th>hdate</th>
 <th>Delay</th>
 <th>Health and Safety</th>
 <th>Non Vsa</th>
 <th>VSA</th>
 <th>Dar</th>
 <th>Other</th>
<th>Hour</th>
</tr>";

    while($row = mysqli_fetch_array($result)) {
   echo "<tr>";
   echo "<td>" . $row['hdate'] . "</td>";
   echo "<td>" . $row['hdelay'] . "</td>";
   echo "<td>" . $row['hs'] . "</td>";
   echo "<td>" . $row['nv'] . "</td>";
   echo "<td>" . $row['vsa'] . "</td>";
   echo "<td>" . $row['dar'] . "</td>";
   echo "<td>" . $row['other'] . "</td>";
   echo "<td>" . $row['hour'] . "</td>";
   echo "</tr>";
 }

echo "</table>";

mysqli_close($con);
?>

Any help is welcome and advice on the best language to use for this.

Kind Regards

Fintan

Answer 1

first of all, this question has nothing to do with javascript & ajax. so you can delete those tags.

you want to show/search data from mysql.

$result = mysqli_query($con,"SELECT * FROM handover WHERE hdate = '".$_POST['abc']."' ");

this is when you want to check if hdate column have exact data as user input ( $_POST['abc'] ).

and also don't forget to use mysqli_real_escape_string

you can learn common mysql pattern queries from here: http://dev.mysql.com/doc/refman/5.0/en/pattern-matching.html