using data from html forms in php

Question

<form action='main.php' method='POST'>
<select name="Category" class='listbox'>
<?php $cat = mysql_query("select cName from category");
while($drop = mysql_fetch_array($cat))
{
    echo '<option value="' . $drop['Category'] . '">' . $drop['cName'] . '</option>';
}
?>
<input type='text' name='search' class='namebox'>
<input type='submit' name='submit' value='Search' class='submitbox'></select>
</select>

i am trying to use this form to create a search engine from my database but just cant get the value from the drop down menu.

$submit = $_POST['submit'];

if($submit)
{
    $search = $_POST['search'];
    $catval = $_POST['Category'];
    echo $catval ;
    $searchval = mysql_query("select * from item where iname like '%$search%'and cId in (select cId from category where cName = '$catval')");
    while($info = mysql_fetch_array($searchval))
    {
        echo "Item Name: " . $info['iName'];
    }
}

so when i try to search using this method i get no results.

You should not query all fields (not use the * operator) and limit the result number. Don't process raw user input but unescape it or, even better, use prepared statements (with PDO) to make SQL injections impossible. SQL injections are a serious security problem. — , Jan 21 '15 at 13:23
**Please, [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).** They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). **Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement)** instead, and **use [PDO](http://us1.php.net/pdo).** — Jay Blanchard, Jan 21 '15 at 13:28
Please note that I meant "escape", not "unescape" it. Unfortunately, my comment can no longer be edited. — , Jan 21 '15 at 13:29

Epodax · Accepted Answer · 2015-01-21T13:49:23.417

0

You have placed the selects closing tag wrong :) and I assume you remembered to close your form aswell?

<form action='main.php' method='POST'>
<select name="Category" class='listbox'>
<?php $cat = mysql_query("select cName, Category from category");
while($drop = mysql_fetch_array($cat))
{
    echo '<option value="' . $drop['Category'] . '">' . $drop['cName'] .'</option>';
}
?>
</select>
<input type='text' name='search' class='namebox'>
<input type='submit' name='submit' value='Search' class='submitbox'> 
</form>

edited Jan 21 '15 at 13:49

answered Jan 21 '15 at 13:27

Epodax

1,828
4
27
32

still when i echo $catval i get nothing – Omar Jan 21 '15 at 13:41
You have closed your form right? I mean you have the at the end of your inputs? – Epodax Jan 21 '15 at 13:45
See my updated answer, you forgot to fetch the Category from your first query, you only fetched cName – Epodax Jan 21 '15 at 13:50

score 0 · Answer 2 · answered Jan 21 '15 at 13:28

<form action='main.php' method='POST'>
<select name="Category" class='listbox'>
<?php $cat = mysql_query("select cName from category");
while($drop = mysql_fetch_array($cat))
{
    echo '<option value="' . $drop['Category'] . '">' . $drop['cName'] .         
'</option>';
}
?>
</select>
<input type='text' name='search' class='namebox'>
<input type='submit' name='submit' value='Search' class='submitbox'>
</form>

That should do the trick. Your </select> was in the wrong place.

In the meantime, you might want to look into PDO and bound values instead of using mysql() as it's depreciated (I.E. don't use it anymore) and insecure.

using data from html forms in php

2 Answers2