HTML select TAG into mysql

Question

So, I want to upload a file and choose (for example) "Value 1" from select tag. And then when I click Publish button I want from script to check if I selected Value 1, and if I did, then I want to put the file ("file_name") it in column "columndb", if I selected Value 2 I want to put it in some other column and so on.

<div><input type="file" name="file_name">    
<div><input type="file" name="inputname">
       <select id="select_id" name="select_name">
       <option value="null">None</option>
       <option value="value1" name="value1name">Value 1</option>
       <option value="value2" name="value2name">Value 2</option>
       </select></div>
<div>
<div><input type="submit" name="submit" value="Publish"></div>
</div>    
<?php

if(isset($_POST['submit'])){

$filename = $_FILES['file_name']['name'];
$filename_tmp = $_FILES['file_name']['tmp_name'];
$select_tag = $_POST['select_name'];

move_uploaded_file($filename_tmp, "somewhere/$filename");

if($select_tag == 'value1name'){

        $insert_db = "insert into mydb ('columndb') values ('$filename')";
        $run_db = mysqli_query($db, $insert_db, MYSQLI_STORE_RESULT);
    }
}
?>

`if($select_tag == 'value1name')` will never evaluate to that. You're checking against a name attribute instead of a value. Plus, ` — Funk Forty Niner, Feb 11 '16 at 17:16
you're also using the wrong identifier qualifiers in your query. — Funk Forty Niner, Feb 11 '16 at 17:17
I tried with 'if($select_tag == 'value1')' and it doesn't work. — Stefan Zupanek, Feb 11 '16 at 17:17
Add error reporting to the top of your file(s) right after your opening PHP tag for example ` — Funk Forty Niner, Feb 11 '16 at 17:21

score 0 · Accepted Answer · answered Feb 11 '16 at 17:23

0

Options shouldn't have names, only values. So you would verify as follows:

if($select_tag == "value1")
{
   //...
   //You're also using apostrophes in the query, on the column name, which is wrong.
   //Change to this:
   $insert_db = "insert into mydb (`columndb`) values ('$filename')";
}

answered Feb 11 '16 at 17:23

Phiter

14,570
14
50
84

Problem was exactly like you said, values in options and apostrophes in the query. Thank you. – Stefan Zupanek Feb 11 '16 at 17:35

score 0 · Answer 2 · answered Feb 11 '16 at 17:26

If $select_tag is correctly holding the 'value' of your selection as the column name, then the following should be suitable:

$insert_db = "insert into mydb (`$select_tag`) values ('$filename')";

As a note though, using the value from the form as the column name is very bad security-wise. Someone malicious could manually submit a value which causes data to be put into another field, or perform an sql injection (because you do not escape the $select_tag or $filename before performing your SQL query.

You'd be better off having a block of 'if' statements, or a 'switch', which chooses a column depending on a predefined set of values.

Example:

$target_column = ""; // input column
switch($select_tag) {
    case "column1":
        $target_column = "columndb";
        break;

    case "column2":
        $target_column = "anothercolumn";
        break;

    default:
        $target_column = "column1";
        break;
}

$filename = mysql_escape_string($filename); // mysql_escape_string is deprecated in later php versions... Use an alternative like mysqli_real_escape_string()
$insert_db = "insert into mydb (`$target_column`) values ('$filename')";
$run_db = mysqli_query($db, $insert_db, MYSQLI_STORE_RESULT);

Thank you for security info. – Stefan Zupanek Feb 11 '16 at 17:36 — Stefan Zupanek, Feb 11 '16 at 17:36

score -1 · Answer 3 · answered Feb 11 '16 at 17:22

-1

if ($_POST['select_tag'] == 'Something') {

I think this is what you want

answered Feb 11 '16 at 17:22

Daniel O.

196
2
16

HTML select TAG into mysql

3 Answers3