
How do I get html form POST data to appear after the = signs?

$tsql = "UPDATE dbo.[order] 
 SET status=''
 WHERE order_ID='' ";
Alex_TCD

2 Answers

All POST data is stored in $_POST; put $_POST['dataname'] there.

SET status='".$_POST['dataname']."'

would be the proper replacement.

Forbs

POST data can be retrieved using the $_POST superglobal like this:

.... " SET status = '{$_POST['form_field_name']}'";

HOWEVER, I would recommend using prepared statements for this whenever possible. Putting form data directly into an SQL statement is a bad practice and can cause security issues.

You should use a prepared statement like this:

// $dbConnection is assumed to be an open mysqli connection, e.g.
// $dbConnection = new mysqli('localhost', 'user', 'password', 'dbname');

// Store the form data in variables
$status   = $_POST['status_field'];
$order_ID = (int) $_POST['order_ID_field'];   // order_ID is numeric, so coerce it to an integer

// If you're NOT going to use prepared statements, AT LEAST escape the values
// before concatenating them into the SQL string. Do not do this when binding
// parameters below: escaping and then binding would store the backslashes
// in the database.
// $sanitized_status   = mysqli_real_escape_string($dbConnection, $status);
// $sanitized_order_ID = mysqli_real_escape_string($dbConnection, $order_ID);

// Prepare the SQL
// The database compiles this statement first, with placeholders in place of the values
$stmt = $dbConnection->prepare('UPDATE table_name SET status = ? WHERE order_ID = ?');
if ($stmt === false) {
    die('Prepare failed: ' . $dbConnection->error);
}
// Parameters are bound to the COMPILED statement, not to the string,
// so the values can never change the structure of the query
$stmt->bind_param('si', $status, $order_ID);   // 's' = string, 'i' = integer

$stmt->execute();
$stmt->close();

The key is to bind your form data to the compiled statement and not the SQL string itself. Read more about prepared statements in this excellent resource below!

Reference: How can I prevent SQL injection in PHP?

Timothy Fisher
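The injection that both answers concatenate around and the second answer warns about, as an added example that is not part of either answer: it runs the concatenated UPDATE from the question and a parameterised UPDATE against the same hostile form value, so you can see one change every row and the other change none. It uses PDO with an in-memory SQLite database (pdo_sqlite extension) so it runs offline without a MySQL server; the table, its rows and the fake $post array standing in for $_POST are constructed for the demo. The answers' mysqli code binds parameters the same way.

```php
<?php
// Added example, not code from the original question or answers.
// Assumes the pdo_sqlite extension; the "order" table and the $post array
// are constructed here to stand in for the real database and $_POST.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE "order" (order_ID INTEGER PRIMARY KEY, status TEXT NOT NULL)');
$db->exec("INSERT INTO \"order\" (order_ID, status) VALUES (1, 'new'), (2, 'new'), (3, 'new')");

// Returns [order_ID => status] so each step's effect is easy to see.
function dumpStatuses(PDO $db): array
{
    return $db->query('SELECT order_ID, status FROM "order" ORDER BY order_ID')
              ->fetchAll(PDO::FETCH_KEY_PAIR);
}

// Constructed form submission: the order_ID field carries a classic payload.
$post = [
    'status_field'   => 'shipped',
    'order_ID_field' => "1' OR '1'='1",
];

// 1. Vulnerable: the concatenation pattern from the question. The quote in
//    order_ID closes the literal and the OR makes the WHERE clause true for
//    every row, so every order is marked shipped.
$vulnerable = "UPDATE \"order\" SET status='" . $post['status_field']
            . "' WHERE order_ID='" . $post['order_ID_field'] . "'";
echo "Vulnerable SQL: $vulnerable\n";
$affected = $db->exec($vulnerable);
echo "Rows affected by concatenated query: $affected\n";
print_r(dumpStatuses($db));

// Reset the table so the second run starts from the same state.
$db->exec("UPDATE \"order\" SET status='new'");

// 2. Hardened: placeholders. The identical hostile string is bound as a value
//    and compared against order_ID as data; it is not parsed as SQL, so no
//    row matches and nothing changes.
$stmt = $db->prepare('UPDATE "order" SET status = :status WHERE order_ID = :id');
$stmt->bindValue(':status', $post['status_field'], PDO::PARAM_STR);
$stmt->bindValue(':id', $post['order_ID_field'], PDO::PARAM_STR);
$stmt->execute();
echo "Rows affected by prepared statement: " . $stmt->rowCount() . "\n";
print_r(dumpStatuses($db));

// 3. Belt and braces: validate the type before it ever reaches the database.
//    A numeric column should only ever be bound to a validated integer.
$id = filter_var($post['order_ID_field'], FILTER_VALIDATE_INT);
if ($id === false) {
    echo "Rejected order_ID_field: not an integer\n";
} else {
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
}
```

Run it with `php inject_demo.php`: the first UPDATE reports three affected rows, the prepared statement reports zero, and the validation step rejects the value outright. Validation does not replace parameter binding; it adds a second, independent line of defence and gives the user a sensible error instead of a silent no-op.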