
I'm trying to pass a value from an HTML form and store it in a PHP variable so I can use this variable in a query to determine which row to get from the database. I'm using $_POST['category'] to get the selected value and I'm passing the variable to the query to get the desired row, but I'm not getting anything so far. Any help will be appreciated. Here is what I wrote so far:

<form method="post" action="a34.php">
 <select name="category">
  <option value="6008">15</option>
  <option value="6018">25</option>
  <option value="6034">30</option>
  <option value="6038">40</option>
 </select>
</form>

<?php
$V = $_POST['category'];

// $V is interpolated straight into the SQL text
$getrow = "SELECT ProdID,
ProdCatID, ID_AC_seperate, ProdImage,
 ProdName, ProdPrice, ProdShippingPrice,
ProdShortDesc, ProdMediumDesc, suitable,
cart_thumb FROM accessories WHERE ProdID = '$V'";
?>
user8237728
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – [Jay Blanchard](http://stackoverflow.com/users/1011527/jay-blanchard) – Jeff Puckett Jul 05 '17 at 20:07
  • Are you submitting your form? And/or is all that code in one script? – Jeff Jul 05 '17 at 20:10
  • @Little Bobby I know, I'm just trying to get it to work for now. Any suggestions? – user8237728 Jul 05 '17 at 20:13
  • @Jeff it's actually in one script – user8237728 Jul 05 '17 at 20:14
  • And my first question? "Are you submitting your form?" – Jeff Jul 05 '17 at 20:17
  • Do you have in your real script proper ` – Jeff Jul 05 '17 at 20:17
  • @jeff Yes, they are wrapped in php tags – user8237728 Jul 05 '17 at 20:19
  • @jeff So when I set a ProdID in the query it actually works perfectly, but when I'm trying to pass the ProdID from a from it does nothing – user8237728 Jul 05 '17 at 20:21
  • @user8237728 When do you want the data returned? Immediately upon a user selecting a value or after the form is submitted? – Chris Happy Jul 05 '17 at 20:21
  • I'm sorry, I meant 'form' @jeff – user8237728 Jul 05 '17 at 20:21
  • I want it to be submitted when the user selects an option from the drop down menu @ChrisHappy – user8237728 Jul 05 '17 at 20:24
  • Do you want it onchange of the select element? Without a post you will likely need to issue some ajax call. Are you already using jQuery? – happymacarts Jul 05 '17 at 20:27
  • Are you willing to use jQuery to solve your problem? – Chris Happy Jul 05 '17 at 20:41
  • @ChrisHappy Yes, I'm open to any suggestion that will make it work – user8237728 Jul 06 '17 at 00:14
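
Added example (not code from the question or any of the answers): a single a34.php that submits the form when an option is chosen and then runs the asker's query with a MySQLi prepared statement, as the first comment recommends. It assumes a hypothetical db.php that opens a mysqli connection in $db, and that accessories.ProdID is an integer column; the four option values are copied from the question.

```php
<?php
// a34.php: added example, not the asker's code.
// Assumes db.php (hypothetical) defines $db = new mysqli(...) and that
// accessories.ProdID is an integer column.
require __DIR__ . '/db.php';
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// The only ProdIDs this form may ask for (the option values from the form).
const ALLOWED_CATEGORIES = [6008, 6018, 6034, 6038];

/**
 * Validate the submitted category: it must parse as an integer and be one
 * of the known option values. Anything else yields null.
 */
function categoryFromRequest(array $post): ?int
{
    if (!isset($post['category'])) {
        return null;
    }
    $id = filter_var($post['category'], FILTER_VALIDATE_INT);
    if ($id === false || !in_array($id, ALLOWED_CATEGORIES, true)) {
        return null;
    }
    return $id;
}

/**
 * Fetch one accessory row by ProdID. The value is sent as a bound
 * parameter, so it is never part of the SQL text.
 */
function fetchAccessory(mysqli $db, int $prodId): ?array
{
    $stmt = $db->prepare(
        'SELECT ProdID, ProdCatID, ID_AC_seperate, ProdImage, ProdName, ProdPrice,
                ProdShippingPrice, ProdShortDesc, ProdMediumDesc, suitable, cart_thumb
         FROM accessories WHERE ProdID = ?'
    );
    $stmt->bind_param('i', $prodId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$row = null;
$error = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $id = categoryFromRequest($_POST);
    if ($id === null) {
        $error = 'Please choose one of the listed categories.';
    } else {
        $row = fetchAccessory($db, $id);
        if ($row === null) {
            $error = 'No product found for that category.';
        }
    }
}
?>
<form method="post" action="a34.php">
  <select name="category" onchange="this.form.submit()">
    <option value="6008">15</option>
    <option value="6018">25</option>
    <option value="6034">30</option>
    <option value="6038">40</option>
  </select>
  <noscript><button type="submit">Show</button></noscript>
</form>

<?php if ($error !== null): ?>
  <p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php elseif ($row !== null): ?>
  <h2><?= htmlspecialchars($row['ProdName'], ENT_QUOTES, 'UTF-8') ?></h2>
  <p>Price: <?= htmlspecialchars((string) $row['ProdPrice'], ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
```

The onchange handler gives the "submit when the user picks an option" behaviour asked for in the comments without any AJAX; the noscript button keeps the form usable when JavaScript is off. The allowlist check is in addition to the prepared statement, not instead of it: binding the parameter is what stops injection, the allowlist just refuses IDs the form never offered.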

3 Answers


I recommend you use the strip_tags function. Never put raw data into SQL.

So

if (isset($_POST['category'])) {
    // strip_tags() removes HTML tags; the result is still concatenated into the SQL string
    $data = strip_tags($_POST['category']);

    $getrow = "SELECT ProdID, ProdCatID, ID_AC_seperate, ProdImage,
                      ProdName, ProdPrice, ProdShippingPrice,
                      ProdShortDesc, ProdMediumDesc, suitable, cart_thumb
               FROM accessories
               WHERE ProdID = '" . $data . "'";
}
Abhishek
Bluesky
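
Added example, not part of the answer above: it builds the WHERE clause exactly the way that answer does and prints what strip_tags() removes from a few constructed inputs, alongside a digits-only check that matches the shape of the option values. No database is touched; the inputs are made up for the demonstration.

```php
<?php
// Added example, not the answer's code. Shows what strip_tags() removes from
// a form value and what remains in the SQL text when the value is
// interpolated as the answer does. Inputs below are constructed.

/** The query as the answer builds it, after strip_tags(). */
function queryAfterStripTags(string $category): string
{
    $data = strip_tags($category);
    return "SELECT ProdID, ProdName FROM accessories WHERE ProdID = '" . $data . "'";
}

/** A check matching the shape of the option values: decimal digits only. */
function looksLikeProdId(string $category): bool
{
    return ctype_digit($category);
}

// The legitimate value, HTML that strip_tags() does remove, and two strings
// that contain no tags and therefore pass through strip_tags() untouched.
$inputs = [
    '6008',
    '<b>6008</b>',
    "6008' OR '1'='1",
    "6008'; DROP TABLE accessories; -- ",
];

foreach ($inputs as $in) {
    printf("input      : %s\n", $in);
    printf("after tags : %s\n", strip_tags($in));
    printf("query      : %s\n", queryAfterStripTags($in));
    printf("digits only: %s\n\n", looksLikeProdId($in) ? 'yes' : 'no');
}
```

Run it with php from the command line. strip_tags() only understands HTML markup, so the quote and the SQL keywords in the last two inputs survive it and end up in the query text; the digits-only check rejects every input except the real option value.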

Okay, try the following.

The JS file detects when the user picks an option and sends an AJAX request to updateRow.php with the $_POST variable val.

updateRow.php takes the $_POST variable and casts it to an integer. The query is then built with that variable. Process the query, then echo, print, etc. the data in the desired HTML format. Otherwise, echo 'failure'.

The output that is echoed, printed, etc. is then sent back to the JS file in the variable data. If data equals 'failure', an error message is shown. Otherwise, the HTML is inserted into the #row element.

// ------ Your JS file ---------

$(function() {
  var $row = $("#row");

  // fires when the user picks a different option
  $("#update-row").on("change", function() {
    var val = $("select option:selected", this).val();
    $.post('updateRow.php', {
      val: val
    }, function(data) {
      if (data == 'failure') {
        $row.text("Sorry, the row does not exist");
      } else {
        $row.html(data);
      }
    });
  });
});

<?php
//------- updateRow.php ---------
//Make sure path/to/updateRow.php in the JS file is updated to here

// cast to int so only a whole number reaches the query
$V = (int) $_POST['val'];

$getrow = "SELECT ProdID,
ProdCatID, ID_AC_seperate, ProdImage,
ProdName, ProdPrice, ProdShippingPrice,
ProdShortDesc, ProdMediumDesc, suitable,
cart_thumb FROM accessories WHERE ProdID =" . $V;

// QUERY_IS_SUCCESSFUL() is a placeholder for running $getrow and checking that a row came back
if ( QUERY_IS_SUCCESSFUL() ) {
  echo 'The <b>HTML</b> you want to display the data in';
} else {
  echo 'failure';
}
?>
<!----- HTML file ---->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<script src="path/to/js/file.js"></script>

<form method="post" action="a34.php" id="update-row">
  <select name="category">
    <option value="6008">15</option>
    <option value="6018">25</option>
    <option value="6034">30</option>
    <option value="6038">40</option>
    </select>
</form>

<div id="row"></div>
Chris Happy
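
Added example, not the answer's own code: a concrete updateRow.php for the AJAX approach above, replacing the QUERY_IS_SUCCESSFUL() placeholder and the 'failure' sentinel string. It validates val instead of blindly casting it, looks the row up with a bound parameter, and reports problems as HTTP status codes with a JSON body. It assumes a hypothetical db.php that opens a mysqli connection in $db and that ProdID is an integer column.

```php
<?php
// updateRow.php: added example, not the answer's code.
// Assumes db.php (hypothetical) defines $db = new mysqli(...) and that
// accessories.ProdID is an integer column.
require __DIR__ . '/db.php';
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
header('Content-Type: application/json; charset=utf-8');

/**
 * Read and validate the posted product id. A bare (int) cast turns "abc"
 * into 0 and "6008 OR 1=1" into 6008 silently; FILTER_VALIDATE_INT rejects
 * anything that is not a whole positive decimal integer.
 */
function productIdFromPost(array $post): ?int
{
    $id = filter_var(
        $post['val'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $id === false ? null : $id;
}

/** Look the row up with a bound parameter; null when no such ProdID exists. */
function findProduct(mysqli $db, int $prodId): ?array
{
    $stmt = $db->prepare(
        'SELECT ProdID, ProdName, ProdPrice, ProdShortDesc, cart_thumb
         FROM accessories WHERE ProdID = ?'
    );
    $stmt->bind_param('i', $prodId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/** Emit a JSON body with an explicit HTTP status instead of the string 'failure'. */
function respond(int $status, array $body): void
{
    http_response_code($status);
    // JSON_HEX_* keeps <, >, & and quotes out of the raw output even if the
    // client ever drops the body into the page as HTML.
    echo json_encode(
        $body,
        JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS
    );
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    respond(405, ['error' => 'POST required']);
    exit;
}

$id = productIdFromPost($_POST);
if ($id === null) {
    respond(400, ['error' => 'val must be a positive integer']);
    exit;
}

$row = findProduct($db, $id);
if ($row === null) {
    respond(404, ['error' => 'row does not exist']);
    exit;
}

respond(200, ['row' => $row]);
```

On the client, pass 'json' as the fourth argument to $.post so data arrives as an object, and fill #row with .text() or by creating elements rather than with .html(data), since ProdName and the description columns come from the database and should not be interpreted as markup. jQuery only calls the success callback for 2xx responses, so the 400 and 404 cases are handled in .fail() on the returned jqXHR.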

For example, see this and then change your code accordingly:

<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>">
  Name: <input type="text" name="name"><br><br>
  <input type="submit" name="submit" value="Submit">
</form>

<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
  // collect value of input field
  $name = $_POST['name'];
  if (empty($name)) {
    echo "Name is empty";
  } else {
    // escape before echoing so the submitted text is shown literally, not as HTML
    echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
  }
}
?>
user16217248
Abhiram