
I'm currently coding a plugin in PHP and I have a list box containing numbers from 1 to 30 and a "submit" button. The plugin page is running some SQL request.

The point is the SQL request should update when you choose a number in the list box and click the submit button.

For instance:

SELECT G.xxx 
FROM yyy M, 
     zzz G 
WHERE M.name = G.nomfield 
AND G.nomfield = "xxx" 
AND G.idfield = 01 
AND G.xxx = $numberfrom1to30

the display should be different according to the number selected in the list box after the submit button is clicked. How should I do this?

I tried to:

<?php
// Read the list-box value from the query string (empty string if absent)
$selected = isset( $_GET['numberfrom1to30'] ) ? $_GET['numberfrom1to30'] : "";
$selectedValue = 'selected="selected"';
$numberfrom1to30 = $selected;
?>

But here's my error: Unknown column '$numberfrom1to30' in 'where clause'

    `AND G.nomfield = "xxx" AND G.idfield = "01" AND G.xxx = "$numberfrom1to30"`.. Missed the quotes – Sougata Bose Mar 06 '18 at 11:40
  • Obligatory: you are open to injection. OK, on topic, you are not escaping the string if the variable name is being returned to you in the error. – NappingRabbit Mar 06 '18 at 11:40
  • Filter the variable - http://php.net/manual/en/function.filter-var.php or use a regex or cast the variable to an int. – marko Mar 06 '18 at 11:44

1 Answer

You have two issues: SQL injection and using the wrong quotes in the query:

// convert to a number to prevent SQL injection (intval turns anything non-numeric into 0)
$numberfrom1to30 = intval($_GET['numberfrom1to30']);

// string literals use single quotes; the integer is interpolated unquoted
$query = "SELECT G.xxx FROM yyy M, zzz G WHERE M.name = G.nomfield AND G.nomfield = 'xxx' AND G.idfield = 01 AND G.xxx = $numberfrom1to30";
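The answer casts with intval(), which stops the injection but silently turns bad input into 0. The following is an added example, not code from the question or the answer, showing what I would do in the plugin instead: reject anything outside 1..30 with filter_var() and bind the value with a prepared statement so it never becomes part of the SQL text. The table contents are constructed, the column names are the ones from the question, and SQLite in memory stands in for the plugin's MySQL connection so the script runs offline; the unsafe function is included only to show the difference.

```php
<?php
// Added example (not from the original post). Assumes tables yyy(name) and
// zzz(nomfield, idfield, xxx) as named in the question; rows are constructed.
declare(strict_types=1);

// In-memory SQLite so this runs offline; a real plugin would use its MySQL PDO handle.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE yyy (name TEXT)');
$pdo->exec('CREATE TABLE zzz (nomfield TEXT, idfield INTEGER, xxx INTEGER)');
$pdo->exec("INSERT INTO yyy (name) VALUES ('xxx')");
foreach ([1, 7, 30] as $n) {
    $pdo->exec("INSERT INTO zzz (nomfield, idfield, xxx) VALUES ('xxx', 1, $n)");
}

/**
 * Validate the list-box value: an integer in 1..30, or null if it is missing,
 * non-numeric, or out of range. filter_var rejects "7 OR 1=1", "7.0" and "".
 */
function selectedNumber(array $get): ?int
{
    $n = filter_var(
        $get['numberfrom1to30'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 30]]
    );
    return $n === false ? null : $n;
}

/**
 * Safe version: the selected number is bound as a parameter, so the SQL text
 * is fixed and the database never interprets the input as SQL.
 * (idfield = 1 here; MySQL also accepts the question's literal 01.)
 */
function rowsFor(PDO $pdo, int $n): array
{
    $stmt = $pdo->prepare(
        "SELECT G.xxx FROM yyy M, zzz G
         WHERE M.name = G.nomfield AND G.nomfield = 'xxx'
           AND G.idfield = 1 AND G.xxx = :n"
    );
    $stmt->execute([':n' => $n]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/**
 * DO NOT USE: the query from the question with raw input interpolated.
 * Kept only to show the injection the comments warn about.
 */
function rowsForUnsafe(PDO $pdo, string $raw): array
{
    $sql = "SELECT G.xxx FROM yyy M, zzz G
            WHERE M.name = G.nomfield AND G.nomfield = 'xxx'
              AND G.idfield = 1 AND G.xxx = $raw";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed requests: a normal selection and an injection attempt.
foreach (['7', '7 OR 1=1'] as $raw) {
    $n = selectedNumber(['numberfrom1to30' => $raw]);
    $safe = $n === null ? 'rejected' : implode(',', rowsFor($pdo, $n));
    echo "input '$raw': unsafe -> " . implode(',', rowsForUnsafe($pdo, $raw))
       . " | validated -> $safe\n";
}
```

Run it with the PHP CLI (php example.php). The input 7 returns the single matching row through both paths; the input 7 OR 1=1 returns every row through the unsafe path and is rejected by the validated one before any query is built. In the plugin, drop rowsForUnsafe entirely and, when selectedNumber returns null, redisplay the form instead of running the query.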