-2

I am trying to use an if statement in an "insert into table values" statement in a PHP environment and use $_POST[] as a variable to build a complex SQL query for updating a field. The script is below. It is mainly about updating a field that is NULL to an empty string. It does not seem to be working for me. Can anybody help me out?

```php
$strSQL = "INSERT INTO SR ";
$strSQL .="(DESC,ATTACH) ";
$strSQL .="VALUES ";
$strSQL .="('".$_POST["txtDesc"]."','".((SELECT $_POST["txtAttach"] FROM SR WHERE $_POST["txtAttach"] is NULL),"  ")."')";
```
Sunnie
  • What error are you receiving? It is not clear what you want. Where do you want to put the `if`? Please update your question with this information and the error. – Dalton Cézane May 29 '18 at 21:21
  • The error is here: Parse error: syntax error, unexpected '$_POST' (T_VARIABLE) in C:\Program Files (x86)\Apache Software Foundation\Apache2.2\htdocs\submit\php_oracle_insert2.php on line 46 – Sunnie May 29 '18 at 21:23
  • 2
    Please, unrelated, but look up PDO and bound parameters. Generating SQL directly from user input is dangerous. – Phil Cross May 29 '18 at 21:23
  • It seems your select statement is not passed correctly, as string, to your strSQL variable... – Dalton Cézane May 29 '18 at 21:25
  • Any way to make the SQL pass? – Sunnie May 29 '18 at 21:29
  • @Phil Cross thanks for your advice but why? – Sunnie May 29 '18 at 21:35
  • Try this or something like this: `$strSQL = "INSERT INTO SR (DESC,ATTACH) VALUES ('${_POST['txtDesc']}','SELECT '${_POST['txtAttach']}' FROM SR WHERE '${_POST['txtAttach']}' is NULL')";` – Dalton Cézane May 29 '18 at 21:36
  • 1
    @Sunnie It opens your queries to SQL Injection. For example, there's nothing to stop a user posting ``, then when it's saved to your database, whenever the record is retrieved and run in the browser, the JavaScript will be run as well. That's the most basic example I can write in a comment. See: https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Phil Cross May 29 '18 at 21:38
  • Try to simplify (and make less error-prone) your fourth line of the $strSQL concatenation by putting the $_POST variables in short, clean variables, e.g. `$txtDesc = $_POST["txtDesc"]`, and then inserting that into the query: `$strSQL .= "('$txtDesc', ...` etc. And yes, I think SQL injection is a subject you may need to dive into as well... – lovelace May 29 '18 at 21:39

1 Answer

0

The issue here is with your syntax.

```php
<?php
$strSQL = "INSERT INTO SR ";
$strSQL .="(DESC,ATTACH) ";
$strSQL .="VALUES ";
$strSQL .="('".$_POST["txtDesc"]."','".((SELECT $_POST["txtAttach"] FROM SR WHERE $_POST["txtAttach"] is NULL),"  ")."')";
```

should be:

```php
$strSQL = "INSERT INTO SR ";
$strSQL .="(DESC,ATTACH) ";
$strSQL .="VALUES ";
$strSQL .= "('".
    $_POST["txtDesc"] ."','" .
    "(
        (
            SELECT " . $_POST["txtAttach"] .
            " FROM SR WHERE " .
            $_POST["txtAttach"] .
            " is NULL
        )
    )
)";
```

Your code is highly unreadable. I will make an edit to my post once I rewrite it.

Plixxer
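The PDO bound-parameter approach recommended in the comments, as an added example that is not part of the original thread: the INSERT from the question with both values bound and a missing field stored as an empty string. It assumes an in-memory SQLite database in place of the Oracle one on the page; the helper names `openDemoDb` and `insertSr` are hypothetical and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Assumption: in-memory SQLite stands in for the Oracle database on the page,
// so the script runs offline. Table and column names follow the question.
function openDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // DESC is a reserved word, so the column name is quoted as an identifier.
    $pdo->exec('CREATE TABLE SR ("DESC" TEXT NOT NULL, ATTACH TEXT NOT NULL)');
    return $pdo;
}

// Insert one row. Values travel as bound parameters, never as SQL text;
// a missing (NULL) field is stored as an empty string, as the question wants.
function insertSr(PDO $pdo, array $post): void
{
    $stmt = $pdo->prepare('INSERT INTO SR ("DESC", ATTACH) VALUES (:descr, :attach)');
    $stmt->execute([
        ':descr'  => $post['txtDesc'] ?? '',
        ':attach' => $post['txtAttach'] ?? '',
    ]);
}

// Constructed sample input: the second row carries a quote and comment marker
// that would end the string literal early in the concatenated version.
$samples = [
    ['txtDesc' => 'printer offline', 'txtAttach' => 'log.txt'],
    ['txtDesc' => "it's broken'); --"],          // txtAttach absent -> ''
];

$pdo = openDemoDb();
foreach ($samples as $post) {
    insertSr($pdo, $post);
}

// Both rows are present and the quoted text was stored as plain data.
foreach ($pdo->query('SELECT "DESC" AS d, ATTACH AS a FROM SR') as $row) {
    printf("DESC=%s | ATTACH=%s\n", var_export($row['d'], true), var_export($row['a'], true));
}
```

Bound parameters cover values only; a column or table name taken from a request, as `$_POST["txtAttach"]` is used in the question, cannot be bound and has to be checked against a fixed list of permitted names instead.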