I have the following fields in a form. The page uses .Net and MS SQL.

<input type="text" name="Title" id="Title" />
<input type="text" name="FirstName" id="FirstName" />
<input type="text" name="LastName" id="LastName" />

I'd like to be able to grab these values and write them into an SQL query further down on the same form...

SELECT LastApp
FROM   kb_xmod_modules
WHERE  infby1 = 'Dr Brian Cox'

In this example, Dr Brian Cox would be replaced by whatever values are entered in Title, FirstName & LastName.

If anyone has any ideas, that would be great...

Thanks

Willb

3 Answers

<form id="myForm">
<input type="text" name="Title" id="Title" />
<input type="text" name="FirstName" id="FirstName" />
<input type="text" name="LastName" id="LastName" />
<input type="submit"/>
</form>

$(function() {
    $('#myForm').submit(function() {
        var query = $(this).serialize();
        $.post("post.php", query);
        return false;
    });
});

Now your post.php page will receive $_POST values like this:

$_POST['FirstName'] . $_POST['LastName'] .  $_POST['Title']

So:

SELECT LastApp
FROM   kb_xmod_modules
WHERE  infby1 = '".mysql_real_escape_string($_POST['FirstName'].' '.$_POST['LastName'])."'
Luca Filosofi

You need to do this for the where clause:

WHERE infby1 = "'" + $('#Title').val() + " " + $('#FirstName').val() + " " + $('#LastName').val() + "'"

Haven't tested it, but that should do the trick.

Elad Lachmi

You should not expose SQL to the client by creating the SQL string with JavaScript or jQuery on the client. This sort of task has to be done server side. An example of SQL injection is if one of your input fields has text like

a';DROP TABLE `kb_xmod_modules`; SELECT * FROM `kb_xmod_modules` WHERE 't' = 't

Escaping ' in your input as '' is one way to avoid SQL injection. Prepared SQL statements are the other solution.

You should specify in what environment you are programming your project. What's your programming language?

bw_üezi
  • Thanks, but I'm not so experienced in SQL - would you be able to explain how I could achieve this within a statement? – Willb Mar 22 '11 at 10:36
  • Essentially I'm on ASP.Net and MS SQL, although things get a little complicated as I'm working with a Forms module for the DotNetNuke framework; however, I seem to be managing to cater for this with my queries (so far!) – Willb Mar 22 '11 at 12:14
  • @Willb can't help with ASP.Net, but you should add this information to your question by editing it, and also retag. – bw_üezi Mar 22 '11 at 14:55
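Added example (not from any of the answers above) of the server-side, parameterised approach the last answer recommends, written in C# for the ASP.NET / MS SQL stack the asker mentions; the connection string, the `ModuleLookup` class name and the column type/length of `infby1` are assumptions:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Linq;

public static class ModuleLookup
{
    // Assumed connection string; in a real DotNetNuke/ASP.NET site it comes from web.config.
    private const string ConnectionString =
        "Server=(local);Database=MyDb;Integrated Security=true";

    // Join Title, FirstName and LastName into the single value stored in infby1
    // (e.g. "Dr Brian Cox"). Done on the server from the posted fields, never in jQuery.
    public static string BuildInfbyValue(string title, string firstName, string lastName)
    {
        var parts = new[] { title, firstName, lastName }
            .Where(p => !string.IsNullOrWhiteSpace(p))
            .Select(p => p.Trim());
        return string.Join(" ", parts);
    }

    // Run the lookup with a parameterised query. The user input is sent as a value,
    // not spliced into the SQL text, so a field containing the payload shown in the
    // answer above is simply compared against infby1 as a string and matches nothing.
    public static string GetLastApp(string title, string firstName, string lastName)
    {
        const string sql = "SELECT LastApp FROM kb_xmod_modules WHERE infby1 = @infby1";

        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // NVarChar(200) is an assumption; match it to the real column definition.
            cmd.Parameters.Add("@infby1", SqlDbType.NVarChar, 200).Value =
                BuildInfbyValue(title, firstName, lastName);
            conn.Open();
            // ExecuteScalar returns the first column of the first row; null if no row
            // matched (or LastApp is NULL, which comes back as DBNull and so as null here).
            return cmd.ExecuteScalar() as string;
        }
    }
}

// In the page's code-behind, pass the posted fields straight through:
//   string lastApp = ModuleLookup.GetLastApp(
//       Request.Form["Title"], Request.Form["FirstName"], Request.Form["LastName"]);
```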