
I have a form with multiple checkboxes where a user selects column names from a view in my database.

The form has an action of 'post'. Once submitted, I want to select the columns they have chosen.

How can I list the POST variables in a comma-separated list and then add them to my select statement?

Something along the lines of:

    foreach($_POST as $key => $value) {  }
Designer
  • What you are trying to do is ***highly insecure*** and not recommended at all! – Qirel May 21 '19 at 20:14
  • 1) `mysql_query()` and its related functions are **very** out of date. 2) read the docs on [PDO](https://www.php.net/manual/en/book.pdo.php) and [Prepared Queries](https://www.php.net/manual/en/pdo.prepare.php) – Nicholas Summers May 21 '19 at 20:17
  • The question is rather *why* you want this - there are probably other, and far better, ways to achieve it. – Qirel May 21 '19 at 20:19
  • Open to suggestions, can I ask why this is so insecure? My aim is to allow users to report on SQL data – Designer May 21 '19 at 20:22
  • On SQL injection: https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php –  May 21 '19 at 20:25
  • At the very least, you have to verify that the name of the column exists, and that it's valid (so you create a whitelist, and use only elements in that list) - in addition to this, you should really stop using technology that has been removed. The `mysql_` library should not be used in new code! – Qirel May 21 '19 at 20:28
  • Put simply, it's very old and not maintained and prone to several issues. Unless you want to open your system to a lot of security issues, you need to look up a recent tutorial on how to use either PDO or MySQLi to query a database; as well as what are some best practices for writing SQL queries in PHP. – Nicholas Summers May 21 '19 at 20:28

0 Answers
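
The allowlist check suggested in the comments, combined with PDO, as an added example that is not part of the original thread. It assumes the checkboxes are named `columns[]`; the view name `report_view`, its column names and the in-memory SQLite database are constructed stand-ins.

```php
<?php
declare(strict_types=1);

// Allowlist: the only column names that may ever appear in the SQL text.
// Hypothetical names for a hypothetical view `report_view`.
const ALLOWED_COLUMNS = ['customer', 'region', 'total'];

/**
 * Reduce submitted checkbox values to allowlisted column names.
 * Returns names in allowlist order; throws if nothing valid remains.
 */
function selectedColumns(mixed $submitted): array
{
    if (!is_array($submitted)) {
        throw new InvalidArgumentException('columns must be an array');
    }
    // Drop non-string values (e.g. nested arrays) before comparing.
    $strings = array_filter($submitted, 'is_string');
    // array_intersect returns entries of ALLOWED_COLUMNS, so the query is
    // assembled from our own constants, never from request bytes.
    $columns = array_values(array_intersect(ALLOWED_COLUMNS, $strings));
    if ($columns === []) {
        throw new InvalidArgumentException('no valid column selected');
    }
    return $columns;
}

function buildSelect(array $columns): string
{
    // Column names cannot be bound as prepared-statement parameters,
    // which is why they are validated against the allowlist instead.
    return 'SELECT ' . implode(', ', $columns) . ' FROM report_view';
}

// Constructed stand-in database: in-memory SQLite (requires pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE orders (customer TEXT, region TEXT, total REAL, secret TEXT)');
$pdo->exec("INSERT INTO orders VALUES ('Acme', 'EU', 120.5, 'internal')");
$pdo->exec('CREATE VIEW report_view AS SELECT customer, region, total FROM orders');

// Constructed sample of what $_POST['columns'] could contain.
$post = ['columns' => ['total', 'customer', 'secret', 'no_such_column']];

$sql = buildSelect(selectedColumns($post['columns'] ?? null));
echo $sql, PHP_EOL;
print_r($pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC));
```

Values the user supplies for filtering (a `WHERE` clause, for instance) would still go through `prepare()` and bound parameters; the allowlist only covers identifiers.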