-1

I'm trying to add results into an HTML dropdown.
The PHP works if I take it outside the HTML form: it shows the results, but I need it inside the form.

<form method="post" action="selldo.php">
<label><br /><br /><br /><br />What slot do you want to Sell?</label>
<select name="pokeSLOT" id="pokeSLOT" style="width:150px;padding-left:5px;">
<option value=""></option>
<?php 
$result = mysql_query("SELECT * FROM user_pokemon 
                       WHERE belongsto='$_SESSION[username]'");

while($row = mysql_fetch_array($result))
{
  echo $row['id'] . " " . $row['pokemon'];
  echo "<br />";
}
?>

</select><br/><br/>
<label>Price You Would Like For The Pokemon?</label>
<input type="int" name="cost" id="cost" maxlength="30"/><br/><br/>
<button name="submit" type="submit" id="Submit_But">Sell</button>
<p>&nbsp;</p><p>&nbsp;</p>
</form>

When I look in the dropdown menu there is nothing, but if I put the SQL outside the form it posts the results to the page, so it works fine. I just need it inside the dropdown in the HTML form.

P.S. I have the connect on top of the page.

Charles

5 Answers

2

You will need to echo out HTML option elements:

while($row = mysql_fetch_array($result)) {
    echo "<option>" . $row['id'] . " " . $row['pokemon'] . "</option>";
}

You will probably want to give the option elements a value so the selected option is passed along properly when the form is submitted.

James Allardice
  • 1
    If you do it this way, you will have problems storing the id of the selected option. If you need to do that, see my answer. – markus Oct 06 '11 at 10:57
  • 1
    @James, what about the XSS security hole? I suggest replacing `$row['pokemon']` with `htmlentities($row['pokemon'])` ditto for `id` (although `intval($row['id'])` may be easier _(provided it's actually an int)_) – Johan Oct 06 '11 at 11:06
1

Did you look at the source this code generates? You will find that your options are all there but just somewhere in the void, not wrapped by any html tags. You'll see something like:

<form>
<select>
<option></option>
your first option
your second option
your third option
your n'th option
</select>
</form>

But what you really need, for the markup to be correct, is this:

<option>your first option</option>
<option>your second option</option>

And so forth... that should be enough for you to get it right! If not...

echo '<option value="' . $row['id'] . '">' . $row['pokemon'] . '</option>';
markus
1

You have an SQL-injection hole and a possible XSS security hole:

Correct this by changing the PHP code to:

<?php  
$username = mysql_real_escape_string($_SESSION['username']);
$result = mysql_query("SELECT * FROM user_pokemon  
                       WHERE belongsto = '$username' "); 

while($row = mysql_fetch_array($result)) 
{ 
  $id = htmlentities($row['id']);
  $pokemon = htmlentities($row['pokemon']);
  // double quotes so $id and $pokemon are interpolated (single quotes would print them literally)
  echo "<option value=\"$id\">$pokemon</option>";
} 
?> 

See: What are the best practices for avoiding xss attacks in a PHP site
And How does the SQL injection from the "Bobby Tables" XKCD comic work?

Johan
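The same dropdown built on the points in this answer, as an added example that is not code from any answer on this page: the username is bound as a prepared-statement parameter (PDO, since the mysql_* extension is removed from current PHP), the output is escaped with htmlspecialchars() and ENT_QUOTES so it is safe inside an attribute, and a posted slot is only re-selected if it belongs to the logged-in user. The $pdo connection details and the user_pokemon(id, pokemon, belongsto) columns are assumptions taken from the question.

```php
<?php
// Added example: PDO prepared statement plus attribute-safe escaping.
// Assumes a started session and the user_pokemon table from the question.
session_start();
$pdo = new PDO('mysql:host=localhost;dbname=game;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Escape for HTML: covers <, >, &, " and ' so a value is safe in an attribute too.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The session username never enters the SQL string; it is bound as a parameter.
$stmt = $pdo->prepare('SELECT id, pokemon FROM user_pokemon WHERE belongsto = :owner');
$stmt->execute([':owner' => $_SESSION['username']]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// Re-select a previously posted slot only if it is one of this user's own rows.
$selected = isset($_POST['pokeSLOT']) ? (int) $_POST['pokeSLOT'] : 0;
$ownedIds = array_map('intval', array_column($rows, 'id'));
if (!in_array($selected, $ownedIds, true)) {
    $selected = 0;
}
?>
<form method="post" action="selldo.php">
<select name="pokeSLOT" id="pokeSLOT" style="width:150px;padding-left:5px;">
<option value=""></option>
<?php foreach ($rows as $row): ?>
<option value="<?= (int) $row['id'] ?>"<?= (int) $row['id'] === $selected ? ' selected' : '' ?>>
  <?= h($row['pokemon']) ?>
</option>
<?php endforeach; ?>
</select>
</form>
```

selldo.php must repeat the ownership check on the posted id, because the option list only constrains what the browser offers, not what it can send.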
0

You're not creating a select! You need the <option></option> tags for that, not just echoing out your results...

<select name="pokeSLOT" id="pokeSLOT" style="width:150px;padding-left:5px;">
<option value=""></option>
<?php 
$username = mysql_real_escape_string($_SESSION['username']);
$result = mysql_query("SELECT * FROM user_pokemon WHERE belongsto='$username'");
while($row = mysql_fetch_array($result)) : ?>
<option value="<?php echo htmlentities($row['id']);?>"><?php echo htmlentities($row['pokemon']);?></option>
<?php endwhile;?>
</select>
Damien Pirsy
-2

This should do the trick:

<select name="pokeSLOT" id="pokeSLOT" style="width:150px;padding-left:5px;">
<?php 
$result = mysql_query("SELECT * FROM user_pokemon WHERE belongsto = '$_SESSION[username]'");
while($row = mysql_fetch_array($result)) {
    // the closing quote, semicolon and brace were missing; use the id as the option value
    echo "<option value=\"" . $row['id'] . "\">" . $row['id'] . " " . $row['pokemon'] . "</option>";
}
?>
</select>
Carlito
  • 1
    -1, you cannot leave SQL-injection in an answer. Because that makes it a dangerous answer, which is worse than something which does not work. – Johan Oct 06 '11 at 11:00
  • @Johan, thanks for pointing that out and providing a better answer which solves it. I'm learning everyday! – Carlito Oct 06 '11 at 11:06