$_POST['myVar'] in where clause

code
$query="select id from myTable1 where title='$_POST('$myVar')' " ;
echo $query;


result
select id from myTable1 where title='Array('title1')'

To put a $_POST variable in the where clause, I don’t know which is correct: the parentheses above or the brackets below?

code
$query="select id from myTable1 where title='$_post['$myVar']' " ;
echo $query;

result
Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING

How can I make the result "select id from myTable1 where title='title1' "?

the square brackets are the correct ones.

you also need to escape the single quotes as someone suggested to you in another thread earlier today or concatenate strings to build the final query (my preference)

 
$query="select id from myTable1 where title='".$_post['$myVar']."' " ;

also '$myVar' would need to be the name of the html form element the data is coming from.

are you sure you don’t mean just 'myVar'?

I have the code above in DBaction3-3.php; it is reached from http://dot.kr/x-test/todbAction3-3.php.
The result of it is "select id from myTable1 where title='' " instead of "select id from myTable1 where title='title1' ".

Firstly, you don’t seem to have any SQL Injection prevention. Using user-submitted values directly in your queries is a big problem.
It should look something like this:


$title = mysql_real_escape_string($_POST['myVar']);
$query = "SELECT id FROM myTable1 WHERE title='$title' ";

Which sort of solves your second problem because referring to $title inside a string is a lot simpler than referring to $_POST['title'].

But, FYI if you ever do need to use an associative array value in a string you have these options:


/* no single quotes required around 'name'
because the string is wrapped in double quotes
and the variable will be parsed */
$myString = "Hello $_POST[name], how are you?";

/* single quotes required when using curly
brackets to isolate the variable */
$myString = "Hello {$_POST['name']}, how are you?";

/* concatenate */
$myString = 'Hello ' . $_POST['name'] . ', how are you?';
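
Added example, not part of the thread: the same lookup written with a PDO prepared statement next to the concatenated form, so the way each one treats a quote character inside `myVar` can be compared. It assumes PDO with an in-memory SQLite database in place of the thread's `mysql_*` connection; the helper names and the sample inputs are constructed for illustration.

```php
<?php
// Constructed in-memory table standing in for myTable1 in the thread's "test" database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE myTable1 (id INTEGER PRIMARY KEY, title TEXT)");
$pdo->exec("INSERT INTO myTable1 (id, title) VALUES (1, 'title1')");
$pdo->exec("INSERT INTO myTable1 (id, title) VALUES (2, 'title2')");

// Hypothetical helper: builds the query by concatenation, as in the thread.
// The submitted text becomes part of the SQL statement itself.
function idsByConcatenation(PDO $pdo, array $post): array
{
    $title = $post['myVar'] ?? '';
    $query = "select id from myTable1 where title='" . $title . "' ";
    return $pdo->query($query)->fetchAll(PDO::FETCH_COLUMN);
}

// Hypothetical helper: the statement text is fixed and the value is bound,
// so the submitted text is only ever compared against the title column.
function idsByPreparedStatement(PDO $pdo, array $post): array
{
    $title = $post['myVar'] ?? '';
    if (!is_string($title)) {
        return []; // a field named "myVar[]" would arrive as an array
    }
    $stmt = $pdo->prepare('SELECT id FROM myTable1 WHERE title = :title');
    $stmt->execute([':title' => $title]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed stand-ins for $_POST: the form's default value, and a value
// that contains single quotes.
$normal = ['myVar' => 'title1'];
$quoted = ['myVar' => "x' OR '1'='1"];

foreach (['normal' => $normal, 'quoted' => $quoted] as $label => $post) {
    echo $label, " / concatenation: ";
    var_dump(idsByConcatenation($pdo, $post));
    echo $label, " / prepared statement: ";
    var_dump(idsByPreparedStatement($pdo, $post));
}
```

With the quoted input the concatenated query matches every row in the table, while the prepared statement matches none, because no title equals that literal string.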

that means either $_post['$myVar'] is not set or = an empty string.

the next debugging step is to find where $_post['$myVar'] is actually assigned a value.

what is $myVar and where is it created?

is it the name of a html form element?

hint: from your posted link code

 
<FORM ACTION="DBaction3-3.php" method="post">
<input type="text" name="myVar" value="title1">
<input type="submit">
</form>

Off Topic:

you make a very valid point, but I get the impression the OP’s situation is just a learning exercise and not a real life application.

He probably needs to stick to the KISS principle atm until he can at least successfully pass form data to a script.

Thank you for making me consider that.
I’ll make the injection prevention after I can do selecting, updating, inserting, etc.

another hint from earlier

also '$myVar' would need to be the name of the html form element the data is coming from.

are you sure you don’t mean just 'myVar'?

The link above " http://dot.kr/x-test/todbAction3-3.php " has the code below.

<!doctype html>
<html> 
  <head>
    <meta charset="UTF-8">
    <title>dbAction3-3</title>
  </head>
<body>
<FORM ACTION="DBaction3-3.php" method="post">
<input type="text" name="myVar" value="title1">
<input type="submit">
</form>
</body>
</html>

The result says "select id from myTable1 where title='' " instead of "select id from myTable1 where title='title1' "

I don’t know what’s wrong with it.

dbAction3-3

<!doctype html>
<html> 
  <head>
    <meta charset="UTF-8">
    <title>dbAction3-3</title>
  </head>

<body>
<?php
$con = mysql_connect("localhost","*******","*******");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("test", $con);
mysql_query("SET NAMES utf8");
$query="select id from myTable1 where title='".$_post['$myVar']."' " ;
echo $query;

mysql_close($con);
?>

</body>
</html>

And I have myTable1 in “test” like the following.

data in myTable1
(id) title
 1   title1
 2   title2

I have virtually told you the answer to your problem with

also '$myVar' would need to be the name of the html form element the data is coming from.

are you sure you don’t mean just 'myVar'?

let me put it another way.

  1. look at the name of your textbox in your html form and the name of the key in $_post['$myVar']

  2. the name of the textbox and the name of the $_POST key must be the same

dotJoon you don’t need $_post['$myVar']
$_POST should be capitalized and the array key is myVar NOT $myVar.
The name of the form field is myVar, so that is the key it will have in $_POST.

You can check the structure of your POST array by doing:


var_dump($_POST);

<!doctype html>
<html> 
  <head>
    <meta charset="UTF-8">
    <title>dbAction3-3</title>
  </head>
<body>
<FORM ACTION="DBaction3-3.php" method="post">
<input type="text" name="myVar" value="title1">
<input type="submit">
</form>
</body>
</html>

I have to go shortly, so I’ll just give you the answer.

$query="select id from myTable1 where title='".$_POST['myVar']."' " ;

I changed it like the following.
You can reach the page below from http://dot.kr/x-test/toDBaction3-4.php .

<!doctype html>
<html> 
  <head>
    <meta charset="UTF-8">
    <title>dbAction3-4</title>
  </head>
<body>
<?php
$con = mysql_connect("localhost","*******","********");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
mysql_select_db("test", $con);
mysql_query("SET NAMES utf8");
$query="select id from myTable1 where title='".$_POST['$myVar']."' " ;
echo $query;
mysql_close($con);
?>
</body>
</html>

dotJoon, you still have a dollar sign in front of $myVar near where you have highlighted POST in red. You even quoted my post where I said not to use $myVar.
Like Kalon and I said, you need to remove that dollar sign. You’re referring to an array key, not a variable.

See you later. have a good day/night.

I did it in http://dot.kr/x-test/todbAction3-5.php. I guess I got the result I wanted with your help.

it doesn’t matter if you use 'myVar' or '$myVar' as long as they are the same in both the textbox name and the $_POST key.