|insert data in mysql|
| 7:47 am on Dec 3, 2010 (gmt 0)|
|Here's a basic rundown of my code: |
<form action="http://www.test.com/insert-data.php" method="post">
<select onchange="house(form)" name="houses">
<option selected="selected" value="100000">House 1</option>
<option value="80000">House 2</option>
<option value="300000">House 3</option>
</select>
<input name="cost" type="text" class="textbox"/>
<input name="submit" type="submit" value="Submit" />
</form>
|In essence, what this code does is it creates a table with a dropdown menu of 3 houses, each one with a different value. |
Now I am using this PHP code to store the values in a MySQL database.
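// Connect and select the database
mysql_connect("localhost", "user", "pass") or die(mysql_error());
mysql_select_db("data1") or die(mysql_error());
// The posted value is interpolated into the SQL string exactly as received
$houses = $_POST["houses"];
mysql_query("INSERT INTO test(houses) values('$houses') ");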
Thanks for your help
|Now what I would like to do is to store both the value and the name of the selection made by the user. For example, if the user selects the first option, the data stored in the database is only 100000. How can I modify my PHP or the HTML code from the form to be able to insert the 100000 and also House 1 into the database? I need both values to be passed on to my database. |
| 5:25 pm on Dec 3, 2010 (gmt 0)|
One way would be to change the value from "100000" to "100000,House 1" then parse out the values before inserting into the DB.
| 6:40 pm on Dec 3, 2010 (gmt 0)|
Make sure you clean up the post value to check for SQL injection. It would be very easy to use Mozilla's Firebug to cut off your insert statement and drop your table.
| 11:27 pm on Dec 3, 2010 (gmt 0)|
| 11:32 pm on Dec 3, 2010 (gmt 0)|
Then you can either:
| 1:08 am on Dec 4, 2010 (gmt 0)|
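// The option value looks like "100000,House 1"
var obj = form.ac.options[form.ac.selectedIndex].value;
var objects = obj.split(',');
// The first element is the number; parse it as base 10
var ac = parseInt(objects[0], 10);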
I'd use something besides a comma, but if you reliably have no commas in your numbers . . . should work.
| 4:50 am on Dec 4, 2010 (gmt 0)|
If you're unfamiliar with the term "SQL injection", read StoutFiles's post 5 times, then do a web search on "SQL injection".
If your versions of PHP and MySQL are high enough to support it, have a look at the object-oriented methods of PHP's "mysqli" extension and its "prepared statements" methods (instead of using the PHP "mysql" extension). Study and use their example code (such as at [us2.php.net...] ) to create the methods you can use from now on for your PHP/MySQL coding. If you create safe and reliable procedures now and make them a habit, you'll save having to run through your site correcting poor coding after having your site get hacked.
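An added example, not code from any post in this thread: one way to store both the price and the name with a mysqli prepared statement, where the server looks the name up from the posted price instead of trusting text sent by the browser. It assumes PHP 7.1 or later and a hypothetical `house_name` column next to the thread's `houses` column; the function names `resolve_house` and `insert_house` are made up for illustration.

```php
<?php
// Added example. Assumption: table `test` has the thread's `houses` column
// (the price) plus a hypothetical `house_name` column for the label.

// The server owns the price -> name mapping; the form only sends the price.
const HOUSES = [
    '100000' => 'House 1',
    '80000'  => 'House 2',
    '300000' => 'House 3',
];

// Return [price, name] for a posted value, or null when it is not one of the
// options the form offers (tampered, missing, or an array instead of a string).
function resolve_house($posted): ?array
{
    if (!is_string($posted) || !array_key_exists($posted, HOUSES)) {
        return null;
    }
    return [(int) $posted, HOUSES[$posted]];
}

function insert_house(mysqli $db, int $price, string $name): void
{
    // Placeholders keep the data out of the SQL text entirely.
    $stmt = $db->prepare('INSERT INTO test (houses, house_name) VALUES (?, ?)');
    $stmt->bind_param('is', $price, $name); // i = integer, s = string
    $stmt->execute();
    $stmt->close();
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $house = resolve_house($_POST['houses'] ?? null);
    if ($house === null) {
        http_response_code(400);
        exit('Unknown house selection');
    }
    // Make mysqli throw exceptions instead of failing silently.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli('localhost', 'user', 'pass', 'data1');
    $db->set_charset('utf8mb4');
    insert_house($db, $house[0], $house[1]);
    echo 'Saved';
}
```

With the lookup done on the server, the form can keep its plain numeric option values, and a request edited in the browser can only ever select one of the three known rows.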