PHP & Form Posting Problems

I don't know how to assign these posts the correct values

shimeal

12:24 am on Mar 23, 2004 (gmt 0)

10+ Year Member



Hey Everyone,

I am new to Webmaster World so take it easy on me if my question strikes any of you as extremely lame/dumb. The script below is off a test page but it demonstrates my problem...

<body>
<?php echo $_POST['cartridge_model1'];?>
</body>
</html>

The posts are coming thru fine from the previous form page, however, I want to modify the information in the following way: Cartridgebrand1 is a field that has a unique name in it that is identifiable in my database table and, because of this fact, it has a corresponding price (i.e. cartridgebrand1 has been selected and passed by the user and corresponds to a Hewlett Packard 27X cartridge which is part of the same row as unique_id=10 and cartridge_price=$100.00). I want to display the cartridge_price of $100.00 rather than the 27X on this page. Any idea what type of code I need to set this $POST to query the database for the corresponding price, pull up the price, and display this price instead of the 27X? Thanks!

Birdman

12:47 am on Mar 23, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Welcome to Webmaster World, shimeal!

First, you have to connect and select the database:

mysql_connect() [php.net];
mysql_select_db() [php.net];

Then, query the db:
$query = "SELECT price FROM tablename WHERE cartridge_model1 = '".$_POST['cartridge_model']."'";
$result = mysql_query() [php.net];

Then you can get the value using:
mysql_result() [php.net];

Use the links above as references and check out this mySQL tutorial [mysql.com] as well.

Birdman

shimeal

2:16 am on Mar 23, 2004 (gmt 0)

10+ Year Member



Birdman,

Thank you for the quick response! I am still confused, however, so I am going to post my code and see if an obvious problem exists (note: I am using DWMX). Here it is:

<?php require_once('Connections/C4C_USA_Jan_1_2004.php');?>
<?php
mysql_select_db($database_C4C_USA_Jan_1_2004, $C4C_USA_Jan_1_2004);
$query_check_test = "SELECT * FROM cartridge_price";
$check_test = mysql_query($query_check_test, $C4C_USA_Jan_1_2004) or die(mysql_error());
$row_check_test = mysql_fetch_assoc($check_test);
$totalRows_check_test = mysql_num_rows($check_test);
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
<?php echo $_POST['cartridge_brand1'];?>
<?php echo $_POST['cartridge_number1'];?>
<?php
$query = "SELECT price_number FROM cartridge_price WHERE name_number = '".$_POST['cartridge_price1']."'";
$result = mysql_query();
echo mysql_result[$price_number, ''];
?>
<?php echo $_POST['quantity1'];?>
</body>
</html>
<?php
mysql_free_result($check_test);
?>

Any help would be appreciated. In order to clarify the above code, let me point this out: I have 1 form on the previous page with 50 different text boxes and/or list/menus that all feed into this check_test.php. Check_test.php has to be able to take all of these different posts and convert some of these posts into their corresponding db values via queries and results. Any further help would be greatly appreciated...Thanks!

Birdman

2:26 am on Mar 23, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Sorry, I should have been more clear. You were on the right track though.

make this change:

$result = mysql_query($query);
echo mysql_result($price_number, 0);

shimeal

6:23 am on Mar 23, 2004 (gmt 0)

10+ Year Member



Birdman (or anyone else who might come across this),

I am picking up the following error message after your recommended changes.

Warning: mysql_result(): supplied argument is not a valid MySQL result resource in c:\phpdev\www\c4c_usa_jan_1_2004\check_test.php on line 22

I am sorry that I keep asking you to hold my hand thru this! The rest of my code is posted below:

<?php require_once('Connections/C4C_USA_Jan_1_2004.php');?>
<?php
mysql_select_db($database_C4C_USA_Jan_1_2004, $C4C_USA_Jan_1_2004);
$query_check_test = "SELECT * FROM cartridge_price";
$check_test = mysql_query($query_check_test, $C4C_USA_Jan_1_2004) or die(mysql_error());
$row_check_test = mysql_fetch_assoc($check_test);
$totalRows_check_test = mysql_num_rows($check_test);
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
<?php echo $_POST['cartridge_brand1'];?>
<?php echo $_POST['cartridge_number1'];?>
<?php
$query = "SELECT price_number FROM cartridge_price WHERE name_number = '".$_POST['cartridge_price1']."'";
$result = mysql_query($query);
echo mysql_result($price_number, 0);
?>
<?php echo $_POST['quantity1'];?>
</body>
</html>
<?php
mysql_free_result($check_test);
?>

Line 22 is echo mysql_result($price_number, 0);

Any help you can supply is greatly appreciated. Thanks!

Timotheos

6:38 am on Mar 23, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Try this...
echo mysql_result($result, 0);

shimeal

1:57 am on Mar 24, 2004 (gmt 0)

10+ Year Member



Fantastic! That did the trick!

Nova Reticulis

4:28 pm on Mar 24, 2004 (gmt 0)

10+ Year Member



Hi shimeal,

I suspect there are two more grave problems with your design and implementation.

First, I can't be certain about your database structure without seeing the layouts, but the way you obtain the data doesn't make a whole lot of sense to me. Maybe it's just me but maybe it's a wrongly designed database. Not sure really.

Your other sin is importing an untrusted value directly into the database query. You don't in any way check or quote the value. This allows a malicious attacker to do pretty much whatever the hell they please with your database.

shimeal

6:56 pm on Mar 24, 2004 (gmt 0)

10+ Year Member



"Your other sin is importing an untrusted value directly into the database query. You don't in any way check or quote the value."

How would I check or quote the value?

Nova Reticulis

11:49 am on Mar 25, 2004 (gmt 0)

10+ Year Member



You must make sure that the value of the variable is within acceptable bounds. Generally speaking, you make a simple check on the variable. For instance, if the variable is a key number for a product entry in the database, you know that the variable should be integer, non-empty and more than 0. Consequently,

$variable = trim($_POST['variable']);
// is_integer() is always false for a form string, so test the digits instead
if ($variable !== '' && ctype_digit($variable) && (int) $variable > 0)
{ /* ... SQL .... */ }
else
{ /* ... Error .... */ }

This check is a simple case, but when you don't have a simple way to define a constraint on input and need to "just" put the value in the database, or don't have an error handler handy, you will need quoting.

Quoting is trickier, because it's often database specific. Generally speaking, an SQL injection attack goes as follows:

You have a statement in your code like this:

$res = mysql_query ("select * from widgets where widget_type='$_POST['widgettype']");

An attacker calls your page, placing the following in $_POST[widgettype]:

' or ''='

So your SQL calculates to the following:

select * from widgets where widget_type='' or ''=''

Now the attacker can view all your widgets, as your query would return them all. Or, imagine what happens if, say, the code that the attacker injects looks like

'; DELETE from widgets; select '

This problem exists because you are not quoting (or "escaping") the input; that is, you are allowing the variable to break out of bounds of where it's meant to be (between single quotes). I deliberately wrote the code above so that it won't work out of the box, but now that you get the idea, you should look at addslashes(), preg_replace() and other functions that can help you assure that the variable is in a certain definite shape.
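The price lookup shimeal was building, rewritten the way Nova Reticulis's last two posts suggest: the posted value is validated against an allow-list and then bound as a parameter instead of being concatenated into the statement. This is an added example, not code from the thread; it assumes PHP with PDO and the pdo_sqlite driver, and constructs an in-memory table using shimeal's column names (`cartridge_price`, `name_number`, `price_number`) so it runs offline.

```php
<?php
// Added example (not from the thread): safe version of the check_test.php
// price lookup, exercised against the injection string quoted above.
// The database, table and row below are constructed for the demonstration.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE cartridge_price (unique_id INTEGER PRIMARY KEY,
                                          name_number TEXT, price_number REAL)');
$db->exec("INSERT INTO cartridge_price VALUES (10, '27X', 100.00)");

/**
 * Look up a cartridge price for a value taken from $_POST.
 * Returns null when the input fails validation or matches no row.
 */
function lookupPrice(PDO $db, string $posted): ?float
{
    $name = trim($posted);
    // Allow-list the shape of a model number (letters, digits, dash; 1-20
    // chars) before it gets near SQL; anything else is rejected, not escaped.
    if (!preg_match('/^[A-Za-z0-9-]{1,20}$/', $name)) {
        return null;
    }
    // The value is bound, never concatenated, so a quote inside it cannot
    // change the structure of the statement.
    $stmt = $db->prepare(
        'SELECT price_number FROM cartridge_price WHERE name_number = :name'
    );
    $stmt->execute([':name' => $name]);
    $price = $stmt->fetchColumn();
    return $price === false ? null : (float) $price;
}

// Constructed inputs: a normal submission, then the payload from the thread.
var_dump(lookupPrice($db, '27X'));
var_dump(lookupPrice($db, "' or ''='"));
```

With the allow-list removed, the bound parameter would still only be compared as the literal string `' or ''='` and match no row, which is the property the `mysql_query("... '$_POST[...]'")` pattern lacks.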