Passing a variable from a form to a MySql query

Forum Moderators: coopster

Message Too Old, No Replies

Passing a variable from a form to a MySql query

It's got to be something simple (I hope)

melinda64

9:42 am on Jun 14, 2007 (gmt 0)

I have a form set up with a dropdown list of values for a field "manufacturer" in my database
I can pass the variable to my php script. I know this because I use:

$manufacturer = $_POST['manufacturer'];

echo "<h1> Query result for manufacturer = ","$manufacturer", "</h1>";

And the page prints the appropriate value chosen from the form.

I'm trying to use the $manufacturer variable in a mysql query to select records which match.

My mysql query works when I use the following code:

$result = mysql_query("SELECT * FROM serialtest WHERE manufacturer = 'Yamaha'") or die(mysql_error());

but not when I add the $_POST[manufacturer] value in place of 'Yamaha'

The error I get is: "Unknown column 'Yamaha' in 'where clause'"
Is it my syntax?

Many thanks for any help you can give.

Mark

Habtom

10:34 am on Jun 14, 2007 (gmt 0)

Hi Mark,

Welcome to Webmasterworld.

I)
Try putting it this way:

$result = mysql_query("SELECT * FROM serialtest WHERE manufacturer = '". $_POST[manufacturer] ."'") or die(mysql_error());

II)
Number I should work, but I could have done the security check as well at this stage:

$manufacturer_cleaned = strip_tags($_POST[manufacturer]);
and the related functions.
$result = mysql_query("SELECT * FROM serialtest WHERE manufacturer = '$manufacturer_cleaned'") or die(mysql_error());

III)
Something not related to that question,
As a performance tip, unless you need to use all the fields in that table it is always good to mention the field names, like:

SELECT field1, field2 FROM table1

Habtom