Insert Query Problem

Forum Moderators: coopster

Message Too Old, No Replies

Insert Query Problem

How do I insert an extra field

ecnaralc

9:34 am on Apr 29, 2009 (gmt 0)

My question is:
I am using a select query to get some data in an option box.
I want to be able to copy over to the main database another field as well as the ID.
The name shows on the data entry webpage.
When the new data is saved, it carries the ID field over to the main database.
Can anyone tell me how to get the name to copy over to the main database using
the code below.. please.
Wayne

<select name="section" id="section">
<option value="0">Select Section</option>
<?PHP // Generate a drop-down list of sections.

$result = $connector->query('SELECT ID,name FROM cmssections ORDER BY name');

// Get an array containing the results.
// Loop for each item in that array
while ($row = $connector->fetchArray($result)){
echo '<option value="'.$row['ID'].'">'.$row['name'].'</option>';
}
?>
</select>

insert query is : $query = "INSERT INTO articles (title, content, tagline, section, timestamp, updated) VALUES ('$title', '$content', '$tagline', '$section', NOW(), NOW())";

punisa

10:05 am on Apr 29, 2009 (gmt 0)

You mean you want to insert $row['name'] into DB once the user selects it in the drop-down list?
You should wrap your select in form tag and have produced GET or POST for DB entry.

If this is indeed what you are looking for, I can write you a simple code for it.
Maybe it would help if you post your entire code..

ecnaralc

10:39 am on Apr 29, 2009 (gmt 0)

Hi!
I want to post the "name" as well as the "id" in the select section at the bottom of the code.. hope this is more clearer.. I would like to stay with this code if possible, as it seems to have some security
Wayne
<?php include('../includes/connector.php');?>
<?php

$connector = new DbConnector();
if(isset($_POST['save']))
{
$title = $_POST['title'];
$tagline = $_POST['tagline'];
$section = $_POST['section'];
$content = $_POST['content'];
$updated = $_POST['updated'];

if(!get_magic_quotes_gpc())
{
$title = addslashes($title);
$tagline = addslashes($tagline);
$section = addslashes($section);
$content = addslashes($content);
$updated = addslashes($updated);
}

$query = "INSERT INTO articles (title, content, tagline, section, timestamp, updated) VALUES ('$title', '$content', '$tagline', '$section', NOW(), NOW())";
mysql_query($query) or die('Error ,query failed');

echo "Article '$title' added";
}
?>
<form method="post">
<table width="700" border="0" cellpadding="2" cellspacing="1" class="box" align="center">
<tr>
<td width="100">Title</td>
<td><input size="50" maxlength="60" name="title" type="text" class="box" id="title"></td>
</tr>

<tr>
<td width="100">Tagline</td>
<td><input size="50" maxlength="250" name="tagline" type="text" class="box" id="tagline"></td>
</tr>

<tr>
<td width="100">Section</td>
<td><select name="section" id="section">
<option value="0">Select Section</option>
<?PHP
// Generate a drop-down list of sections.
$result = $connector->query('SELECT ID,name FROM cmssections ORDER BY name');

// Get an array containing the results.
// Loop for each item in that array
while ($row = $connector->fetchArray($result)){
echo '<option value="'.$row['ID'].'">'.$row['name'].'</option>';
}
?>
</select>
<td width="100">Content</td>
<td><textarea name="content" cols="115" rows="35" class="box" id="content"></textarea></td>
</tr>
<tr>
<td width="100"> </td>
<td> </td>
</tr>
<tr>
<td colspan="2" align="center"><input name="save" type="submit" class="box" id="save" value="Save Article"></td>
</tr>
</table>
</form>

punisa

2:26 pm on Apr 29, 2009 (gmt 0)

Hello friend, thanks for posting code, it's much easier too see stuff then :)

Usually POST will just get the value from your selected item, I don't know a way to get the name out. At least not in some conventional way, perhaps there is a better solution, but here is my reccomendation:


<?php include('../includes/connector.php');?>
<?php
$connector = new DbConnector();
if(isset($_POST['save']))
{
$title = $_POST['title'];
$tagline = $_POST['tagline'];
// HERE we have two new variables now that show id and name, you can try and echo them out to see if all is ok
// Of course, you would change the code down in $query from $section to $section_id and add one for $section_name[1][b]
$section_parts = explode("ttt11ttt",$_POST['section']);
$section_id = $section_parts[0];
$section_name = $section_parts[1];[/b][/1]
$section = $_POST['section'];
$content = $_POST['content'];
$updated = $_POST['updated'];
if(!get_magic_quotes_gpc())
{
$title = addslashes($title);
$tagline = addslashes($tagline);
$section = addslashes($section);
$content = addslashes($content);
$updated = addslashes($updated);
}
$query = "INSERT INTO articles (title, content, tagline, section, timestamp, updated) VALUES ('$title', '$content', '$tagline', '$section', NOW(), NOW())";
mysql_query($query) or die('Error ,query failed');
echo "Article '$title' added";
}
?>
<form method="post">
<table width="700" border="0" cellpadding="2" cellspacing="1" class="box" align="center">
<tr>
<td width="100">Title</td>
<td><input size="50" maxlength="60" name="title" type="text" class="box" id="title"></td>
</tr>
<tr>
<td width="100">Tagline</td>
<td><input size="50" maxlength="250" name="tagline" type="text" class="box" id="tagline"></td>
</tr>
<tr>
<td width="100">Section</td>
<td><select name="section" id="section">
<option value="0">Select Section</option>
<?PHP
// Generate a drop-down list of sections.
$result = $connector->query('SELECT ID,name FROM cmssections ORDER BY name');
// Get an array containing the results.
// Loop for each item in that array
while ($row = $connector->fetchArray($result)){
echo '<option value="'. [1][b]$row['ID'].'ttt11ttt'.$row['name'][/b] [/1].'">'.$row['name'].'</option>';
}
?>
</select>
<td width="100">Content</td>
<td><textarea name="content" cols="115" rows="35" class="box" id="content"></textarea></td>
</tr>
<tr>
<td width="100">&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td colspan="2" align="center"><input name="save" type="submit" class="box" id="save" value="Save Article"></td>
</tr>
</table>
</form>

- the "ttt11ttt" is just a random separation string used to divide the id and name part, after post id being made it gets separated and ready for use.
- do test the code before using it, as I can't test it from here (I'm at work)
-you need to change the
$query = "INSERT INTO articles (title, content, tagline, section, timestamp, updated) VALUES ('$title', '$content', '$tagline', '$section', NOW(), NOW())";
part, because $section has now became $section_id, I didn't wanna mess with your code, I'll leave you to that :)

-a friendly suggestion: I'd use mysql_real_escape_string() instead of addslashes(), from my personal experience I believe it is much more secure : D
- CSS is the word : D

Hope all works out fine !

ecnaralc

12:54 am on Apr 30, 2009 (gmt 0)

G'day mate.
Thanks punisa for your help, it all seems to be working fine, I had to make a couple of changes as you indicated.
Regards
Wayne

ecnaralc

1:29 am on Apr 30, 2009 (gmt 0)

Hello punisa..
Just a question on "addslashes()" - you recommend using mysql_real_escape_string() - I have changed to this.

Can you tell me the code to use for stripslashes() - is it the same code for "addslashes()"..
Regards
Wayne

punisa

10:56 am on Apr 30, 2009 (gmt 0)

Hi, glad that code worked for you : )
I don't use addslashes and stripslashes really, so your best bet is to test it yourself :)
As for "mysql_real_escape_string()", its a good practise to run all data that you insert into DB through that code.

It's a protection against security issues and vulnerabilities, if you insert data as it is, without checking it before by using mysql_real_escape_string() or other methods you expose yourself to dangerous hackings like "sql injection". In simple terms, a hacker can use your unsecured forms and delete your whole database, it happened to many people, so better be safe then sorry !