dynamical POST value


martinpalkovic

3:28 pm on Aug 19, 2011 (gmt 0)

10+ Year Member



Hi,

I have a little problem. I have a form:
<input name="0" type="text" value="1">
<input name="1" type="text" value="2">
<input name="2" type="text" value="3">


Then I should save the values from the inputs to MySQL.

Code from php:
$value = $_POST["".$i.""];

$prikaz = "INSERT INTO cennik_moduly (limit,id_modulu,variant) VALUES ('$value','$id_moduly','$_POST[id]')";
$resultx = mysql_query($prikaz) or die (mysql_error());



You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'limit,id_modulu,variant) VALUES ('1','1','')' at line 1

MySQL shows the value and cannot save to the database. If I delete the row limit value from the code, the script is OK.

Can you help me? Thank you :-)

rocknbil

5:48 pm on Aug 19, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Welcome aboard martinpalkovic . . .

Limit is a reserved word in mysql and is used as such:

select title from table limit 12;

You **should** avoid these and other reserved words as column names but never fear - enter the backtick (not QUOTE, backtick) and all should be well.

$prikaz = "INSERT INTO `cennik_moduly` (`limit`,`id_modulu`,`variant`) VALUES ('$value','$id_moduly','$_POST[id]')";

The other problem is the array reference inside double quotes. It will always be empty like that. Look at the error statement: See how "_POST['id']" is empty?

use near 'limit,id_modulu,variant) VALUES ('1','1','')' at line 1


You have to concatenate to get the value:

$prikaz = "INSERT INTO `cennik_moduly` (`limit`,`id_modulu`,`variant`) VALUES ('$value','$id_moduly','" . $_POST['id'] . "')";

You also should learn to cleanse/check data before input. Using direct input in your database leaves it open for injection. One simple solution in this case, assuming id is numeric,

if (isset($_POST['id']) and is_numeric($_POST['id']) and ($_POST['id'] > 0)) {
// Do your code here
}
else {
die("Invalid ID has been passed to the script");
}
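
The advice in the reply above (backticks around the reserved word, checking the id, keeping direct input out of the query), as an added example that is not part of the original posts. It swaps the thread's mysql_query() string building for a PDO prepared statement; the function name save_limits(), the field count and the in-memory SQLite handle (a stand-in so the script runs without a MySQL server) are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. save_limits() is a hypothetical helper.
// Against MySQL, pass a PDO handle opened with a mysql: DSN instead of SQLite.

function save_limits(PDO $db, array $post, int $idModuly, int $fieldCount): int
{
    // Accept the id only if it is a positive integer.
    $variant = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                          ['options' => ['min_range' => 1]]);
    if ($variant === false) {
        throw new InvalidArgumentException('Invalid ID has been passed to the script');
    }

    // Backticks quote the reserved word `limit`; placeholders keep data out of the SQL text.
    $stmt = $db->prepare(
        'INSERT INTO `cennik_moduly` (`limit`, `id_modulu`, `variant`) VALUES (?, ?, ?)'
    );

    $saved = 0;
    for ($i = 0; $i < $fieldCount; $i++) {
        if (!isset($post[$i]) || !is_string($post[$i])) {
            continue; // field missing, or submitted as an array
        }
        $stmt->execute([$post[$i], $idModuly, $variant]);
        $saved++;
    }
    return $saved;
}

// Constructed sample data standing in for $_POST (numeric field names as in the form).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE `cennik_moduly` (`limit` TEXT, `id_modulu` INTEGER, `variant` INTEGER)');

$post = ['0' => '1', '1' => "it's 2", '2' => '3', 'id' => '7'];
echo save_limits($db, $post, 1, 3), " rows saved\n";

// The value containing a quote is stored as plain data; it never becomes SQL.
foreach ($db->query('SELECT `limit`, `variant` FROM `cennik_moduly`') as $row) {
    echo $row['limit'], ' | ', $row['variant'], "\n";
}

try {
    save_limits($db, ['0' => '1', 'id' => '7abc'], 1, 3); // non-integer id
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```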

penders

11:11 pm on Aug 19, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



$value = $_POST["".$i.""];


Why the string concatenation? It looks like you are doing some implicit type conversion? However, this is unnecessary IMO, just use $_POST[$i]. Even though $i might be an integer and your array indices are strings, PHP will handle the type conversion OK. HOWEVER, '0', '1' and '2' are not valid NAME attribute values. They should at least begin with a letter. 6.2 SGML basic types - ID and NAME [w3.org]


rocknbil:
$prikaz = "INSERT INTO `cennik_moduly` (`limit`,`id_modulu`,`variant`) VALUES ('$value','$id_moduly','$_POST[id]')";


The other problem is the array reference inside double quotes. It will always be empty like that.


Actually, this syntax looks OK to me. Providing $_POST['id'] does indeed have a value. However, for the security issue mentioned, whether you should do this or not is another matter.

$value = 'ONE'; 
$id_moduly = 'TWO';
$_POST['id'] = 'THREE'; // 'id' (array index) must be quoted here
// 'id' (array index) must not be quoted whilst variable parsing using simple syntax
$prikaz = "INSERT INTO `cennik_moduly` (`limit`,`id_modulu`,`variant`)
VALUES ('$value','$id_moduly','$_POST[id]')";
echo $prikaz;


Outputs:
INSERT INTO `cennik_moduly` (`limit`,`id_modulu`,`variant`) VALUES ('ONE','TWO','THREE')

rocknbil

4:20 pm on Aug 22, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Ah . . so used to seeing this

$_POST['id']

which would not work, but this

$_POST[id]

will.