jjacquay712 Posted June 6, 2008

I am having trouble getting a user-entered variable into a query. Here is my code:

```php
mysql_query("CREATE TABLE " . $_POST['name'] . " (" . $_POST['email'] . " varchar)") or die("Could not Create Table");
```

It always prints the error message "Could not Create Table". Any suggestions in the syntax for entering user variables?

Thanks for the help,
John

DarkWater Posted June 6, 2008

Change the die clause to:

```php
die(mysql_error())
```

so you can see what's going on.

jjacquay712 (Author) Posted June 6, 2008

It gives me this error message:

```
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 1
```

discomatt Posted June 6, 2008

Well, you want to match a very strict set of values... so using a regex like

```php
if ( preg_match( '/[^\w-]/', $_POST['name'] ) || preg_match( '/[^\w@.-]/', $_POST['email'] ) )
    # Found something that wasn't a letter, number, underscore or dash! ( @ and . allowed in email )
    exit( 'Invalid characters used' );
```

Second, varchar must have a length, I believe

```php
# Assuming it passes the regex above
$q = <<<QDOC
CREATE TABLE `{$_POST['name']}` (
  `{$_POST['email']}` VARCHAR( 255 )
)
QDOC;
mysql_query($q);
```

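An added example, not code from the thread: table and column names cannot be bound as query parameters, so names taken from user input are checked against an anchored allowlist before being backtick-quoted. The function names and sample inputs are constructed for illustration; the check also rejects empty and over-long names, which goes slightly beyond the regex posted above.

```php
<?php
// Added example: allowlist validation for SQL identifiers taken from user input.
// quote_identifier() and build_create_table() are hypothetical helper names.

const MAX_IDENT_LEN = 64; // MySQL's length limit for table and column names

// Return $name wrapped in backticks, or throw if it is not a plain identifier.
// $extra lists additional literal characters to allow (e.g. '@.' for the
// e-mail-style column name used in the thread).
function quote_identifier(string $name, string $extra = ''): string
{
    $class = 'A-Za-z0-9_' . preg_quote($extra, '/') . '-';
    // \A and \z anchor the whole string; unlike $, \z refuses a trailing newline.
    $pattern = '/\A[' . $class . ']{1,' . MAX_IDENT_LEN . '}\z/';
    if (preg_match($pattern, $name) !== 1) {
        throw new InvalidArgumentException('Invalid identifier');
    }
    return '`' . $name . '`';
}

// Build the statement only from identifiers that passed the allowlist.
function build_create_table(string $table, string $column): string
{
    return sprintf(
        'CREATE TABLE %s (%s VARCHAR(255))',
        quote_identifier($table),
        quote_identifier($column, '@.')
    );
}

// Constructed inputs: one valid pair, then values the allowlist must refuse.
$samples = [
    ['contacts', 'john@example.com'],
    ['', 'john@example.com'],            // empty table name
    ["contacts\n", 'john@example.com'],  // trailing newline
    ['con`tacts', 'john@example.com'],   // backtick would end the quoting
    ['contacts', 'john smith)'],         // space and parenthesis in the column
    [str_repeat('a', 65), 'a@b.c'],      // longer than MAX_IDENT_LEN
];

foreach ($samples as [$table, $column]) {
    try {
        echo build_create_table($table, $column), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode([$table, $column]), PHP_EOL;
    }
}
```
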
jjacquay712 (Author) Posted June 6, 2008

I'm not worried about someone hacking it, I just need to figure out how to get that variable into the query. I'll try using a value for varchar.

Psycho Posted June 6, 2008

> Change the die clause to: die(mysql_error()) so you can see what's going on.

Better yet, create your query as a string so you can echo it to the page when there is an error:

```php
<?php
$query = "CREATE TABLE " . $_POST['name'] . " (" . $_POST['email'] . " varchar)";
mysql_query($query) or die("Could not Create Table<br>Query: $query<br>Error: ".mysql_error());
?>
```

jjacquay712 (Author) Posted June 6, 2008

Good thinking, I'll try that.

discomatt Posted June 6, 2008

Read my second example. The answer is there.

jjacquay712 (Author) Posted June 6, 2008

> Read my second example. The answer is there.

OK thanks, I'll check it out.