
Putting variable into table's name??? Please take a look.



I have a dropdown menu

 

<td width="148" height="35" valign="top"><b>Type: </b> </td>	
            <td><select name ="tabledrop">
			<option value="goggles">goggles</option>
			<option value="headbands">headbands</option>
			 <input type='hidden' id='tabledrop' name='tabledrop' value = ''/>
			</select>
			</td>

 

those 2 options are actually names of my tables.

 


 

I tried this and got some syntax error.

 

$type = $_POST['tabledrop'];
$item = $_POST['goggles_name'];
$price = $_POST['goggles_price'];
$file = $_FILES['goggles_image']['name'];

$query = "INSERT into $type SET [$type]_name = '$item' , [$type]_price = '$price' , [$type]_image = '$file'";

Don't ever do this like this.  Don't let your users directly determine your database inserts.  What if someone altered these POST values so that they were granting themselves permissions on your database?  What if they made 'tabledrop' into "mysql.users (username, password) VALUES ('haha', 'hackedYou');#"

 

Always ALWAYS sanitize user input.  For this operation, that means ensuring that the table name is part of the valid list of table names, and running EVERYTHING through mysql_real_escape_string.

 

Also, your answer is that [] is not the right way to surround variables inside strings; you want {}.

 

-Dan
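
An added example, not part of the original thread or any poster's code: one way to apply the allowlist advice above, with PDO prepared statements swapped in for mysql_real_escape_string. The function names, the ALLOWED_TABLES constant and the in-memory SQLite demo are assumptions; the table names, column pattern and sample values follow the thread.

```php
<?php
// Added example: allowlist the table name, bind the values as parameters.
// Assumption: the only valid tables are the two dropdown options in the thread.
const ALLOWED_TABLES = ['goggles', 'headbands'];

// Return the posted table name only if it is a known table; anything else throws.
function resolveTable($posted): string
{
    if (!is_string($posted) || !in_array($posted, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('Unknown item type');
    }
    return $posted;
}

function buildInsert(string $table): string
{
    // Identifiers cannot be bound as parameters, so the table name is
    // interpolated, but only after it has passed the allowlist.
    return "INSERT INTO `{$table}` "
         . "(`{$table}_name`, `{$table}_price`, `{$table}_image`) "
         . "VALUES (:name, :price, :image)";
}

function insertItem(PDO $pdo, array $post, array $files): void
{
    $table = resolveTable($post['tabledrop'] ?? null);
    $stmt = $pdo->prepare(buildInsert($table));
    $stmt->execute([
        ':name'  => $post['goggles_name'] ?? '',
        ':price' => $post['goggles_price'] ?? '',
        // basename() drops any directory part of the client-supplied file name
        ':image' => basename($files['goggles_image']['name'] ?? ''),
    ]);
}

// Constructed demo data, run against in-memory SQLite so it works offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE goggles (goggles_name TEXT, goggles_price TEXT, goggles_image TEXT)');
insertItem($pdo, ['tabledrop' => 'goggles', 'goggles_name' => 'wx', 'goggles_price' => 'de'],
           ['goggles_image' => ['name' => 'a7x.jpg']]);
echo $pdo->query('SELECT COUNT(*) FROM goggles')->fetchColumn(), " row inserted\n";

foreach (['', 'users', null] as $bad) {   // empty, unknown and missing values
    try {
        insertItem($pdo, ['tabledrop' => $bad], []);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', var_export($bad, true), "\n";
    }
}
```

Because the empty string is not in the allowlist, a form that posts a blank `tabledrop` fails at `resolveTable()` with a clear error rather than producing a malformed query.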

Haha yeah, it's actually for the admin, but I'll take note of that.

 

I tried

 

$query = "INSERT into $type SET {$type}_name = '$item' , {$type}_price = '$price' , {$type}_image = '$file'";

 

Got this though

 

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'SET _name = 'wx' , _price = 'de' , _image = 'a7x.jpg'' at line 1

Yeah, I think my tabledrop is not passed to the next form.

 

Is there something wrong with this?

 

<td><select name ="tabledrop">
			<option value="goggles">goggles</option>
			<option value="headbands">headbands</option>
</select>
<input type='hidden' id="tabledrop" name="tabledrop" value = ""/>

 

the upload page

 

$type = $_POST['tabledrop'];

 

Going back a bit:

"Haha yeah, it's actually for the admin, but I'll take note of that."

That doesn't mean someone can't get access to it.  Are you absolutely certain nobody else can break into this page?  Your site security should be complete, through every layer of the site, not just at the edges or the easiest entry points.

 

Glad you got the rest of it sorted.

 

-Dan
