dwex Posted November 30, 2010

I have a dropdown menu:

<td width="148" height="35" valign="top"><b>Type: </b> </td>
<td><select name="tabledrop">
<option value="goggles">goggles</option>
<option value="headbands">headbands</option>
<input type='hidden' id='tabledrop' name='tabledrop' value=''/>
</select> </td>

Those 2 options are actually names of my tables. I tried this and got some syntax error.

$type = $_POST['tabledrop'];
$item = $_POST['goggles_name'];
$price = $_POST['goggles_price'];
$file = $_FILES['goggles_image']['name'];
$query = "INSERT into $type SET [$type]_name = '$item' , [$type]_price = '$price' , [$type]_image = '$file'";
ManiacDan Posted November 30, 2010

Don't ever do this like this. Don't let your users directly determine your database inserts. What if someone altered these POST values so that they were granting themselves permissions on your database? What if they made 'tabledrop' into "mysql.users (username, password) VALUES ('haha', 'hackedYou');#"

Always ALWAYS sanitize user input. For this operation, that means ensuring that the table name is part of the valid list of table names, and running EVERYTHING through mysql_real_escape_string.

Also, your answer is that [] is not the right way to surround variables inside strings, you want {}

-Dan
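The two rules Dan gives, an allowlist for the table name and escaping for the values, put into working code. This is an added example, not code posted by anyone in the thread. It assumes the thread's table names (goggles, headbands) and column naming (<table>_name, <table>_price, <table>_image), and a mysqli connection; it uses mysqli prepared statements in place of mysql_real_escape_string, since a table or column name cannot be bound as a parameter anyway and only the allowlist protects that part of the query. The connection credentials are placeholders.

```php
<?php
// Added example, not the thread's code. Handles the "tabledrop" form safely.
// Assumes a mysqli connection and tables goggles / headbands with columns
// <table>_name, <table>_price, <table>_image, as described in the thread.

// Allowlist of table names the form may target. The submitted value is only
// ever compared against these keys; it is never copied into the SQL text.
const ALLOWED_TABLES = ['goggles' => true, 'headbands' => true];

function resolveTable(string $requested): ?string
{
    // Exact-match lookup: "Goggles", "goggles " and
    // "mysql.users (username, password) VALUES (...);#" all come back null.
    return isset(ALLOWED_TABLES[$requested]) ? $requested : null;
}

function insertItem(mysqli $db, string $requested, string $item, string $price, string $file): bool
{
    $table = resolveTable($requested);
    if ($table === null) {
        // Refuse and log; do not echo the submitted value back into the page.
        error_log('rejected table name from form: ' . bin2hex($requested));
        return false;
    }

    // $table now comes from the allowlist, so it is safe to interpolate as an
    // identifier. Backticks guard against a future name that needs quoting.
    $sql = sprintf(
        'INSERT INTO `%1$s` (`%1$s_name`, `%1$s_price`, `%1$s_image`) VALUES (?, ?, ?)',
        $table
    );

    // Values are bound, never concatenated, so quotes in $item etc. stay data.
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        error_log('prepare failed: ' . $db->error);
        return false;
    }
    $stmt->bind_param('sss', $item, $price, $file);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Request handling: read the form once, with defaults, and validate shape.
$requested = $_POST['tabledrop'] ?? '';
$item      = $_POST['goggles_name'] ?? '';
$price     = $_POST['goggles_price'] ?? '';
$file      = basename($_FILES['goggles_image']['name'] ?? '');  // drop any path part

if (!is_numeric($price)) {
    http_response_code(400);
    exit('invalid price');
}

// Placeholder credentials; replace with the real connection settings.
$db = new mysqli('localhost', 'db_user', 'db_password', 'shop');
if (!insertItem($db, $requested, $item, $price, $file)) {
    http_response_code(400);
    exit('item not saved');
}
echo 'saved';
```

Note that the form itself must submit exactly one tabledrop control (the select) for this to receive the chosen table; with the duplicate hidden field from the original form, $_POST['tabledrop'] is the hidden field's empty string and resolveTable() rejects it, which is the failure reported later in the thread.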
kenrbnsn Posted November 30, 2010

Always give the complete error message, instead of "some syntax error".

You also have an error in your form: the "hidden" field should be outside the "<select>" definition.

Ken
dwex Posted November 30, 2010 (Author)

Ahha yeah, it's actually for the admin, but I'll make a note of that. I tried

$query = "INSERT into $type SET {$type}_name = '$item' , {$type}_price = '$price' , {$type}_image = '$file'";

Got this though:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'SET _name = 'wx' , _price = 'de' , _image = 'a7x.jpg'' at line 1
kenrbnsn Posted November 30, 2010

The value of $type is "" at the point where it's being used. Do you validate that you're getting the correct information from your form?

Ken
dwex Posted November 30, 2010 (Author)

Yeah, I think my tabledrop is not passed to the next form. Is there something wrong with this?

<td><select name="tabledrop">
<option value="goggles">goggles</option>
<option value="headbands">headbands</option>
</select>
<input type='hidden' id="tabledrop" name="tabledrop" value=""/>

The upload page:

$type = $_POST['tabledrop'];
Pikachu2000 Posted November 30, 2010

Why do you have two fields in a form with the same name attribute?
dwex Posted November 30, 2010 (Author)

Oh my, that was real noobish. Thanks a lot for your help! It worked! You're really good at this.
ManiacDan Posted November 30, 2010

Going back a bit:

"Ahha yeah, it's actually for the admin, but I'll make a note of that."

That doesn't mean someone can't get access to it. Are you absolutely certain nobody else can break into this page? Your site security should be complete, through every layer of the site, not just at the edges or the easiest entry points.

Glad you got the rest of it sorted.

-Dan