Question
Issue when using $_POST['xyz'] in SELECT
REPOST:
The situation: Searching a small database with PHP/MySQL with DW8.0.2
1. I have a form where users can enter a name (or a portion of a name) and select which col in the db the name relates to. It POSTs the results to a seperate page to look up and display the result. The 2 form fields are name and column.
2. I have created a simple test page whereby I place the POST values for the fields into 2 vars ($name and $column)
3. I created a simple recordset:
SELECT *
FROM table3
WHERE $column LIKE '%$name%'
ORDER BY FamilyName ASC
which works perfectly. The recordset code is:
mysql_select_db($database_connConvictsMySQL, $connConvictsMySQL);
$query_rsConvicts = "SELECT * FROM table3 WHERE $col LIKE '%$name%' ORDER BY FamilyName ASC";
$rsConvicts = mysql_query($query_rsConvicts, $connConvictsMySQL) or die(mysql_error());
$row_rsConvicts = mysql_fetch_assoc($rsConvicts);
$totalRows_rsConvicts = mysql_num_rows($rsConvicts);
4. So with that in mind I attempted to use the $_POST values directly in the recordset using the Add Varianbles section and removed the vars I mentioned in 2 above. I thought this would provide a more secure, elegant solution as the code created adds in all the extra security code. I finished up with a recordset SQL as:
SELECT *
FROM table3
WHERE column LIKE %name%
ORDER BY FamilyName ASC
and the record set code created is:
$name_rsConvicts = "-1";
if (isset($_POST['enteredName'])) {
$name_rsConvicts = (get_magic_quotes_gpc()) ? $_POST['enteredName'] : addslashes($_POST['enteredName']);
}
$column_rsConvicts = "-1";
if (isset($_POST['selectedColumn'])) {
$column_rsConvicts = (get_magic_quotes_gpc()) ? $_POST['selectedColumn'] : addslashes($_POST['selectedColumn']);
}
mysql_select_db($database_connConvictsMySQL, $connConvictsMySQL);
$query_rsConvicts = sprintf("SELECT * FROM table3 WHERE %s LIKE CONCAT('%%', %s, '%%') ORDER BY FamilyName ASC", GetSQLValueString($column_rsConvicts, "text"),GetSQLValueString($name_rsConvicts, "text"));
$rsConvicts = mysql_query($query_rsConvicts, $connConvictsMySQL) or die(mysql_error());
$row_rsConvicts = mysql_fetch_assoc($rsConvicts);
$totalRows_rsConvicts = mysql_num_rows($rsConvicts);
In this case I dont get any results. I would really appreciate any suggestions . Thanks.
The situation: Searching a small database with PHP/MySQL with DW8.0.2
1. I have a form where users can enter a name (or a portion of a name) and select which col in the db the name relates to. It POSTs the results to a seperate page to look up and display the result. The 2 form fields are name and column.
2. I have created a simple test page whereby I place the POST values for the fields into 2 vars ($name and $column)
3. I created a simple recordset:
SELECT *
FROM table3
WHERE $column LIKE '%$name%'
ORDER BY FamilyName ASC
which works perfectly. The recordset code is:
mysql_select_db($database_connConvictsMySQL, $connConvictsMySQL);
$query_rsConvicts = "SELECT * FROM table3 WHERE $col LIKE '%$name%' ORDER BY FamilyName ASC";
$rsConvicts = mysql_query($query_rsConvicts, $connConvictsMySQL) or die(mysql_error());
$row_rsConvicts = mysql_fetch_assoc($rsConvicts);
$totalRows_rsConvicts = mysql_num_rows($rsConvicts);
4. So with that in mind I attempted to use the $_POST values directly in the recordset using the Add Varianbles section and removed the vars I mentioned in 2 above. I thought this would provide a more secure, elegant solution as the code created adds in all the extra security code. I finished up with a recordset SQL as:
SELECT *
FROM table3
WHERE column LIKE %name%
ORDER BY FamilyName ASC
and the record set code created is:
$name_rsConvicts = "-1";
if (isset($_POST['enteredName'])) {
$name_rsConvicts = (get_magic_quotes_gpc()) ? $_POST['enteredName'] : addslashes($_POST['enteredName']);
}
$column_rsConvicts = "-1";
if (isset($_POST['selectedColumn'])) {
$column_rsConvicts = (get_magic_quotes_gpc()) ? $_POST['selectedColumn'] : addslashes($_POST['selectedColumn']);
}
mysql_select_db($database_connConvictsMySQL, $connConvictsMySQL);
$query_rsConvicts = sprintf("SELECT * FROM table3 WHERE %s LIKE CONCAT('%%', %s, '%%') ORDER BY FamilyName ASC", GetSQLValueString($column_rsConvicts, "text"),GetSQLValueString($name_rsConvicts, "text"));
$rsConvicts = mysql_query($query_rsConvicts, $connConvictsMySQL) or die(mysql_error());
$row_rsConvicts = mysql_fetch_assoc($rsConvicts);
$totalRows_rsConvicts = mysql_num_rows($rsConvicts);
In this case I dont get any results. I would really appreciate any suggestions . Thanks.
AdChoices