mysql – html select php processing question? – Education Career Blog

I have this select box that users can use to choose an option, but I'm stuck on how I can process it with PHP and insert the value in MySQL:

<select name="vote">
  <option value="support">I support this</option>
  <option value="against">Im against this</option>
  <option value="dont">I want the audience to decide!</option>

$insert=mysql_query("INSERT INTO topic (topic, founder, choice, date) VALUES('".$course."', '".$user_id."', '".$_POST['vote']."',NOW())");

,

In addition to what Ben has already said, you want to drop the brackets from the name attribute.

<select name="vote">

When you go to retrieve the value, just use $_POST["vote"]. The use of square brackets is only if you intend to have multiple fields with the same name (i.e.: allowing the user to dynamically generate fields on the fly). You don’t need to use it with dropdowns across the board.

EDIT

Also, as your resident PHP guru, I am contractually obligated to remind you to ALWAYS escape ANY data that is inserted into a SQL query. This means vigorously using mysql_real_escape_string() every time. Only you can prevent forest fires, VD, and god knows what else, but you can only do it if you’re escaping your SQL parameters.

,

First, be sure to close your select tag. 😉 </select>

Second, what you’ll probably want to do is include the select tag inside a <form> with method="post" and action="somepage.php".

Then when the user submits the form, they will be redirected to somepage.php. In your PHP code on somepage.php, you will have an array variable called $_POST which will have an entry called vote where you can see what element was selected in the select box. You can then use this information to change how somepage.php is processed.

Check out more information on using $_POST with forms here.

To then get that information in a database, you’ll need to access the information in the $_POST variable and formulate your query string (beware of SQL injection!). Then send the query using mysql_query() as expected.

,


Use mysql_real_escape_string on your database inputs, or I’ll use an HTML editor and change the value of one of those <option>s to '); DROP TABLE *; -- and hit submit.

You ought to read about SQL Injection so you know what you’re up against here. I am sure there are other things to read apart from just the PHP guide on the matter, but I don’t know of any in particular that I should link you to.
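
An added example, not part of the question or any answer on this page: it checks the submitted vote against the three <option> values from the form and inserts it with a PDO prepared statement instead of string concatenation. The in-memory SQLite database (standing in for MySQL so the script runs offline), the function names validateVote and insertTopic, and the sample course and user id are assumptions.

```php
<?php
// Added example. Assumptions: PDO with in-memory SQLite stands in for MySQL;
// validateVote/insertTopic and the sample course and user id are constructed.
const ALLOWED_VOTES = ['support', 'against', 'dont']; // <option> values from the form

function validateVote(array $post): ?string
{
    $vote = $post['vote'] ?? null;
    // The browser only offers the listed values, but a client can send anything:
    // reject arrays (name="vote[]") and any string outside the allow-list.
    if (!is_string($vote) || !in_array($vote, ALLOWED_VOTES, true)) {
        return null;
    }
    return $vote;
}

function insertTopic(PDO $db, string $course, int $userId, string $vote): void
{
    // Placeholders keep the data out of the SQL text, so quotes in a value are inert.
    $stmt = $db->prepare(
        'INSERT INTO topic (topic, founder, choice, date)
         VALUES (:topic, :founder, :choice, CURRENT_TIMESTAMP)'
    );
    $stmt->execute([':topic' => $course, ':founder' => $userId, ':choice' => $vote]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE topic (topic TEXT, founder INTEGER, choice TEXT, date TEXT)');

// Constructed submissions: a normal one, the edited <option> value quoted above, an array.
$submissions = [
    ['vote' => 'support'],
    ['vote' => "'); DROP TABLE *; --"],
    ['vote' => ['support']],
];

foreach ($submissions as $post) {
    $vote = validateVote($post);
    if ($vote === null) {
        echo 'rejected: ' . json_encode($post['vote']) . PHP_EOL;
        continue;
    }
    insertTopic($db, 'Sample course', 42, $vote);
    echo "stored: $vote" . PHP_EOL;
}
echo 'rows in topic: ' . $db->query('SELECT COUNT(*) FROM topic')->fetchColumn() . PHP_EOL;
```

The mysql_* functions used on this page were removed in PHP 7.0; with PDO or mysqli, bound parameters take the place of manual escaping.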
