I have this select box that users can use to choose an option, but I'm stuck on how I can process it with PHP and insert the value in MySQL:

<select name="vote[]">
  <option value="support">I support this</option>
  <option value="against">Im against this</option>
  <option value="dont">I want the audience to decide!</option>

$insert=mysql_query("INSERT INTO topic (topic, founder, choice, date) VALUES('".$course."', '".$user_id."', '".$_POST['vote[]']."',NOW())");
A: 

First, be sure to close your select tag. ;) </select>

Second, what you'll probably want to do is include the select tag inside a <form> with method="post" and action="somepage.php".

Then when the user submits the form, they will be redirected to somepage.php. In your PHP code on somepage.php, you will have an array variable called $_POST which will have an entry called vote where you can see what element was selected in the select box. You can then use this information to change how somepage.php is processed.

Check out more information on using $_POST with forms here.

To then get that information in a database, you'll need to access the information in the $_POST variable and formulate your query string (beware of SQL injection!). Then send the query using mysql_query() as expected.

Ben Torell
All the processing right, I'm just showing a snippet of my code. The only problem I have is when I select an option it's not inserting into the database; where the choice field is, I get an empty cell.
getaway
+3  A: 

In addition to what Ben has already said, you want to drop the brackets from the name attribute.

<select name="vote">

When you go to retrieve the value, just use $_POST["vote"]. The use of square brackets is only if you intend to have multiple fields with the same name (i.e.: allowing the user to dynamically generate fields on the fly). You don't need to use it with dropdowns across the board.

EDIT

Also, as your resident PHP guru, I am contractually obligated to remind you to ALWAYS escape ANY data that is inserted into a SQL query. This means vigorously using mysql_real_escape_string() every time. Only you can prevent forest fires, VD, and god knows what else, but you can only do it if you're escaping your SQL parameters.

mattbasta
Oop...seems Ben deleted his answer.
mattbasta
I deleted it and then undeleted it. I realized after I answered that he probably knew everything I was already saying, which he confirmed. However, you are right - I don't see a need for the brackets.
Ben Torell
cheers it works, thanks
getaway
@ben thanks also, it's my fault for showing a bit of the code, :)) cheers
getaway
@getaway I hope my PSA was not for... naught...
mattbasta
@mattbasta, what does PSA mean lol
getaway
I would just like to echo and emphasize what Matt is saying. NEVER EVER EVER trust the input from a web page, even if it is "controlled" input like a select box. ALWAYS sanitize it. Read up on SQL injection here: http://unixwiz.net/techtips/sql-injection.html
Ben Torell
@getaway Public service announcement. Do what @Ben said. Be a good citizen and sanitize your inputs.
mattbasta
A: 

Use mysql_real_escape_string on your database inputs, or I'll use an HTML editor and change the value of one of those <option>s to '); DROP TABLE *; -- and hit submit.

You ought to read about SQL Injection so you know what you're up against here. I am sure there are other things to read apart from just the PHP guide on the matter, but I don't know of any in particular that I should link you to.

Axidos
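
An added example, not code from any of the answers above: it reads the value from a select named vote (no brackets), checks it against the three option values in the question, and inserts it with bound parameters. It uses PDO prepared statements instead of the mysql_query() / mysql_real_escape_string() calls mentioned in the thread, because the mysql_* extension was removed in PHP 7. The DSN, credentials, and the $course / $user_id values are assumptions.

```php
<?php
// Added example, not code from the thread. Connection details and the
// $course / $user_id values are placeholders (assumptions).
declare(strict_types=1);

// The only values the <select name="vote"> in the question can legitimately send.
const ALLOWED_VOTES = ['support', 'against', 'dont'];

/**
 * Return the submitted vote if it is one of the known option values, else null.
 * A client can edit the form and send anything, so the select box guarantees nothing.
 */
function validated_vote(array $post): ?string
{
    $vote = $post['vote'] ?? null;      // the key is "vote", never "vote[]"
    if (!is_string($vote)) {            // rejects a missing field and vote[]=... arrays
        return null;
    }
    return in_array($vote, ALLOWED_VOTES, true) ? $vote : null;
}

function insert_topic(PDO $db, string $course, int $userId, string $vote): void
{
    // Placeholders keep user data out of the SQL text entirely.
    $stmt = $db->prepare(
        'INSERT INTO topic (topic, founder, choice, date)
         VALUES (:topic, :founder, :choice, NOW())'
    );
    $stmt->execute([':topic' => $course, ':founder' => $userId, ':choice' => $vote]);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $vote = validated_vote($_POST);
    if ($vote === null) {
        http_response_code(400);
        exit('Invalid vote');
    }
    // Hypothetical DSN and credentials.
    $db = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'db_user', 'db_password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    // In the question these come from the asker's own code; constructed values here.
    $course  = 'example course';
    $user_id = 1;
    insert_topic($db, $course, $user_id, $vote);
}
```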