POST data to PHP code

ckoniecny · 03-02-2006, 12:12 PM

I have this HTML code:

Code:

html>
<body>
<form action="test.php" method="POST">
Search Department(s): <input type="text" name="Department" /><br>
<input type="submit" />
</form>
</body>
</html>

I'm trying to use the POST data in a SQL Query like the following:

Code:

$QUERY = 'SELECT * FROM CommExchange.Personnel_Information WHERE Department='$_POST["Department"]'';

But its not working. Is there something I'm missing?

pnellesen · 03-02-2006, 01:10 PM

I think for POST variables, you need single quotes for the index instead of double quotes, so maybe try '$_POST['Department']'?

xhi · 03-02-2006, 01:18 PM

Code:

$QUERY = 'SELECT * FROM CommExchange.Personnel_Information WHERE Department='$_POST["Department"]'';

use double quotes for the query string.. otherwise $_POST[..] is a literal value and not a variable..
so do this..

Code:

$QUERY = "SELECT * FROM table WHERE field='$_POST[department]'";

i believe that should work but cant test right now.. notice how the array id word Department does not need to be quoted when used in this manner..

Spudley · 03-02-2006, 01:30 PM

Firstly, pnellesen is incorrect; you can use single or double quotes in $_POST[] vars, just like any other array.

xhi is correct, in that you must use double-quotes around your string if you wish to include variable names in it to be translated.

However, that isn't the whole story. If you are embedding an array variable into a string like this, you must wrap it in curly braces, otherwise the PHP interpreter gets confused by the array variable syntax.

So your code would need to look like this:

PHP Code:


			
$query = "SELECT * FROM table WHERE field='{$_POST[department]}'";

One other thing I would add: Please also be very careful when putting a post variable directly into a SQL query -- you may be opening yourself up to a potential security problem, called an "SQL injection attack", where malicious posters could manipulate your SQL string and hack your database.

Hope you get everything working

All the best.

msound · 03-02-2006, 01:31 PM

I would use:

PHP Code:


			
$QUERY = 'SELECT * FROM CommExchange.Personnel_Information WHERE Department=\'' . $_POST[Department] . '\'';

xhi · 03-02-2006, 09:23 PM

Quote:

However, that isn't the whole story. If you are embedding an array variable into a string like this, you must wrap it in curly braces, otherwise the PHP interpreter gets confused by the array variable syntax.

i have never ran into having to use the curly braces. is that somthing new? or maybe i have just never ran into it because i dont usually assign the post data to another variable..
ex..

Code:

$forumQ = mysql_query("SELECT * FROM forums WHERE id=$_POST[fid]");

mfrick · 03-02-2006, 10:48 PM

Quote:

Originally Posted by Spudley

Firstly, pnellesen is incorrect; you can use single or double quotes in $_POST[] vars, just like any other array.

xhi is correct, in that you must use double-quotes around your string if you wish to include variable names in it to be translated.

However, that isn't the whole story. If you are embedding an array variable into a string like this, you must wrap it in curly braces, otherwise the PHP interpreter gets confused by the array variable syntax.

Cheers for that (although I wasn't asking the question) as I had always broken the string up like the post below yours eg "start string".theArray[element]."end string" but I do very much like the {} solution.