Advanced Search

Results 1 to 10 of 10

Thread: Use submitted data to create a table in PHP from SQL

  1. #1
    Join Date
    May 2007
    Location
    England, UK
    Posts
    235
    Thanks
    3
    Thanked 6 Times in 6 Posts

    Question Use submitted data to create a table in PHP from SQL

    Hi I am very new to PHP and need some help.

    I have created a form, from which I am able to submit a value, how do I use that value to display entries to my SQL database.

    The code i'm using is:

    The place where I want to use that value is WHERE county='THISBIT'"

    PHP Code:
    <?php 
    $data 
    mysql_query("SELECT * 
    FROM mydatabase 
    WHERE county='this is the bit i want to change using the form'"

    or die(
    mysql_error()); 
    print 
    "
    <table border cellpadding=3>
    <tr>
    <td width=100>Type:</td>
    <td width=100>Name:</td>
    <td width=100>Address:</td>
    <td width=100>Telephone:</td>
    </tr>"


    while(
    $info mysql_fetch_array$data )) 
        { 
        print 
    "<tr>"
        print 
    "<td>" $info['Type'] . "</td>";
        print 
    "<td>" $info['name'] . "</td>";
        print 
    "<td>" $info['Address'] . "</td>";
        print 
    "<td>" $info['Telephone'] . "</td>";
        print 
    "</tr>"
        } 
        print 
    "</table>"
    ?>
    Hope this makes sense,
    Thanks!

  2. #2
    Join Date
    Jul 2006
    Location
    just north of Boston, MA
    Posts
    1,806
    Thanks
    13
    Thanked 72 Times in 72 Posts

    Default

    1. I assumed that you first connect to the database
    2. then you need to have a "county" record in your "mydatase" table.
    3. then its just a matter of setting the county to whatever you are trying to evaluate, assuming that is taken from the user you could use something like.

    PHP Code:
    $county trim(htmlspecialchars($_POST['county']));

    ....
    connect to database....
    mysql_query("SELECT * FROM 'mydatabase' WHERE county='$county'"
      or die(
    "The "mysql_error() . " error occured, and the query couldn't be performed"); 
    making 2 assumptions, 1 = your form method is "post" and your form = "county"
    if your form method is "get use $_GET[] and you can just rename the "county" inside if thats different as well

    trim(htmlspecialchars(
    you should not trust user data directly from the user.

  3. #3
    Join Date
    May 2007
    Location
    England, UK
    Posts
    235
    Thanks
    3
    Thanked 6 Times in 6 Posts

    Default

    Works a treat!

    Thanks!

  4. #4
    Join Date
    Dec 2004
    Location
    UK
    Posts
    2,358
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default

    Quote Originally Posted by boogyman View Post
    PHP Code:
    $county trim(htmlspecialchars($_POST['county'])); 
    you should not trust user data directly from the user.
    Quite true, but the above is not the way to go about providing protection. Always use the database-specific escaping function before building a query from user input. This will account for any syntactic quirks that may be present. For MySQL, this is the mysql_real_escape_string or mysqli_real_escape_string functions, or real_escape_string method (depending upon the extension used).
    Mike

  5. #5
    Join Date
    Jul 2006
    Location
    just north of Boston, MA
    Posts
    1,806
    Thanks
    13
    Thanked 72 Times in 72 Posts

    Default

    what is the problem with doing it how I had it?

  6. #6
    Join Date
    Dec 2004
    Location
    UK
    Posts
    2,358
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default

    Quote Originally Posted by boogyman View Post
    what is the problem with doing it how I had it?
    The point of escaping values before inserting them into queries is to prevent injection attacks (intentional or otherwise). This requires escaping characters that are special in SQL. However, the htmlspecialchars function is designed to convert characters that are special to HTML into entity or character references. That isn't the same thing. Furthermore, comparing an entity reference of a character with the character itself clearly won't result in equality, therefore queries that should succeed may actually fail.
    Mike

  7. #7
    Join Date
    May 2007
    Location
    England, UK
    Posts
    235
    Thanks
    3
    Thanked 6 Times in 6 Posts

    Default

    Do I still need to use this method if the user input is coming from a select option?
    HTML Code:
    <form action="mypage.php" method="post">
        <select name="county">
            <option value="option1">option1</option>
            <option value="option2">option2</option>
        </select>
    <input type="submit" value="Submit" />
    </form>

  8. #8
    Join Date
    Dec 2004
    Location
    UK
    Posts
    2,358
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default

    Quote Originally Posted by jc_gmk View Post
    Do I still need to use this method if the user input is coming from a select option?
    Absolutely. Never trust anything that originates from the client. A form can be edited before submission to corrupt the values of fields that you might otherwise consider read-only.

    There is nothing wrong with paranoia when it comes to server-side security. Whilst you might not be a direct target of malicious users, it doesn't hurt to be cautious and applying good security practices should become second nature.
    Mike

  9. #9
    Join Date
    Jul 2006
    Location
    just north of Boston, MA
    Posts
    1,806
    Thanks
    13
    Thanked 72 Times in 72 Posts

    Default

    Quote Originally Posted by mwinter View Post
    The point of escaping values before inserting them into queries is to prevent injection attacks (intentional or otherwise). This requires escaping characters that are special in SQL. However, the htmlspecialchars function is designed to convert characters that are special to HTML into entity or character references.
    That is why I told him to sanitize it, so he didn't have the injection problem; wouldn't you still need to sanitize the html content though? or do those functions provide that support?


    Quote Originally Posted by mwinter View Post
    Absolutely. Never trust anything that originates from the client. A form can be edited before submission to corrupt the values of fields that you might otherwise consider read-only.
    ABSOLUTELY! someone with mal-intent could create a form on their own system but instead of using your "select" values they would input something else in place that would attempt to compromise your server.

    Quote Originally Posted by mwinter View Post
    There is nothing wrong with paranoia when it comes to server-side security. Whilst you might not be a direct target of malicious users, it doesn't hurt to be cautious and applying good security practices should become second nature.
    often times it is users that have good intention that will break the system, and even if he/she didnt mean to do damage this person could.

    Hosts, usually provide some type of security themselves as it is their physical
    machine, however the extent of the security, is never something to rely on. If you do your own sanitation at the very most, they will have adequate security themselves, and the content would be sanitized twice; dont have security even ONCE say good bye to your website, and probably the server thats hosting it.

  10. #10
    Join Date
    Dec 2004
    Location
    UK
    Posts
    2,358
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default

    Quote Originally Posted by boogyman View Post
    That is why I told him to sanitize it, so he didn't have the injection problem; wouldn't you still need to sanitize the html content though? or do those functions provide that support?
    You'd sanitise HTML content when outputting it. Here, the OP is dealing with input.

    If, for example, the OP was to take data from the database to display in a response, that would be a good time to run it through the htmlspecialchars function if the data could contain special characters, especially quotes (single ['] and double ["]), less-than symbols (<), and ampersands (&).
    Mike

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •