insert value of html select form into mysql database

Question

I want to insert the value of a selected 'select form' into my mysql database.

How can i get the right value of this?

<form action='' method='post'>
 <select name="myselectbox">
  <option name="myoption1" value="myoption1">myoption1</option>
  <option name="myoption2" value="myoption2">myoption2</option>
  <option name="myoption3" value="myoption3">myoption3</option>
  <option name="myoption4" value="myoption4">myoption4</option>
 </select>
<input type='submit' value='submit'/>
</form>

something like that? (this one didn't work obviously..)

$sql = "INSERT INTO Entries (myoption1) VALUES ('$_POST[myselectbox]')";

Answer 1

you have to wrap your select tag into a form tag .

<form action='' method='post'>
<select name="myselectbox">
   <option name="myoption1" value="myoption1">myoption1</option>
   <option name="myoption2" value="myoption2">myoption2</option>
   <option name="myoption3" value="myoption3">myoption3</option>
   <option name="myoption4" value="myoption4">myoption4</option>
</select>
<input type='submit' value='submit'/>
</form>

once you submit the form, you will get the post variable as $_POST['myselectbox'] that could be appended into a mysql query as you have already did. but for a better way dont just append it like that but check the form is submitted and post variables are available or not before appending. eg:

if(!empty($_POST['myselectbox'])){
    /*.. do your query section... */
}

Answer 2

you have error in your SQL command, $_POST needs html names to be wrapped in quotes like => $_POST['some_name'] :

$sql = "INSERT INTO Entries (myoption1) VALUES ('$_POST[myselectbox]')"; /* ^^ missing quotes here*/

try it this way :

$sql = "INSERT INTO Entries (myoption1) VALUES (".$_POST['myselectbox'].")";

Answer 3

Assuming that your form is correct and it is posting the values that you want to your script.

(You have sprinkled your code with echo to ensure this is the case?)

The simplest reliable way of sending the data into a SQL statement and therefore into mysql is to use prepared statements.

Take a look here: http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php

Basically you write the SQL statement without your variables in it (replaced with ?) and then tell mysql to execute the statements with your variables later. It avoids the need to escape strings and worry about how to build things up.

As an example, you might have:

// Connect to mysql

$mysqli = new mysqli('where your server is', 'my_user', 'my_password', 'world');

// Build the initial statement - easier to read as you don't have your string concatenation here

$stmt = $mysqli->prepare( "INSERT INTO Entries (myoption1) VALUES (?)" );

// Tell mysql that the '?' should be replaced with the value in your post array

$stmt->bind_param( "s", $POST['myselectbox'] );

// Execute the statement

$stmt->execute()

Obviously you should add error handling too, but the documentation covers the basics of this.

SQL Injection

The main reason why the use of prepared statements is a good idea is that it avoids SQL injection attacks.

There are other ways round, but in my mind this is the simplest solution.

SQL Injection attacks are situations where someone attempts to change the SQL statement that is being run by "injecting" other SQL into your statement.

Using your code as an example, you may execute this statement:

$sql = "INSERT INTO Entries (myoption1) VALUES ('". $_POST['myselectbox'] ."')";

Which would normally receive (let's suggest) something like myoption1.

This would result in the SQL being:

INSERT INTO Entries (myoption1) VALUES ('myoption1');

If someone decided to, they could send '='' OR '1'='1

This would result in the SQL being:

INSERT INTO Entries (myoption1) VALUES (''='' OR '1'='1');

Which is (obviously) very different.

Or, even worse send '=')'; DROP TABLE Entries WHERE (''='

This would result in the SQL being:

INSERT INTO Entries (myoption1) VALUES (''=''); DROP TABLE Entries WHERE (''='');

Use Prepared Statements

Simply put, but using prepared statements, you are telling mysql that what you are sending is a literal string to be used as a parameter. It can never be regarded as part of the statement itself and therefore the above is simply not possible.

Much much safer.

I hope that makes it clearer. If you want more info I suggest you research it independently...