Input from user form into the sql, I don't get it

tredjejuni

What's wrong with this searchform?
I'm trying to use user input.
db connection and sql are working, my problem is to put the user input into the sql?

<?php

if (isset($_POST['submitted'])) {

include('connect.php');

$searchword = $_POST['screwtype'];
$query = "SELECT * FROM 'Inventory' WHERE 'screwtype' = '$searchword'";
$result = mysql_query($db, $query) or die('error getting data');
	// display result
	while($row = mysqli_fetch_array($result)){
	echo $row;
	echo "<br />";
	} // end of while-loop

} //end of main if statement
?>
</body>
</html>

Please help me figure out what's wrong😕😕😕

Weedpacket

First problem: please use the formatting markup tags described in the FAQs to mark up your code for readability.
Second problem: you're submitting one form field named "fornamn", but you're looking in the submission for form fields named "submitted" and "screwtype".
Third problem: you don't check whether the string you're embedding in your query is legitimate.

tredjejuni

ok, on first problem, it is the first time I post in this forum, sorry
second problem, mistake from me, I forgot to change
third problem, for the moment I am assuming the user input is valid. For the moment I am more worried about why it is not working?

Here it is again and I hope it is readable..

<html>
<head>
</head>
<body>

<form method="post" action="lena2.php" >
<INPUT type="text" name="screwtype" />
<br><INPUT type="submit" value="Start"/>
</form>

<?php

if (isset($_POST['submitted'])) {

include('connect.php');

$searchword = $_POST['screwtype'];
$query = "SELECT * FROM 'Inventory' WHERE 'screwtype' = '$searchword'";
$result = mysql_query($db, $query) or die('error getting data');
// display result
while($row = mysqli_fetch_array($result)){
echo $row;
echo "<br />";
} // end of while-loop
} //end of main if statement
?>
</body>
</html>

bradgrafelman

tredjejuni;11009517 wrote:
For the moment I am more worried about why it is not working?

One reason could be that you're making very dangerous assumptions, such as:

tredjejuni;11009517 wrote:
I am assuming the user input is valid.

Another reason would be that you're still checking for a form element named 'submitted' in your PHP code while no such field exists in the HTML you've shown us.

tredjejuni

Ok , thank you for your feedback but it doesn't help me :-(

My question is why the form does not work with the expected user input? In my world, that is step one, step two would be, amongst other things, validating user input. But I can't spend hours on validation of user input if I in the end can't use the solution at all!!

As for the 'submitted' thing, what should I use then?

Look, php is not my language, but I need it for the form. What shall I do? I'm trying as hard as I can but I am not a professional programmer.

bradgrafelman

tredjejuni;11009607 wrote:
My question is why the form does not work with the expected user input?

And that's the same question that I answered above.

You talk about validation as if it has to be some afterthought, but note that if your "expected user input" happens to include a single quote, your SQL query will become broken simply because you didn't validate/sanitize the user input.

tredjejuni;11009607 wrote:
As for the 'submitted' thing, what should I use then?

Whatever you want, but preferrably something that makes sense. Take a look at your form:

<form method="post" action="lena2.php" >
<INPUT type="text" name="screwtype" />
<br><INPUT type="submit" value="Start"/>
</form>

Notice there's really only one form element being POST'ed there, and it has a name of 'screwtype'. Now take a look at your PHP code:

<?php

if (isset($_POST['submitted'])) {

// form processing code here..

} //end of main if statement
?>

In other words, your processing code will only run if an element named 'submitted' exists. Notice a problem?

You either need to create an element named 'submitted' (or perhaps give that name to your submit button), or else check for the data that you actually expect to be there and need to use (e.g. 'screwtype').

Couple of other issues I notice now that I take a closer look at your latest code:

Identifiers in SQL queries (names of databases, columns, views, etc.) should not be surrounded with single quotes. Strings are to be surrounded with single quotes. For the former, either don't use any delimiter at all, or use one that is appropriate for identifiers (usually the backtick on MySQL). You have this problem in two places in your SQL query.
You're mixing functions from the [man]mysql[/man] extension with those from the [man]MySQLi[/man] extension. You can't do this - stick with one or the other (preferably the later, since the former is outdated and officially deprecated). See the manual page [man]mysqlinfo.api.choosing[/man] for more information about the different MySQL extensions (including some code examples for each).

johanafm

edit: nvm. sloppy reading