
query where parameter from php/html form


Scott_Brasted via SQLMonster.com

Dec 23, 2009, 8:24:16 PM12/23/09
Greetings,

I am trying to use a php/html form to supply a parameter to a sql query where
clause. Is this possible? I have searched over and over again and I cannot
find any references to it. Just shows how much I have to learn about searches
I guess.

I have discovered a reference to it on the w3c schools site that describes
this process for inserting rows. I have tried to modify it to do what I want
to no avail.

My form:
<form action="query.php" method="post">
Service Date: <input type="date" name="ChurchDate" />
<input type="submit" />
</form>

The code as modified by me:
$sql="SELECT tblChurchDate.ChurchDate, tblFunction.Function, tblPeople.Name
FROM tblChurchDate INNER JOIN ((tblChurchDateFunctionPeople INNER JOIN
tblFunction ON tblChurchDateFunctionPeople.fkFunctionID = tblFunction.
FunctionID) INNER JOIN tblPeople ON tblChurchDateFunctionPeople.fkPeopleID =
tblPeople.PeopleID) ON tblChurchDate.ChurchDateID =
tblChurchDateFunctionPeople.fkChurchDateID
ORDER BY tblChurchDate.ChurchDate, tblFunction.FunctionID

VALUES
('$_POST[ChurchDate]')";

I am using mySQL 5.1 and php 5.2.9

Thanks,
Scott

--
Message posted via SQLMonster.com
http://www.sqlmonster.com/Uwe/Forums.aspx/sql-server-programming/200912/1

Plamen Ratchev

Dec 23, 2009, 9:06:11 PM12/23/09
This is a SQL Server related forum. It will be best to post your question to a MySQL or PHP forum where you can get a better
response.

Just a guess, seems you want to use the posted value in the WHERE clause of the query:

$sql = "SELECT tblChurchDate.ChurchDate,
               tblFunction.Function,
               tblPeople.Name
        FROM tblChurchDate
        INNER JOIN ((tblChurchDateFunctionPeople
                     INNER JOIN tblFunction
                     ON tblChurchDateFunctionPeople.fkFunctionID = tblFunction.FunctionID)
                    INNER JOIN tblPeople
                    ON tblChurchDateFunctionPeople.fkPeopleID = tblPeople.PeopleID)
        ON tblChurchDate.ChurchDateID = tblChurchDateFunctionPeople.fkChurchDateID
        WHERE tblChurchDate.ChurchDate = '$_POST[ChurchDate]'
        ORDER BY tblChurchDate.ChurchDate, tblFunction.FunctionID";

Again, I am really not sure if this is the correct syntax. Also, it seems this is not really parameterizing the query but
rather directly injecting the value into the SQL string. This is very bad practice that exposes the application to SQL
injection. A quick search shows there are some PHP libraries that can parameterize queries, one example here:
http://www.phpinsider.com/php/code/SafeSQL/

--
Plamen Ratchev
http://www.SQLStudio.com
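The reply above points out that interpolating $_POST into the SQL string is injection-prone and that the query should be parameterized. The following is an added example, not code from either poster, showing the same query run through a mysqli prepared statement, which is available in PHP 5.2 without any extra library. The connection credentials and database name are placeholders, the posted field is assumed to be called ChurchDate as in the form from the question, and the nested INNER JOIN has been flattened into an equivalent chain of joins.

```php
<?php
// Added example (not from the original thread): the query from the reply above
// with the posted date bound as a parameter via mysqli prepared statements.
// Assumed: PHP 5.2 with the mysqli extension; the form field is named ChurchDate.

// Placeholder credentials and database name; replace with your own.
$db = new mysqli('localhost', 'db_user', 'db_password', 'church_db');
if ($db->connect_error) {
    die('Connection failed: ' . htmlspecialchars($db->connect_error));
}

// Reject anything that is not a plausible YYYY-MM-DD date before it reaches
// the database. The prepared statement already prevents injection; this check
// just gives the user a clear error instead of an empty result set.
$date = isset($_POST['ChurchDate']) ? trim($_POST['ChurchDate']) : '';
if (!preg_match('/^(\d{4})-(\d{2})-(\d{2})$/', $date, $m)
    || !checkdate((int)$m[2], (int)$m[3], (int)$m[1])) {
    die('Please enter a valid date in YYYY-MM-DD form.');
}

// The user value is replaced by a "?" placeholder. The SQL text itself never
// contains user input, so MySQL parses the statement before the value is attached.
$sql = "SELECT tblChurchDate.ChurchDate,
               tblFunction.Function,
               tblPeople.Name
        FROM tblChurchDate
        INNER JOIN tblChurchDateFunctionPeople
            ON tblChurchDate.ChurchDateID = tblChurchDateFunctionPeople.fkChurchDateID
        INNER JOIN tblFunction
            ON tblChurchDateFunctionPeople.fkFunctionID = tblFunction.FunctionID
        INNER JOIN tblPeople
            ON tblChurchDateFunctionPeople.fkPeopleID = tblPeople.PeopleID
        WHERE tblChurchDate.ChurchDate = ?
        ORDER BY tblChurchDate.ChurchDate, tblFunction.FunctionID";

$stmt = $db->prepare($sql);
if ($stmt === false) {
    die('Prepare failed: ' . htmlspecialchars($db->error));
}

// "s" sends the value as a string; MySQL converts it to DATE for the comparison.
// Whatever the user typed is treated as data, never as SQL.
$stmt->bind_param('s', $date);
$stmt->execute();

// PHP 5.2 has no mysqli_stmt::get_result, so bind the output columns instead.
$stmt->bind_result($churchDate, $function, $name);

echo "<table>\n";
while ($stmt->fetch()) {
    // Escape on output too: these values come from the database, but treating
    // everything as untrusted when rendering HTML is cheap insurance.
    printf("<tr><td>%s</td><td>%s</td><td>%s</td></tr>\n",
        htmlspecialchars($churchDate),
        htmlspecialchars($function),
        htmlspecialchars($name));
}
echo "</table>\n";

$stmt->close();
$db->close();
```

Point the form's action at this script instead of query.php and the posted date reaches the server only as a bound parameter. The same pattern works with PDO (prepare, then execute with an array of values) if that extension is preferred.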

Scott_Brasted via SQLMonster.com

Dec 23, 2009, 10:38:38 PM12/23/09
Thanks for the reply. I am reading about injections and I have posted in the
Sun mySQL forum.

Best,
Scott
