<select> problem


error_22
02-28-2006, 05:42 PM
<form action="new_isy.php" method="POST">
First name:<br>
<input type="text" name="fname"><br>
Last name:<br>
<input type="text" name="lname"><br>
Email:<br>
<input type="text" name="email"><br>
Head<br>
<input type="text" name="head"><br>
Message<br>
<textarea name="message" cols="30" rows="8"></textarea><br>
<select name="category">
<option>option1</option>
<option>option2</option>
<option>option3</option>
<option>option4</option>
</select><br><br>
<input type="submit" value="Send"></form>


new_isy.php:

$date = date("Y-m-d H:i:s");
$sql = "INSERT INTO `ads`
(
`fname`,
`lname`,
`email`,
`head`,
`message`,
`category`,
`date`
)
VALUES (
'{$_POST['fname']}',
'{$_POST['lname']}',
'{$_POST['email']}',
'{$_POST['head']}',
'{$_POST['message']}',
'{$_POST['category']}',
'$date'
)";

mysql_query($sql) or die("SQL: $sql ".mysql_error());

// ##### Back to main page #####
header ("Location: index.php");
exit;

Ok, so I want option1/option2/option3/option4 to be saved in the field called "category". The point is that people can choose a category and that category should be saved in the db. What am I doing wrong?

Thanks in advance
Niklas

filburt1
02-28-2006, 05:44 PM
Give each option a "value" attribute.

Also, perish the thought of using raw user data in queries. Escape it always.

error_22
02-28-2006, 05:57 PM
<form action="new_isy.php" method="POST">
First name:<br>
<input type="text" name="fname"><br>
Last name:<br>
<input type="text" name="lname"><br>
Email:<br>
<input type="text" name="email"><br>
Head<br>
<input type="text" name="head"><br>
Message<br>
<textarea name="message" cols="30" rows="8"></textarea><br>
<select name="category">
<option value="option1">option1</option>
<option value="option2">option2</option>
<option value="option3">option3</option>
<option value="option4">option4</option>
</select><br><br>
<input type="submit" value="Send"></form>


Like that, you mean? It's still not working.

And what do you mean by "raw user data in queries"?

Thanks

error_22
03-06-2006, 07:28 PM
anyone?

Princeton
03-06-2006, 08:39 PM
And what do you mean by "raw user data in queries"?
What he means is that you should make sure that all data is checked/cleaned before saving it into the database.

(security risk)

error_22
03-06-2006, 09:08 PM
What he means is that you should make sure that all data is checked/cleaned before saving it into the database.

(security risk)

And how do I do that?

error_22
03-21-2006, 04:16 PM
bump

Xenon
03-21-2006, 09:40 PM
Take a look into a general vb-file, especially how they use $vbulletin->gpc and these parts of code :)

error_22
03-23-2006, 09:02 AM
Hmmm, how would that string of code help me when I have no idea what any of you are talking about? I think you have forgotten what it's like to not understand ;)

Xenon
03-23-2006, 08:00 PM
Well, sorry, but we can't teach you coding by posting on this forum.

We can just give you examples of what good code looks like, and as I said, you should take any vb-file as an example, and you will see that nowhere is a $_POST entered directly into the db; all results are sanitized by the $vbulletin->gpc_cleaner.
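What the replies above are pointing at, written out as an added example rather than code from any post in this thread: the same INSERT as new_isy.php, with the category checked against the four values the <select> offers and every field bound as a query parameter through PDO prepared statements. The DSN and credentials are placeholders; the table and column names are the ones from the original post.

```php
<?php
// Added example, not from the thread: new_isy.php rewritten so that user
// input is validated first and bound as parameters, never spliced into SQL.

// Assumption: a PDO connection; DSN and credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// The <select> only ever offers these four values, so anything else in
// $_POST['category'] did not come from the form and is rejected outright.
$allowedCategories = ['option1', 'option2', 'option3', 'option4'];

$fname    = trim($_POST['fname'] ?? '');
$lname    = trim($_POST['lname'] ?? '');
$email    = trim($_POST['email'] ?? '');
$head     = trim($_POST['head'] ?? '');
$message  = trim($_POST['message'] ?? '');
$category = $_POST['category'] ?? '';

if ($fname === '' || $lname === '' || $head === '' || $message === '') {
    die('All fields are required.');
}
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    die('Invalid email address.');
}
if (!in_array($category, $allowedCategories, true)) {
    die('Invalid category.');
}

// Named placeholders are sent to MySQL separately from the SQL text, so a
// quote or comment sequence in the input is stored as data, not parsed as SQL.
$stmt = $pdo->prepare(
    'INSERT INTO `ads` (`fname`, `lname`, `email`, `head`, `message`, `category`, `date`)
     VALUES (:fname, :lname, :email, :head, :message, :category, :date)'
);
$stmt->execute([
    ':fname'    => $fname,
    ':lname'    => $lname,
    ':email'    => $email,
    ':head'     => $head,
    ':message'  => $message,
    ':category' => $category,
    ':date'     => date('Y-m-d H:i:s'),
]);

header('Location: index.php');
exit;
```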

error_22
03-25-2006, 12:49 PM
Thanks for taking the time to answer.