Putting variable into table's name??? Please take a look.

[dwex]

I have a dropdown menu

 

<td width="148" height="35" valign="top"><b>Type: </b> </td>	
            <td><select name ="tabledrop">
			<option value="goggles">goggles</option>
			<option value="headbands">headbands</option>
			 <input type='hidden' id='tabledrop' name='tabledrop' value = ''/>
			</select>
			</td>

 

those 2 options are actually names of my tables.

 

---

 

I tried this and got some syntax error.

 

$type = $_POST['tabledrop'];
$item = $_POST['goggles_name'];
$price = $_POST['goggles_price'];
$file = $_FILES['goggles_image']['name'];

$query = "INSERT into $type SET [$type]_name = '$item' , [$type]_price = '$price' , [$type]_image = '$file'";

[ManiacDan]

Don't ever do this like this.  Don't let your users directly determine your database inserts.  What if someone altered these POST values so that they were granting themselves permissions on your database?  What if they made 'tabledrop' into "mysql.users (username, password) VALUES ('haha', 'hackedYou');#"

 

Always ALWAYS sanitize user input.  For this operation, that means ensuring that the table name is part of the valid list of table names, and running EVERYTHING through mysql_real_escape_string.

 

Also, your answer is that [] is not the right way to surround variables inside strings, you want {}

 

-Dan

[kenrbnsn]

Always give the complete error message, instead of "some syntax error".

 

You also have an error in your form, the "hidden" field should be outside the "<select>" definition.

 

Ken

[dwex]

ahha yeah , it's actually for the admin but i'll note of that.

 

I tried

 

$query = "INSERT into $type SET {$type}_name = '$item' , {$type}_price = '$price' , {$type}_image = '$file'";

 

Got this though

 

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'SET _name = 'wx' , _price = 'de' , _image = 'a7x.jpg'' at line 1

[kenrbnsn]

The value of $type is "" at the point where it's being used.

 

Do you validate that you're getting the correct information from your form?

 

Ken

[dwex]

Yeah , I think my tabledrop is not passed to the next form.

 

Is there something wrong with this?

 

<td><select name ="tabledrop">
			<option value="goggles">goggles</option>
			<option value="headbands">headbands</option>
</select>
<input type='hidden' id="tabledrop" name="tabledrop" value = ""/>

 

the upload page

 

$type = $_POST['tabledrop'];

 

[Pikachu2000]

Why do you have two fields in a form with the same name attribute?

[dwex]

oh mine , that was real noobish.

 

Thanks alot for your help! It worked!

You're really good at this.

 

 

[ManiacDan]

Going back a bit:

ahha yeah , it's actually for the admin but i'll note of that.

That doesn't mean someone can't get access to it.  Are you absolutely certain nobody else can break into this page?  Your site security should be complete, through every layer of the site, not just at the edges or the easiest entry points.

 

Glad you got the rest of it sorted.

 

-Dan