• 0

PHP select


Question

I have a dropdown populated from MySQL, and now I want to add the ID of the selected value into another table, but it doesn't get the ID.

Here's the code I have:

if (isset($_REQUEST['subcat']))
{
    $id_main = $_GET['categoriesID'];
    $DB->Query('INSERT INTO subcat(id_main_cat,name_subcat) VALUES ("'.$id_main.'","'.$newSub.'")');
}
?>
<br />
<?php
$result = mysql_query("SELECT id,name_cat FROM category")
    or die(mysql_error());
echo "Pick main:";
echo "<select name='categoriesID'>";
// reads from table 'categories'
while ($row = mysql_fetch_array($result)) {
    // display them in dropdown
    echo '<option value="'.$row['id'].'">';
    echo $row['id'], $row['name_cat'] . '</option>'."\n";
}
echo "</select><br />";
$_POST['categoriesID'];
?>
<form method="post" action="">
<b>Add new:</b>
<input type="text" name="newSubCat">
<input type="submit" name="addSubCat" value="Add">
</form>

The table is populated only with $newSub, but not with $id_main...


3 answers to this question

Recommended Posts

  • 0

And sanitise your input: you're passing $id_main directly into your MySQL query without checking the contents (so you could append your own SQL queries to it and run them).


  • 0

Or he could use parameterized queries.

http://www.codinghorror.com/blog/2005/04/give-me-parameterized-sql-or-give-me-death.html

Main points:

  • Fewer string concatenations
  • No need to worry about any kind of manual string escaping
  • A more generic query form is presented to db, so it's likely already hashed and stored as a pre-compiled execution plan
  • Smaller strings are sent across the wire

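An added example, not the original poster's code or either answerer's, pulling the two answers together with the bug in the question. Two things are visible in the posted code: the `<select>` is echoed before `<form method="post">` opens, so the browser never submits `categoriesID` at all, and the handler reads `$_GET['categoriesID']` while the form posts. The version below moves the select inside the form, reads it from `$_POST`, validates it as an integer, and does the INSERT through a PDO prepared statement so the values never become part of the SQL text. It assumes a PDO connection (the `$pdo` DSN and credentials are placeholders) and the `category(id, name_cat)` and `subcat(id_main_cat, name_subcat)` tables named in the question.

```php
<?php
// Added example (not the original poster's code). Assumes the tables from
// the question: category(id, name_cat) and subcat(id_main_cat, name_subcat).
// DSN, user and password are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=test;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

if (isset($_POST['addSubCat'])) {
    // Validate before touching the database: the category id must be an
    // integer (filter_input returns false on a bad value, null if absent),
    // and the new name must be non-empty.
    $idMain = filter_input(INPUT_POST, 'categoriesID', FILTER_VALIDATE_INT);
    $newSub = trim((string) ($_POST['newSubCat'] ?? ''));

    if ($idMain === false || $idMain === null || $newSub === '') {
        die('Pick a main category and enter a name.');
    }

    // Parameterised INSERT: the query text is fixed, the values are bound
    // separately, so a crafted name or id cannot change the statement.
    $stmt = $pdo->prepare(
        'INSERT INTO subcat (id_main_cat, name_subcat) VALUES (:id_main, :name)'
    );
    $stmt->execute([':id_main' => $idMain, ':name' => $newSub]);
}

// Categories for the dropdown (no user input, so a plain query is fine).
$cats = $pdo->query('SELECT id, name_cat FROM category')->fetchAll(PDO::FETCH_ASSOC);
?>
<form method="post" action="">
  Pick main:
  <!-- The select is now INSIDE the form, so categoriesID is submitted. -->
  <select name="categoriesID">
    <?php foreach ($cats as $row): ?>
      <option value="<?= (int) $row['id'] ?>">
        <?= htmlspecialchars($row['name_cat'], ENT_QUOTES, 'UTF-8') ?>
      </option>
    <?php endforeach; ?>
  </select><br />
  <b>Add new:</b>
  <input type="text" name="newSubCat">
  <input type="submit" name="addSubCat" value="Add">
</form>
```

To see why the first answer matters, look at the original concatenated query, `VALUES ("'.$id_main.'","'.$newSub.'")`. `mysql_query()` does not run stacked statements, so a `; DROP TABLE` payload would fail, but the attacker does not need one: submitting `x"),("9","y` as the new name turns the statement into `VALUES ("1","x"),("9","y")` and inserts a second row with an id of the attacker's choosing, and a subquery in the same position can read other tables. With the prepared statement above the same input is stored literally as the string `x"),("9","y`.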
