I am trying to post the value chosen for a dropdown menu into my database table. But for some reason it's not inputting the value into the database. I am trying to post cat_id into my database. So I use the code below to generate my dropdown list from values I already have in the database. Then below I have the function that inserts the info into the database. But for some reason it's not working. I am supposed to put what is in select name="", right?
<select name="cat[<?= (int) $row['pk_id'] ?>]">
<?php
$cat = dbConnect("SELECT * FROM category");   // result resource from the page's dbConnect() helper
if (empty($row['cat_id'])) {
?>
    <option value="">Select Category</option>
<?php
}
while ($cat_r = mysql_fetch_array($cat)) {
    // array keys must be quoted strings: cat_id and cat_name are not constants
    $selected = ($row['cat_id'] == $cat_r['cat_id']) ? ' selected="selected"' : '';
    // escape for HTML so a category name cannot inject markup into the page
?>
    <option value="<?= (int) $cat_r['cat_id'] ?>"<?= $selected ?>><?= htmlspecialchars(stripslashes($cat_r['cat_name'])) ?></option>
<?php
}
?>
</select>
Here is my insert to MySQL
dbConnect("INSERT INTO post_info(add_to_random, show_home, source, display_vote_page, cat_id) values(1,1,1,0,cat[.$row['pk_id'].])");
Did I put something wrong here for the value for cat_id? I put cat[.$row['pk_id'].] which is the select name="" for that dropdown list.
Code ported from comment:
if ($_POST and $_POST['action'] == 'submit') {
    foreach ($_POST as $k => $v) {
        $$k = $v;
    }
    foreach ($cat as $k => $v) {
        if ($v == '') continue;
        dbConnect("UPDATE twit_info set cat_id=" . $v . " where pk_id =" . $k);
    }
    if (count($pkid) > 0) {
        $pid = implode(',', $pkid);
        dbConnect("UPDATE twit_info set add_to_vote = 1, display_vote_page = 1 where pk_id in(" . $pid . ")");
    }
}
So in your foreach loop, you are extracting all post keys into global variables via the variable variable $$k (I'll get to this in a second). In your dbConnect() call, the quoting is incorrect. You should concatenate in $cat. I have added a call to mysql_real_escape_string(). This is necessary at a minimum, to protect all your queries from SQL injection. Your other UPDATE statements are also vulnerable at this point and you MUST perform some escaping on them as well.

Regarding the extraction of $_POST into global variables: I highly recommend against this. You are in effect imitating the behavior of register_globals, which is considered very dangerous. The danger comes in that it is possible for anyone to post any key to your form, in addition to the ones you actually expect to receive, potentially initializing another variable in your script to a value sent via $_POST when your script doesn't expect it.

Although I really just recommend operating on $_POST directly, rather than extracting to global variables, if you must extract them to globals, I advise you to use a whitelist of acceptable $_POST keys: