Code Project
Posting dropdown value to database

Forum: Linux, Apache, MySQL, PHP (11 posts, 3 posters)
  Member_15055508 (#1) wrote:

    Hello. First of all, I want to apologize for my question, since the code I'm about to post is way outdated. I am hosting this script on a server which is running a very old version of PHP. The website is used by me and 2 other friends, and we are the only ones able to connect to it, due to .htaccess only showing the page to recognized IP addresses. So there is no need to protect against SQL injection or anything. Now that that's out of the way, here is the problem I am facing: I have a PHP script which is showing a dropdown menu, with values gathered from a MySQL table called chat_clothes. I then have a submit button that is supposed to post whatever you have chosen in the dropdown menu to another table called chat_brugere. But when I click the submit button, it posts "Resource id #7" instead of the selected value. Here is my code:

    Garderobe

    Skid i havet.

    '.$showSko['navn'].''
    ;
    }
    }
    ?>

    		';
    	?>
    
    Richard Deeming (#2) wrote:

    If the user can have any influence over the brugernavn or id session variables, or the content of the navn column, then your queries will be vulnerable to SQL Injection. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query (PHP: SQL Injection - Manual).

    If they can influence the navn column, there's also a danger of a persisted cross-site scripting vulnerability, since you don't properly encode the output (Cross Site Scripting (XSS) | OWASP).

    Beyond that, you're setting the shoes column to the $getSko variable, which is the object returned by your mysql_query call. I suspect you wanted to set it to the $_POST['sko'] value instead.


    "These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer

      Member_15055508 (#3) wrote:

      You are correct. Should it be

      mysql_query("UPDATE chat_brugere SET shoes='".$_POST['sko']."' WHERE id='".$_SESSION['id']."'");

      instead of

      mysql_query("UPDATE chat_brugere SET shoes='".$getSko."' WHERE id='".$_SESSION['id']."'");

      ? Cause then it just posts the button value, which is "Opdater!"


        Richard Deeming (#4) wrote:

        You'd need to move the <select> inside the <form> element, and use a different name for the button. But don't ignore the SQL Injection vulnerability. It's a critical security vulnerability, which is so simple to exploit that even a 3 year old can exploit it. It can be used to extract private data from your database, which can lead to massive fines. Or it can be used to alter data in your database without your knowledge, which could have disastrous results. PHP: SQL Injection - Manual


          Member_15055508 (#5) wrote:

          Thank you so much for your help.. I'm not worried about SQL injection, cause it's only me and 2 other people who have access to the site, since it's protected through .htaccess, and will remain that way.. There is no sensitive information on the server either way :) I tried to move the select tag into the form, but now the results from the database are shown outside the dropdown menu. I have changed the name of the button to something else, and now nothing is posted to the database when I hit the submit button.. Would you be willing to edit the script and post it here, if it's not too big of a deal? I feel like I would understand the errors better if I could compare the 2 codes and see where I messed up.


            Richard Deeming (#6) wrote:

            Something like this should work:

            <?php
            @session_start();
            header('Content-Type: text/html; charset=ISO-8859-1');
            include('includes/config.php');
            ?>
            <link rel="stylesheet" type="text/css" href="css/chat.css" />
            <div id="sidebar_header">Garderobe</div>
            <div id="sidebar_content">
            <form action="nygad.php" method="POST">
            <p style="display: inline;">Skid i havet.</p><br /><br />
            <select name="sko">
            <?php
            if(isset($_SESSION['logget_ind']) && $_SESSION['logget_ind'] == true) {
            $brugernavn = mysql_real_escape_string($_SESSION['brugernavn']);
            $getSko = mysql_query("SELECT `navn` FROM `chat_clothes` WHERE `ejer` = '$brugernavn' AND `type` = 'sko'");
            while ($showSko = mysql_fetch_array($getSko)) {
            $navn = htmlentities($showSko['navn']);
            echo "<option value=\"$navn\">$navn</option><br />";
            }
            }
            ?>
            </select>
            <?php
            if (isset($_POST['sko'])) {
            $shoes = mysql_real_escape_string($_POST['sko']);
            $id = mysql_real_escape_string($_SESSION['id']);
            mysql_query("UPDATE chat_brugere SET shoes='$shoes' WHERE id='$id'");
            echo 'sko er opdateret!';
            }
            ?>
            <p style="text-align:center;">
            <input type="submit" name="btn" value="Opdater!" />
            </p>
            </form>
            </div> <!-- sidebar_content -->


              Member_15055508 (#7) wrote:

              I tried the new script, and now it looks like it wants to post the selected value, but the problem now is that none of the values from chat_clothes are appearing in the dropdown menu.. It's just blank (even though I'm logged in as before). This is the script in the browser: (screenshot) And this is the table chat_clothes: chat-clothes — ImgBB (screenshot)


                Richard Deeming (#8) wrote:

                Check that the session variable logget_ind is set, and the value is equal to true. Also check that the session variable brugernavn is set, and matches one of the ejer values from your table.


                  Member_15055508 (#9) wrote:

                  OH MY GOD!! IT WORKS NOW!! :D:D I found the reason why it did not show the value in the dropdown menu.. The reason is that the value in the column in the table where it was searching for values was "Røde Converse".. After I changed it to "Rode Converse", it now shows up.. So it was simply because the value contained a Ø (which is a letter in my language), and not anything wrong with the code you posted. Anyways, the script is working perfectly now, after you fixed it.. Thank you SO much for your help.. This has been very enlightening for me.. Before posting my question here, I tried posting about my problem at Stack Overflow, and they just inactivated my question, since the code is outdated.. Thanks man! :D

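A hardened version of the sidebar script, added here as an example that is not Richard Deeming's code or anything posted in the thread: it applies the parameterized-query and output-encoding advice from post #2, keeps the select inside the form as in posts #4 and #6, and addresses the "Røde Converse" symptom from post #9 by using one explicit charset (UTF-8) for the database connection, the HTTP response and the output encoding, since a mismatch between the bytes MySQL returns and the charset htmlentities() assumes is a common cause of options rendering blank. It assumes PDO with the MySQL driver is available (PHP 5.3.6 or later for the charset= DSN option), the table and column names the thread uses, and placeholder credentials in place of includes/config.php.

```php
<?php
// Added example, not the thread's own code. Assumes PDO with the MySQL driver
// (PHP 5.3.6+ for the charset= DSN option) and the thread's tables:
// chat_clothes(ejer, type, navn) and chat_brugere(id, shoes).
session_start();
header('Content-Type: text/html; charset=UTF-8');
// Placeholder credentials: take the real values from includes/config.php.
// charset=utf8mb4 makes MySQL hand back UTF-8, so "Røde Converse" survives.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
          PDO::ATTR_EMULATE_PREPARES => false)
);

// Output encoding with an explicit charset that matches the connection;
// this is what stops navn values from being rendered as markup or blanked.
function h($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$loggedIn = isset($_SESSION['logget_ind']) && $_SESSION['logget_ind'] == true
    && isset($_SESSION['id'], $_SESSION['brugernavn']);
if (!$loggedIn) {
    header('HTTP/1.0 403 Forbidden');
    exit('Ikke logget ind.');
}

$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['sko'])) {
    // Accept only a value the user actually owns: the choice is checked
    // against the database rather than trusted because it came from the form.
    $owned = $pdo->prepare(
        'SELECT 1 FROM chat_clothes WHERE ejer = ? AND type = ? AND navn = ?');
    $owned->execute(array($_SESSION['brugernavn'], 'sko', $_POST['sko']));
    if ($owned->fetchColumn()) {
        $upd = $pdo->prepare('UPDATE chat_brugere SET shoes = ? WHERE id = ?');
        $upd->execute(array($_POST['sko'], $_SESSION['id']));
        $message = 'Sko er opdateret!';
    } else {
        $message = 'Ugyldigt valg.';
    }
}

// Read the list after the update so the dropdown reflects the stored state.
$list = $pdo->prepare(
    'SELECT navn FROM chat_clothes WHERE ejer = ? AND type = ? ORDER BY navn');
$list->execute(array($_SESSION['brugernavn'], 'sko'));
?>
<form action="nygad.php" method="POST">
  <select name="sko">
<?php foreach ($list as $row): ?>
    <option value="<?php echo h($row['navn']); ?>"><?php echo h($row['navn']); ?></option>
<?php endforeach; ?>
  </select>
  <input type="submit" name="btn" value="Opdater!" />
</form>
<?php if ($message !== ''): ?><p><?php echo h($message); ?></p><?php endif; ?>
```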
                    jsc42 (#10) wrote:

                    It is many years since I last used PHP, but shouldn't echo "<option value=\"$navn\">$navn</option><br />"; be something like echo "<option value=\"" . $navn . "\">" . $navn . "</option>"; to ensure that the value, rather than the variable name is concatenated. Plus the <br /> is not necessary as options are stacked anyway and the breaks will be saved for outside of the select rather than inside its options list.

                      Richard Deeming (#11) wrote:

                      If the string uses double-quotes, variables referenced within the string will be expanded (PHP: Strings - Manual). So the two options will produce the same output. :)

