-
Nov 2nd, 2008, 09:26 AM
#1
Thread Starter
Lively Member
drop down list and mysql
I am just starting... I am facing difficulty in solving a simple issue. Please help me with code.
There is a table with names of individuals and their addresses. Say, the column 1 is name, column 2 is add1, column 3 is add2.
I want a simple program in PHP that would display the ordered list of individual names in a drop down list. When the user selects one of them and submits it via a form, MySQL should locate the record that matches the name and display the address (add1 and add2).
Simple, but I am not getting it right.
I am getting the code to display the drop down list from the table, but when selected, only half of it is getting posted. Say, the name is Anthony Gonzalves in the list, when clicked, only Anthony gets passed and hence it does not match any record in the table. What is happening?
Here is the code:
PHP Code:
$con= mysql_select_db("bacteria");
$alln = @mysql_query('select name from detail order by name desc');
if (isset($_POST['button'])){
    $select=$_POST['selecty'];
    $result=mysql_query("select * from detail where name='$select'");
    if (mysql_num_rows($result) == 0) {
        die ("No rows found!");
    }
    while($row=mysql_fetch_assoc($result)) {
        print_r($row);
        echo ($row['Add1']);
        echo ($row['Add2']);
    }
    mysql_free_result($result);
    mysql_close();
} else {
?>
<form name="form1" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
    <select name="selecty">
<?php
    while($nm=mysql_fetch_array($alln)){
        echo ("<option value=".$nm['name'].">".$nm['name']."</option>");
    }
?>
    </select>
    <input type="submit" name="button" value="Submit" />
</form>
<?php
}
?>
Last edited by sridharao; Nov 2nd, 2008 at 11:51 AM.
-
Nov 2nd, 2008, 12:11 PM
#2
Re: drop down list and mysql
The problem is this line
PHP Code:
echo ("<option value=".$nm['name'].">".$nm['name']."</option>");
When rendered it will look like this:
Code:
<option value=John Smith>John Smith</option>
Do you see the problem? The value needs to be in quotes because there could be spaces in the name. So change it to:
PHP Code:
echo ("<option value=\"".$nm['name']."\">".$nm['name']."</option>");
or
PHP Code:
echo ("<option value='".$nm['name']."'>".$nm['name']."</option>");
One other thing... your script is vulnerable to attacks via SQL Injection. See here for how to prevent SQL Injection in PHP.
Hope this helps
Last edited by the182guy; Nov 2nd, 2008 at 12:16 PM.
Chris
-
Nov 6th, 2008, 07:47 AM
#3
Thread Starter
Lively Member
Re: drop down list and mysql
Thanks for pointing out the mistake.
Coming to the code injection part, I did go through the article in the link; which of the two is better to screen the user input?
mysql_real_escape_string OR stripslashes
Save trees, avoid plastics, say no to zoo, go veg, recycle as much, live holistic
-
Nov 6th, 2008, 08:44 AM
#4
Re: drop down list and mysql
stripslashes() will do the opposite of mysql_real_escape_string(). It will remove the slashes that were added. Are you thinking of addslashes()? addslashes() will appear to do the same as mysql_real_escape_string() but I have heard addslashes() can be exploited.
I use mysql_real_escape_string() myself but there are other ways, such as sprintf() which checks the data type of the inputs, e.g. when using an ID number, you can tell sprintf to not allow a string to be placed in that part of the query.
Hope this helps!
-
Nov 6th, 2008, 09:36 AM
#5
Frenzied Member
Re: drop down list and mysql
I started playing with prepared statements lately. Pretty much solves all of these problems.
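The two fixes raised in this thread (quoting the option value, and keeping the submitted name out of the SQL text) combined in one script, as an added example that is not any poster's code. It assumes PDO with an in-memory SQLite database standing in for the thread's MySQL `detail` table so it runs without a server; the sample rows and the function names `render_options` and `find_address` are made up for illustration.

```php
<?php
// Added example, not code from the thread. In-memory SQLite stands in for the
// MySQL database so the script runs without a server; rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE detail (name TEXT, Add1 TEXT, Add2 TEXT)');
$ins = $pdo->prepare('INSERT INTO detail (name, Add1, Add2) VALUES (?, ?, ?)');
foreach ([
    ['Anthony Gonzalves', '12 Hill Road', 'Mumbai'],
    ["Pat O'Brien", '4 Quay Street', 'Cork'],
] as $row) {
    $ins->execute($row);
}

// Build the <option> list: quote the attribute and HTML-encode both places
// the name is written, so spaces and quote characters survive intact.
function render_options(PDO $pdo): string
{
    $html = '';
    foreach ($pdo->query('SELECT name FROM detail ORDER BY name DESC') as $r) {
        $name = htmlspecialchars($r['name'], ENT_QUOTES, 'UTF-8');
        $html .= "<option value=\"$name\">$name</option>\n";
    }
    return $html;
}

// Look up the address with a bound parameter: the submitted value is sent as
// data and never becomes part of the SQL text.
function find_address(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT Add1, Add2 FROM detail WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

echo render_options($pdo);

// Constructed stand-ins for $_POST['selecty'].
foreach (['Anthony Gonzalves', "Pat O'Brien", "x' OR '1'='1"] as $submitted) {
    $rows = find_address($pdo, $submitted);
    echo $submitted, ' => ', $rows ? implode(', ', $rows[0]) : 'No rows found!', "\n";
}
```

With a MySQL DSN in the `PDO` constructor, the `prepare`/`execute` calls stay the same; the third input matches no row because it is compared as a literal name.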