0

I have a form where the user inputs their ID, and this then populates their name from a database. There is a whole form; I just copied the relevant parts and the SQL below.

User ID: <input value="User ID" name="user_id">

$sql = "SELECT user_firstname, user_surname FROM users_tbl WHERE xxxx = users_tbl.user_id";
$result = pg_query($sql);

I have made it this far, but I'm not sure what to do.

2 Answers

1

You should filter GET or POST form variables. So the right way would be:

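// $1 is a placeholder; the POST value is sent as a bound parameter, not concatenated into the SQL text.
$sql = 'SELECT user_firstname, user_surname FROM users_tbl WHERE users_tbl.user_id = $1';
$result = pg_query_params($sql, array($_POST['user_id']));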

Also, don't forget to filter POST and GET variables from SQL injections.


2 Comments

This is how I thought it would be solved. I guess the form has to be sent first, which will then place the fields into the submit button variables from the form?
Yes, the form should be sent first. All the form variables will be placed in the $_POST variable.
0

You probably want something like ...

page1.php

<form method="POST" action="page2.php">
User ID: <input name="user_id" value="User ID">
<input type="submit" value="go">
</form>

page2.php

// Escape the submitted value before embedding it in the query string.
$id = mysql_escape_string( $_POST['user_id'] );
$sql = "SELECT `user_firstname`, `user_surname` FROM `users_tbl` WHERE `id` = '$id' LIMIT 1";
...

2 Comments

I could also use Ajax, I guess.
Indeed, depends on what will change on the page. If only a few elements on the page change (like "sign in / register" becomes "account / sign out"), or nothing at all, Ajax is the better user experience.
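
Both answers tell the asker to filter or escape user_id before it reaches the query. As an added example (not code from either answer), here is one way to do that for the question's PostgreSQL setup: validate the value, then pass it to pg_query_params as a bound parameter. It assumes users_tbl.user_id is an integer column and reads the connection string from a hypothetical PG_DSN environment variable.

```php
<?php
// Added example: hardened lookup for the user_id form field.
// Assumptions: users_tbl.user_id is an integer column; PG_DSN is a
// hypothetical environment variable holding the connection string.

/** Return the ID as an int, or null if the input is not a positive integer. */
function parse_user_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Look up one user; the ID travels as a bound parameter, never as SQL text. */
function find_user($conn, int $id): ?array
{
    $result = pg_query_params(
        $conn,
        'SELECT user_firstname, user_surname FROM users_tbl WHERE user_id = $1',
        [$id]
    );
    if ($result === false) {
        throw new RuntimeException('user lookup failed');
    }
    $row = pg_fetch_assoc($result);
    return $row === false ? null : $row;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $id = parse_user_id($_POST['user_id'] ?? null);
    if ($id === null) {
        http_response_code(400);
        exit('Invalid user ID');
    }
    $conn = pg_connect(getenv('PG_DSN') ?: '');
    if ($conn === false) {
        http_response_code(500);
        exit('Database unavailable');
    }
    $user = find_user($conn, $id);
    if ($user === null) {
        http_response_code(404);
        exit('No such user');
    }
    // Encode on output: stored names are untrusted when rendered as HTML.
    $name = $user['user_firstname'] . ' ' . $user['user_surname'];
    echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}
```

The form's default value "User ID" fails validation and gets a 400 response, so a submission with the placeholder text left in never reaches the database.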
