
I'm currently working on an online order form and having a really weird problem. I have a drop-down menu whose options are values from one of the columns in a database table. Here is the HTML code:

<form name="form" method="post" action="placedOrder.php"><table width="70%" border="5" align="center"><tr>
<th scope="row">Item Name</th>
<th scope="row">Item SKU</th>
<th scope="row">Quantity</th>
<th scope="row">Special Note</th>
<th scope="row">Unit Price</th>
<th scope="row">Total Price</th></tr><tr>
<th scope="row">
<?php
include('connect.php');

$result = mysql_query("SELECT description FROM products") 
            or die(mysql_error());
print "<select name='description' value='description'>";
print "<option value='' disabled selected>Please Select A Product</option>";
while ($info = mysql_fetch_array($result))
{
        $p = $info["description"];
        print "<option value=$p>".$p."</option>";
}
print "</select>";
?>
</th>
<th scope="row"><input name="sku_1" id="sku_1" readonly /></th>    
<th scope="row"><input name="qty_1" /></th>
<th scope="row"><input name="note_1" /></th>  
<th scope="row"><input name="uPrice_1" id="uPrice_1" readonly /></th>
<th scope="row"><input name="tPrice_1" readonly /></th></tr></table><input type="submit"/></form>

When I went to work on placedOrder.php to receive the values from the HTML and store them in the database, the page kept returning blank and nothing showed up. I found out the reason might be the 'description' part. You can see it in the following code:

<?php   
include('connect.php');
$p = $_POST['description'];
echo $p;
$result = mysql_query("SELECT sku_id, unit_price FROM products WHERE description='{$_POST['description']}'")
            or die(mysql_error());
while($row = mysql_fetch_array( $result )) {
            echo $row[0];
            echo $row[1];
    } 

?>

The $_POST['description'] part should return my product name from the database, which is "48X72 CORDLESS BLACKOUT CELLULAR SHADE 9/16" WHITE", but after I echo it out it only returns "48X72"; the rest of the value disappears. Did I miss anything in the code?

3 Comments

  • Warning: your code is extremely vulnerable to SQL injection attacks!!! Commented Nov 1, 2014 at 0:20
  • OK... since I'm new and self-learning, I'm not sure what exactly a SQL injection attack is, but thank you! I'll try to find out. Commented Nov 1, 2014 at 0:25
  • Start using PDO or mysqli_* functions and bind your values before you send your data back and forth. You'll be able to prevent most injection vulnerabilities this way. mysql_* functions are officially deprecated and not recommended for use. Commented Nov 1, 2014 at 2:31

1 Answer

Quote your values in HTML, and escape your data.

print "<option value=$p>".$p."</option>";

To:

print "<option value=\"".htmlspecialchars($p)."\">".htmlspecialchars($p)."</option>";

How I'd prefer it written:

$p = htmlspecialchars($p);
printf('<option value="%s">%s</option>', $p, $p);

You're only getting the first part because that's all there is before the first space in the string and the browser is interpreting that as the value, and the rest as syntax errors.

For that matter, all property values in HTML should be quoted:

<tag stringproperty="value" integerproperty="42"></tag>

and if you want to get really strict, the only permissible quotes are double quotes.

However, most browsers operate in a more or less permanent "quirks" mode and accept/render all sorts of standards-violating HTML because "that's how it's always been done".


1 Comment

It works! Thanks so much. I didn't expect that part to have the problem, because I did the same type of coding before and it worked fine.
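The two fixes raised on this page, quoting and escaping the attribute values in the answer above and binding the query parameter instead of interpolating $_POST into SQL as the comments on the question recommend, put together as one added example. This is not the asker's or the answerer's code; it assumes the same products table (columns description, sku_id, unit_price), replaces connect.php with a PDO connection whose DSN, user and password are placeholders, and adds server-side validation of the posted quantity, which the original form left to readonly inputs the browser can still change.

```php
<?php
// Added example, not code from the original question or answer.
// Assumptions: a MySQL table `products`(description, sku_id, unit_price);
// the DSN, user name and password below are placeholders.
declare(strict_types=1);

// Escape a string for use inside a double-quoted HTML attribute or as text
// content. ENT_QUOTES also encodes single quotes, so the value is safe in
// either quote style; a product name such as
//   48X72 CORDLESS BLACKOUT CELLULAR SHADE 9/16" WHITE
// keeps its inch mark as &quot; instead of terminating the attribute early.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function db(): PDO
{
    return new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'user', 'pass', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Render the <select>: every attribute value is double-quoted and escaped,
// so a description containing spaces or quotes is submitted whole.
function renderProductSelect(PDO $pdo): string
{
    $out = '<select name="description">'
         . '<option value="" disabled selected>Please Select A Product</option>';
    foreach ($pdo->query('SELECT description FROM products ORDER BY description') as $row) {
        $p = h($row['description']);
        $out .= sprintf('<option value="%s">%s</option>', $p, $p);
    }
    return $out . '</select>';
}

// Look up SKU and unit price for the posted description. The value is bound
// as a parameter, so a crafted description such as  x' OR '1'='1  is compared
// literally and cannot alter the query.
function lookupProduct(PDO $pdo, string $description): ?array
{
    $stmt = $pdo->prepare('SELECT sku_id, unit_price FROM products WHERE description = :d');
    $stmt->execute([':d' => $description]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// placedOrder.php: read the posted fields, validate them server side (the
// readonly price inputs in the form are still user-controlled and must not be
// trusted), and echo only escaped output.
$pdo         = db();
$description = (string) ($_POST['description'] ?? '');
$qty         = filter_input(INPUT_POST, 'qty_1', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);

if ($description === '' || $qty === false || $qty === null) {
    http_response_code(400);
    exit('Missing or invalid product or quantity.');
}

$product = lookupProduct($pdo, $description);
if ($product === null) {
    http_response_code(400);
    exit('Unknown product.');
}

// Recompute the total from the database price rather than from tPrice_1.
$total = $qty * (float) $product['unit_price'];
printf('<p>%s (SKU %s) x %d = %.2f</p>', h($description), h((string) $product['sku_id']), $qty, $total);
```

The same h() helper is used both when building the option list and when echoing the posted value back, so the product name is never written raw into HTML in either direction; the prepared statement makes the description's content irrelevant to the SQL that runs.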
