0

I have a form where the user inputs their ID, and this then populates their name from a database. There is a whole form; I just copied the relevant parts and the SQL below.

User ID: <input value="User ID" name="user_id">

$sql = "SELECT user_firstname, user_surname FROM users_tbl WHERE xxxx = users_tbl.user_id";
$result = pg_query($sql);

I have made it this far, but I'm not sure what to do.

matino
Tom

2 Answers

1

You should filter GET or POST form variables. So the right way would be:

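// Bind the posted value as parameter $1 instead of concatenating it into the SQL string
$sql = 'SELECT user_firstname, user_surname FROM users_tbl WHERE users_tbl.user_id = $1';
$result = pg_query_params($sql, array($_POST['user_id']));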

Also, don't forget to filter POST and GET variables from SQL injections.

freeland
  • This is how I thought it would be solved. I guess the form has to be sent first, which will then place the fields into the submit button variables from the form? – Tom Jul 05 '13 at 13:43
  • Yes, the form should be sent first. All the form variables will be placed in the $_POST variable – freeland Jul 05 '13 at 14:39
0

You probably want something like ...

page1.php

<form method="POST" action="page2.php">
User ID: <input name="user_id" value="User ID">
<input type="submit" value="go">
</form>

page2.php

// pg_escape_string() and unquoted identifiers match the PostgreSQL pg_query() call in the question
$id = pg_escape_string( $_POST['user_id'] );
$sql = "SELECT user_firstname, user_surname FROM users_tbl WHERE user_id = '$id' LIMIT 1";
...
designosis
  • I could also use Ajax I guess – Tom Jul 05 '13 at 14:25
  • Indeed, it depends on what will change on the page. If only a few elements on the page change (like "sign in / register" becomes "account / sign out"), or nothing at all, Ajax is the better user experience. – designosis Jul 06 '13 at 08:23
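
An added example, not part of either answer: a PostgreSQL version of page2.php that validates the posted ID, binds it with pg_query_params() rather than building the SQL string, and HTML-escapes the name on output. The connection string, the lookup_user_name() helper and the assumption that user_id is an integer column are not from the original page; the table and column names come from the question.

```php
<?php
// Added example. The connection string and lookup_user_name() are assumptions;
// users_tbl, user_id, user_firstname and user_surname come from the question.
// Assumes user_id is an integer column.

/**
 * Return ['user_firstname' => ..., 'user_surname' => ...], or null if no row matches.
 */
function lookup_user_name($conn, int $userId): ?array
{
    // $1 is a bound parameter: the value is sent separately from the SQL text,
    // so it cannot change the structure of the query.
    $sql = 'SELECT user_firstname, user_surname FROM users_tbl WHERE user_id = $1';
    $result = pg_query_params($conn, $sql, [$userId]);
    if ($result === false) {
        throw new RuntimeException('Query failed');
    }
    $row = pg_fetch_assoc($result);
    return $row === false ? null : $row;
}

// Reject anything that is not a positive integer before touching the database.
// filter_input() returns null when the field is missing and false when it fails the filter.
$userId = filter_input(INPUT_POST, 'user_id', FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
if ($userId === null || $userId === false) {
    http_response_code(400);
    exit('Invalid user ID');
}

// Placeholder connection string (assumption).
$conn = pg_connect('host=localhost dbname=example user=example password=example');
if ($conn === false) {
    http_response_code(500);
    exit('Database unavailable');
}

$user = lookup_user_name($conn, $userId);
if ($user === null) {
    http_response_code(404);
    exit('No such user');
}

// Escape on output so a stored name cannot inject markup into the page.
echo htmlspecialchars($user['user_firstname'] . ' ' . $user['user_surname'],
                      ENT_QUOTES, 'UTF-8');
```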