PHP and HTML and FORM Select Statement

#1

Hi there!

I am trying to use PHP and a form with a SELECT statement. When I try to save the content, it will save it correctly the first time, but the second time it only saves the first word of the content (it cuts off the other words in the content).

The content is a question. So if the question is “How did you hear about us?” it will only save “How” (it cuts off all the other words). I would love to solve this issue. Thank you sooo much if you can help me!!

Andrea :)

Here is my code:

PHP:

    <OPTION id='item20_0_option' selected value='" . $row['Q6_question'] . "'>
        '" . $row['Q6_question'] . "'
    </OPTION>

SQL:

    $sql = "UPDATE Volunteers
    SET FirstName = '" . $_POST['FirstName'] . "',
    LastName = '" . $_POST['LastName'] . "',
    Occupation = '" . $_POST['Occupation'] . "',
    Relax = '" . $_POST['Relax'] . "',
    Q4_question = '" . $_POST['Q4_question'] . "',
    Q4_answer = '" . $_POST['Q4_answer'] . "',
    Q5_question = '" . $_POST['Q5_question'] . "',
    Q5_answer = '" . $_POST['Q5_answer'] . "',
    Q6_question = '" . $_POST['Q6_question'] . "',
    Q6_answer = '" . $_POST['Q6_answer'] . "'
    WHERE Email = '" . $_POST['Email'] . "'";

#2

You should never insert user-submitted data directly into the query. At the moment your code is vulnerable to SQL injection hacks. Look into prepared/parameterized queries; then your queries should look something like this.

[php]$sql = 'UPDATE Volunteers
SET FirstName = ?,
LastName = ?,
Occupation = ?,
Relax = ?,
Q4_question = ?,
Q4_answer = ?,
Q5_question = ?,
Q5_answer = ?,
Q6_question = ?,
Q6_answer = ?
WHERE Email = ?';[/php]

[hr]

Please show the output of var_dump($sql) - the query itself may give an idea of what’s wrong.

#3

Yes, listen to JimL. Also, your quotes are all messed up. Normally, the flow would be more like this:

  1. Pull the data from the form into PHP variables.

  2. Validate and sanitize the data inside the PHP variables.

  3. Execute the query.

To do #1 it would just be $Q4_answer = $_POST["Q4_answer"]; nothing more.
Then, when using that answer no further quotes are needed…
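Here is the three-step flow from post #3 combined with the parameterized UPDATE from post #2, written out as an added example (not code from the original poster or from either reply). The table and column names are the ones in the thread; the PDO DSN, credentials, the field-length limits in the validator and the helper function names are assumptions. The `renderOption` helper shows the `<option>` written back out with a quoted, escaped value attribute, since an unquoted HTML attribute value ends at the first space.

```php
<?php
// Added example (not from the thread): collect -> validate -> execute with
// PDO prepared statements. Table/column names are from the original post;
// DSN, credentials, limits and helper names are assumptions.
declare(strict_types=1);

$fields = ['FirstName', 'LastName', 'Occupation', 'Relax',
           'Q4_question', 'Q4_answer', 'Q5_question', 'Q5_answer',
           'Q6_question', 'Q6_answer', 'Email'];

// Step 1: pull the submitted fields into PHP variables, nothing more.
function collectFormData(array $post, array $fields): array
{
    $data = [];
    foreach ($fields as $name) {
        // A missing field becomes an empty string; stray whitespace is trimmed.
        $data[$name] = trim((string)($post[$name] ?? ''));
    }
    return $data;
}

// Step 2: validate. Reject bad input instead of trying to repair it.
// No SQL escaping happens here; the prepared statement takes care of that.
function validateFormData(array $data): array
{
    $errors = [];
    if (filter_var($data['Email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email is not a valid address.';
    }
    foreach (['FirstName', 'LastName'] as $name) {
        if ($data[$name] === '' || mb_strlen($data[$name]) > 100) {   // assumed limit
            $errors[] = "$name must be 1-100 characters.";
        }
    }
    return $errors;
}

// Step 3: execute with placeholders. Column names are fixed in the SQL text;
// only the values travel as bound parameters, so a question containing a
// quote (e.g. "What's your name?") can neither break nor alter the query.
function updateVolunteer(PDO $pdo, array $data): int
{
    $sql = 'UPDATE Volunteers
            SET FirstName   = :FirstName,
                LastName    = :LastName,
                Occupation  = :Occupation,
                Relax       = :Relax,
                Q4_question = :Q4_question,
                Q4_answer   = :Q4_answer,
                Q5_question = :Q5_question,
                Q5_answer   = :Q5_answer,
                Q6_question = :Q6_question,
                Q6_answer   = :Q6_answer
            WHERE Email = :Email';
    $stmt = $pdo->prepare($sql);
    // The keys of $data are exactly the eleven placeholder names, no extras.
    $stmt->execute($data);
    return $stmt->rowCount();
}

// Writing the <option> back out: quote the attribute and escape the value.
// An unquoted value attribute stops at the first space, so only the first
// word of a multi-word question would survive the round trip.
function renderOption(string $id, string $question): string
{
    $safe = htmlspecialchars($question, ENT_QUOTES, 'UTF-8');
    return "<option id=\"$id\" selected value=\"$safe\">$safe</option>";
}

// Usage (assumed DSN and credentials).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $data   = collectFormData($_POST, $fields);
    $errors = validateFormData($data);
    if ($errors !== []) {
        foreach ($errors as $e) {
            echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
        }
        exit;
    }
    $pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4',
                   'user', 'password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
    ]);
    $updated = updateVolunteer($pdo, $data);
    echo $updated === 1 ? 'Saved.' : 'No volunteer with that email.';
    echo renderOption('item20_0_option', $data['Q6_question']);
}
```

With `ATTR_EMULATE_PREPARES` off, PDO sends the statement text and the values to the server separately, so the values are never spliced into SQL on the PHP side at all; a `var_dump($sql)`, as post #2 suggests, would then show only placeholders and never any user input.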