inserts concatenated value in mysqli

Navigation
0

good afternoon, I have a form on a page where you get values, which through a file attached to the database, well now I want the value of a field concatenated me with a fixed string and two variable data, how do I include it in the code?

field I want to calcuate: marks get the data of the following chain: link

and the values that I want to concatenate are the ones I have in the initial variables and color, so that the value that should be inserted in the table should be this way: link

The code that I have and if it works is the following, but there it takes the form values 

$sql = "INSERT INTO 'stv_t_instaladores'
            (
            'nombre_completo',
            marca,
            estatus,
            'iniciales',
            'colorx'
            )
            VALUES
            (
            '$_POST[nombre_completo]',
            '$_POST[marca]',
            '$_POST[estatus]',
            '$_POST[iniciales]',
            '$_POST[colorx]'
            );";

I hope you gave me to understand, thank you.

    
asked by Pedro Jimenez 12.06.2017 в 21:32
source

3 answers

0

Son, first of all you do not need to put in the columns separated by quotation marks in the citation, besides every time you include something that comes by post (an array) you can concatenate it in the string in the following way: 

$sql = "INSERT INTO stv_t_instaladores
            (
            nombre_completo,
            marca,
            estatus,
            iniciales,
            colorx
            )
            VALUES
            (
            '".$_POST[nombre_completo]."',
            '".$_POST[marca]."',
            '".$_POST[estatus]."',
            '".$_POST[iniciales]."',
            '".$_POST[colorx]."'
            );";

Another way to do it using Injection of variables to the string can be: 

#1 pasar los valores del post a variables:
$nombre_completo = $_POST[nombre_completo];
$marca= $_POST[marca];
$estatus= $_POST[estatus];
$iniciales= $_POST[iniciales];
$colorx= $_POST[colorx];

# y luego concatenarlo:

    $sql = "INSERT INTO stv_t_instaladores
                (
                nombre_completo,
                marca,
                estatus,
                iniciales,
                colorx
                )
                VALUES
                (
                '$nombre_completo',
                '$marca',
                '$estatus',
                '$iniciales',
                '$colorx'
                );";

Citing that everything is text, or descimales, I have placed the values in single quote ('), in such a case you want to see the string you just have to put an echo in front of the variable. 

echo $sql;

EYE: The code as you have it now is vulnerable to SQL Injection. You are programming in the most insecure way there is, I recommend you move to PDO and Bind the values Link

    
answered by 12.06.2017 / 22:32
source
0

With this should be enough 

$sql = "INSERT INTO 'stv_t_instaladores'
        (
            'nombre_completo',
            marca,
            estatus,
            'iniciales',
            'colorx',
            'marcas'
        )
        VALUES
        (
            '$_POST[nombre_completo]',
            '$_POST[marca]',
            '$_POST[estatus]',
            '$_POST[iniciales]',
            '$_POST[colorx]',
            '" . $_POST[iniciales] . $_POST[colorx] . "'
        );";
    
answered by 12.06.2017 в 21:48
0

Firstly I want to warn, as has been said in some comment, that the code as you have it now is vulnerable SQL injection .

It is a bad practice to build complete SQL strings , since this string can be maliciously modified and include table deletion code, or queries to obtain user keys, etc.

In response to the core of your question, you could get the content of your URL dynamically using $_SERVER['REQUEST_URI'] , which is used to obtain the URI used to access the page. In this case it will return: /marca/pj/#0000ff , then you can get each part using explode .

Example:

VIEW DEMO 

<?php 

/*
    * Rextester no permite usar $_SERVER['REQUEST_URI']
    * Creamos el resultado que daría de forma manual
    * En tu servidor debería funcionar de forma dinámica con esta línea:
    * $miURL=$_SERVER['REQUEST_URI'];
*/

    $miURL=$_SERVER['REQUEST_URI'];

    // Creamos un arreglo usando el separador /
    $arrURL= explode('/', $miURL);

    // Leemos e imprimimos cada parte
    $marca=$arrURL[1];
    $inicial=$arrURL[2];
    $color=$arrURL[3];

    echo $marca."\n";
    echo $inicial."\n";
    echo $color."\n";

?>

Result 

marca
pj
#0000ff

The next step would be to do the INSERT , but applying prepared queries to it.

    
answered by 13.06.2017 в 03:24
Do not show Hosting when sending e-mail with PHP Update inventory