Re: Run a SQL query based on HTML drop down selection?

On 30 Oct, 07:34, GazK <inva...@xxxxxxxxxxxxxxx> wrote:
Jerry Stuckle wrote:
Joe wrote:
This is my HTML form:

<form method=get action="home.php">
<INPUT TYPE = "Text" VALUE = "" NAME = "title"><br>
<select name="searchby">
<option value="Title">Title</option>
<option value="Year">Year</option>
<option value="Genre">Genre</option>
<option value="Director">Director</option>
</select>

And here is the relevant PHP query:

$query = "SELECT Title, ReleaseYear, Rating, Director, RunningTime,
Genre
FROM movie
WHERE $searchby LIKE '%$title%'
GROUP BY $searchby";

Assume that "$title" is a string of text (not necessarily a movie
title). My problem seems to be that I cant use the variable $searchby
within a SQL query. Is there a workaround for this?

There should be no problem - as long as your columns are named Title,
Year, Genre and Director.

What do you get when you echo $query, and what is your error message?

A couple of possibilities to try:

- does $searchby need to be in quotes? ie .... GROUP BY '$searchby'"

No. Its a column name.

- depending on your php setup, you may need to use $_GET['searchby']
rather than $searchby - although this would affect your other form
parameters too.

No - register_globals is deprecated - even if it is configured as 'on'
you should write your code as if it were off.

And, even though MySQL only allows one query per function call, there
should be validation in place to prevent SQL injection.

OP's code should work.

C.
.