从名称列表下拉表单中提取MySQL INSERT的ID

时间:2015-02-09 21:13:00

标签: php mysql forms

我有一个表单,员工可以输入他们订购的零件,然后将其显示在列表中供所有员工查看。这是我的表格:

<form method="post" action="../libraries/addpart.php">
                <div class="form-group col-lg-4 col-lg-offset-4">
                    <label for="job_id">Job #</label>
                    <input type="text" class="form-control" name="job_id" placeholder="Job #">
                </div>
                <div class="form-group col-lg-4 col-lg-offset-4">
                    <label for="part_needed">Part Needed</label>
                    <input type="text" class="form-control" name="part_needed" placeholder="Part Needed">
                </div>
                <div class="form-group col-lg-4 col-lg-offset-4">
                    <label for="date_ordered">Date Ordered</label>
                    <input type="date" class="form-control" name="date_ordered">
                </div>
                <div class="form-group col-lg-4 col-lg-offset-4">
                    <label for="vendor_id">Ordered From</label>
                    <select class="form-control" name="vendor_id">
                        <option></option>
                        <?php
                        while ($row = mysqli_fetch_array($vendors)) {
                            // Print out the contents of the entry
                            echo '<option>' . $row['vendor_name'] . '</option>';
                        }
                        ?>
                    </select>
                </div>
                <div class="form-group col-lg-4 col-lg-offset-4">
                    <label for="part_needed">ETA</label>
                    <input type="date" class="form-control" name="part_eta">
                </div>
                <button type="submit" class="btn btn-primary col-lg-2 col-lg-offset-5" name="addbutton">Submit</button>
            </form>

表单使用下拉列表,通过查询vendors表来显示供应商名称而不是ID。提交表单时,我需要将记录插入到仅包含供应商ID的ordered_parts表中,而不是名称。这是我(相当混乱)的尝试:

/*
*   Get Vendor ID
*/
    $vendorname = $_POST['vendor_id'];

    $query = "SELECT * FROM `vendors`
        WHERE vendor_name = $vendorname";
//Get results
    $vendorid = $mysqli->query($query) or die($mysqli->error . __LINE__);

    $job = $_POST['job_id'];
    $part = $_POST['part_needed'];
    $date = $_POST['date_ordered'];
    $vendor = $vendorid['vendor_id'];
    $eta = $_POST['part_eta'];


    $partorder = "INSERT INTO `ordered_parts`
            (job_id, part_needed, date_ordered, vendor_id, part_eta)
            VALUES
            ('$job', '$part', '$date', '$vendor', '$eta')";

    $result = mysqli_query($mysqli, $partorder);
    if ($result) {
        header('Location: ../views/ordered-parts.php');
    } else {
        echo("<br>Failed to add");
    }
}

我得到的错误是:

  

&#34;您的SQL语法出错了;检查手册   对应于您的MySQL服务器版本,以使用正确的语法&#34;

正如您可能知道的那样,在此项目之前,我没有真正的数据库经验。关于如何实现这一目标的任何想法?

1 个答案:

答案 0 :(得分:0)

子查询会在一个声明中将其删除;无需先查询vendors表:

INSERT INTO `ordered_parts`
(job_id, part_needed, date_ordered, part_eta, vendor_id)
VALUES
('$job', '$part', '$date', '$eta', SELECT `vendor_id` FROM `vendors` WHERE `vendor_name` = '$vendor')

话虽如此,A.D。是正确的 - 以这种方式构建查询会使您容易受到 SQL注入的攻击。您可以利用mysqli&#34;参数化&#34;查询以避免这种情况,或使用字符串转义函数。

相关问题
最新问题