
I'm posting my form below. Variable "e" in the form below is supposed to be the contents of a table cell on the same page. The part below that is in a file called insert.php. How can I put var e in mysql?

There are already a lot of answers to this question on Google (and this site) with code that doesn't specify what to replace, with what, at which spots in the code, and which files the code goes in. Help us newbies with specifics! The code below seems to be a standard; how would I and others modify this code to work with a variable? Var e being the contents of a table cell on the same page.

Thanks!


var e = document.getElementById("ItemName1").innerHTML);


<form action="insert.php" method="post">
<input type="hidden" name="save_name" value=e>
<input type=image
onmouseover='this.src="http://www.mysite.com/images/MouseOver.png"'
onmouseout='this.src="http://www.mysite.com/images/MouseOut.png"'
src="http://www.mysite.com/images/MouseOut.png">
</form>

<html>
<head>
</head>
<body>

<?php
$con = mysql_connect("localhost","removed for now","removed for now");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

mysql_select_db("removed for now", $con);

$sql="INSERT INTO Temp_Name (item_name) VALUES ('$_POST[save_name]')";

if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "1 record added";
echo $sql;

mysql_close($con)
?> 
</body>
</html>

2 Answers


Change this line

$sql="INSERT INTO Temp_Name (item_name) VALUES ('$_POST[save_name]')";

to

$name = mysql_real_escape_string($_POST['save_name']);
$sql="INSERT INTO Temp_Name (item_name) VALUES ('$name')";

And read more about SQL Injection

and in a real scenario please don't echo your query string

To get the value of the input using javascript here is what you do

<input type="hidden" name="save_name" id="input1" value="e">

javascript:

var value = document.getElementById("input1").value;
– Ibu

First off, your Javascript has an unmatched closing brace, which I have to assume is accidental. Corrected version:

var e = document.getElementById("ItemName1").innerHTML;

To set the contents of this variable as the value of the hidden text field, you should (on pageload) do something like:

document.getElementById("hiddenelement").value=e;

and then change your form's hidden element to:

<input type="hidden" name="save_name" id="hiddenelement">

As for your mySQL query, what you have right now is extremely dangerous. You're executing an unescaped query that contains text that came from the client-side.

Please read about the vulnerability known as SQL injection

– Jared Ng
  • I tried both of your ways and they both put the letter e in mysql instead of the td value. Something is reading the variable as a string instead of as a variable (I think). This line is now in body onload - var e = document.getElementById("ItemName1").value); – should_be_simple Aug 10 '11 at 22:54
  • The code I gave you puts the letter e in MySQL because that's what the hidden text field contains (you put ``). Try wrapping the table cell value you want in `` tags, and then use `var e = document.getElementById("somename").innerHTML` on page load. – Jared Ng Aug 10 '11 at 23:04
  • I tried that and it still is putting the letter "e" in mysql. – should_be_simple Aug 10 '11 at 23:20
  • Can we see some example HTML of the table you're trying to pull from? It would also be helpful to see the javascript you have after the suggested changes. – Jared Ng Aug 10 '11 at 23:28
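Both answers above make the same two points: fill the hidden input from the table cell with JavaScript on page load, and never interpolate `$_POST` data into the SQL string. The following is an added example (not code from the question or from either answer) that does both in one self-posting page. It keeps the table and column names from the question (`Temp_Name`, `item_name`) and the element ids from the answers (`ItemName1`, `hiddenelement`); the database credentials are placeholders. It uses `mysqli` with a prepared statement rather than the `mysql_*` functions, because that extension was removed in PHP 7 and a bound parameter is sent separately from the SQL text, so the client value cannot alter the query. Note that the hidden field is still client-supplied input: whatever the script copies into it, the server has to treat the posted value as untrusted.

```php
<?php
// Added example, not from the question or either answer. A self-posting page:
// on POST it inserts the item name with a prepared statement, then it renders
// the table cell, the form, and the script that fills the hidden input on load.
declare(strict_types=1);

// Assumed placeholders; replace with real values.
const DB_HOST = 'localhost';
const DB_USER = 'db_user_placeholder';
const DB_PASS = 'db_password_placeholder';
const DB_NAME = 'db_name_placeholder';

$message = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The hidden field is client-supplied, so treat it as untrusted input
    // regardless of where the JavaScript copied it from.
    $name = trim($_POST['save_name'] ?? '');

    if ($name === '' || strlen($name) > 255) {
        $message = 'Nothing saved: item name missing or too long.';
    } else {
        // Make mysqli throw on failure instead of returning false silently.
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
        try {
            $db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
            $db->set_charset('utf8mb4');

            // Placeholder instead of string interpolation: the value travels
            // separately from the SQL text, so it can never change the query.
            $stmt = $db->prepare('INSERT INTO Temp_Name (item_name) VALUES (?)');
            $stmt->bind_param('s', $name);
            $stmt->execute();
            $message = '1 record added';   // report success, never the query text
            $stmt->close();
            $db->close();
        } catch (mysqli_sql_exception $ex) {
            error_log('insert failed: ' . $ex->getMessage()); // details go to the log
            $message = 'Could not save the item.';             // generic text to the user
        }
    }
}
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Save item</title></head>
<body>
<?php if ($message !== ''): ?>
<p><?= htmlspecialchars($message, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>

<table>
  <tr><td id="ItemName1">Widget 42</td></tr> <!-- constructed sample cell -->
</table>

<form method="post" action="">
  <!-- value is left empty; the script below fills it on page load -->
  <input type="hidden" name="save_name" id="hiddenelement" value="">
  <input type="submit" value="Save">
</form>

<script>
// Runs after the DOM is parsed, so both elements exist. textContent gives the
// cell's text without any markup (innerHTML would include tags).
document.addEventListener('DOMContentLoaded', function () {
  var e = document.getElementById('ItemName1').textContent;
  document.getElementById('hiddenelement').value = e.trim();
});
</script>
</body>
</html>
```

The confirmation message is passed through `htmlspecialchars` before it is echoed, and the failed query details go to the server log rather than to the response, which is the point Ibu makes about not echoing the query string. If the hidden input still arrives as the literal text "e", as in the comments above, the script did not run or the ids do not match; viewing the page source after load shows which.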