Insert form value into SQL query using jquery or javascript

Question

Insert form value into SQL query using jquery or javascript

I have the following fields in the form. The page uses .Net and MS SQL

<input type="text" name="Title" id="Title" />
<input type="text" name="FirstName" id="FirstName" />
<input type="text" name="LastName" id="LastName" />

I would like to be able to capture these values and write them to the SQL query further in the same form ...

SELECT LastApp, 
FROM   kb_xmod_modules 
WHERE  infby1 = 'Dr Brian Cox'

In this example, Dr. Brian Cox will be replaced with any values entered in Title, FirstName and LastName

If anyone has any ideas, that would be great ...

thank

+3

javascript jquery sql .net dotnetnuke

Willb Mar 22 '11 at 7:23

source share

3 answers

Luca filosofi · Answer 1 · 2011-03-22T11:50:45+0000

<form id="myForm">
<input type="text" name="Title" id="Title" />
<input type="text" name="FirstName" id="FirstName" />
<input type="text" name="LastName" id="LastName" />
<input type="submit"/>
</form>

$(function() {
   $('#myForm').submit(function(){
      var query = $(this).serialize();
      $.post("post.php", query);
      return false;
  });
});

now your post.php page will get values $_POSTsimilar to this:

$_POST['FirstName'] . $_POST['LastName'] .  $_POST['Title']

So

SELECT LastApp, 
FROM   kb_xmod_modules 
WHERE  infby1 = '".mysql_real_escape_string($_POST['FirstName'].' '.$_POST['LastName'])."'

Elad lachmi · Answer 2 · 2011-03-22T07:33:36+0000

You need to do this for the where clause:

WHERE infby1 = "'" + $('Title').val() + " " + $('FirstName').val() + " " + $('LastName').val() + "'"

Havnt tested this, but this should do the trick.

bw_üezi · Answer 3 · 2011-03-22T07:59:30+0000

You should not expose SQL to the client by creating an SQL string with javascript or jQuery on the client. this task must be performed on the server side. example of SQL injection - if one input field has text, for example

a';DROP TABLE `kb_xmod_modules`; SELECT * FROM `kb_xmod_modules` WHERE 't' = 't

escaping in your input 'with ''is one way to avoid sql injection. A prepared sql statement is another solution.

You must indicate in which environment you are programming your project. What programming language?

Insert form value into SQL query using jquery or javascript

More articles: