Daanvn

Reputation: 1266

Storing query result in variable

I have a form where people can subscribe or unsubscribe to a newsletter (this works). The problem is that when I want to insert the data into a database I get a problem. The form itself is this:

<form action="subscriptionsedit2.php?CusID=&lt;?=$_GET[">
    " name="frmEdit" method="post"&gt; <?php  
    $objConnect = mysql_connect("localhost","root","root") or  die(mysql_error());  
    $objDB = mysql_select_db("NAW");  
    $strSQL1 = "SELECT ID, Titel FROM Mail";
    $strSQL = "SELECT * FROM Klant WHERE ID =  '".$_GET["ID"]."' "; 
    $objQuery = mysql_query($strSQL);  
    $objQuery1 = mysql_query($strSQL1); 
    $objResult = mysql_fetch_array($objQuery);
    if(!$objResult)  
    {  
    echo "Not found ID=".$_GET["ID"];  
    }  
    else  
    {  
    ?>

    <fieldset>
        <legend>Wijzig</legend>

        <table width="600" border="1">
            <tr>
                <th width="91">
                    <div align="center">
                        ID
                    </div>
                </th>
            </tr>

            <tr>
                <td>
                    <div align="center">
                        <?=$objResult["ID"];?>
                        </div>
                </td>
            </tr>
        </table><br>

        <table width="600" border="1">
            <tr>
                <th width="91">
                    <div align="center">
                        ID
                    </div>
                </th>

                <th width="91">
                    <div align="center">
                        Subscribe
                    </div>
                </th>

                <th width="91">
                    <div align="center">
                        Unsubscribe
                    </div>
                </th>
            </tr><?php 
            $i = 0;  
            while($objResult1 = mysql_fetch_array($objQuery1))  
            {  
            $i++;  
            ?>

            <tr>
                <td>
                    <div align="center">
                        <?=$objResult1["ID"];?>
                        </div>
                </td>

                <td>
                    <div align="center">
                        <input type="checkbox" name="sub" value="10">
                    </div>
                </td>

                <td>
                    <div align="center">
                        <input type="checkbox" name="sub" value="90">
                    </div>
                </td>
            </tr><?php  
            }  
            ?>
        </table>
    </fieldset><!-- content --><input type="submit" name="submit" value="Submit"> <input type="button" name="cancel" value="Cancel" onclick="window.location='klanten.php'"> <?php  
    }  
    mysql_close($objConnect); 
    ?>
</form> 

On subscriptionsedit2.php the data will be inserted in the database like this:

mysql_connect('localhost','root','root');
mysql_select_db('NAW') or die (mysql_error());

$Klant_ID = $objResult["ID"];
$Mail_ID = $objResult1["ID"];
$Status = $_POST['sub'];
$Datum = date("d-m-y");

$sql = mysql_query("INSERT INTO Subscriptions (Klant_ID, Mail_ID, Status, Datum) VALUES ('".$Klant_ID."', '".$Mail_ID."', '".$Status."', '".$Datum."')") or die (mysql_error());

This is the error I get:

Notice: Undefined variable: objResult in /var/www/Mail/subscriptionsedit2.php on line 16
Notice: Undefined variable: objResult1 in /var/www/Mail/subscriptionsedit2.php on line 17

As you can see there is no value in the variables $Klant_ID and $Mail_ID. So my question is how do I store the Klant_ID (<?=$objResult["ID"];?>) and the Mail_ID (<?=$objResult1["ID"];?>) into a variable correctly? I hope this question is clear enough but if you have any questions about it just comment ^^. If anyone has an idea on how to do this it would be great!

Upvotes: 0

Views: 1060

Answers (2)

Valky

Reputation: 1866

BTW mysql, mysqli or PDO, the $objResult["ID"] doesn't exist while submitting your form!

It has to be transmitted by your form with a POST var.

You'll have to do something like the following to transmit your vars while submitting your form:

<input type="text" name="objResult" value="<?php echo $objResult["ID"]; ?>" />

And then you could access it in your subscriptionsedit2.php with $_POST['objResult']

Edit

If you don't want to display it, hide this input:

<input type="hidden" name="objResult" value="<?php echo $objResult["ID"]; ?>" />

Upvotes: 1

Wolfman Joe

Reputation: 799

Your app there is very susceptible to injection attacks.

First off, never, never, NEVER use raw $_GET and $_POST values in your SQL statements.

Secondly: Use mysqli_ instead of mysql_ - mysql_ is deprecated and getting removed.

Third: if you must use mysql_, make sure you use mysql_real_escape_string

Fourth: If you're inserting into an integer field in a database, don't use quotes around the value.

Fifth: I'm not sure where your various code snippets relate to each other, but try dumping the values of $Klant_ID and $Mail_ID to a log file so you can make sure they actually have the values in them. The problem might be earlier in the code, and not in the SQL statement area itself.

Upvotes: 0
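
The two answers combined, as an added example that is not part of either post: the IDs arrive as POST fields (as in Valky's answer) and are treated as untrusted input, then written with a prepared statement instead of string concatenation (the injection risk Wolfman Joe's answer points out). It uses PDO, one of the APIs mentioned above; the POST field names klant_id and mail_id and the function name save_subscription are assumptions, and an in-memory SQLite database stands in for the MySQL database so the script runs on its own.

```php
<?php
// Added example. Table and column names come from the question;
// the POST field names klant_id / mail_id are assumptions.

function save_subscription(PDO $db, array $post): int
{
    // Hidden form fields are client-controlled, so validate them as positive integers.
    $opts    = ['options' => ['min_range' => 1]];
    $klantId = filter_var($post['klant_id'] ?? null, FILTER_VALIDATE_INT, $opts);
    $mailId  = filter_var($post['mail_id'] ?? null, FILTER_VALIDATE_INT, $opts);
    // The question's form only ever sends 10 or 90 in the "sub" field.
    $status  = filter_var($post['sub'] ?? null, FILTER_VALIDATE_INT);

    if ($klantId === false || $mailId === false || !in_array($status, [10, 90], true)) {
        throw new InvalidArgumentException('Invalid subscription input');
    }

    // Placeholders keep the values out of the SQL text entirely.
    $stmt = $db->prepare(
        'INSERT INTO Subscriptions (Klant_ID, Mail_ID, Status, Datum)
         VALUES (:klant, :mail, :status, :datum)'
    );
    $stmt->execute([
        ':klant'  => $klantId,
        ':mail'   => $mailId,
        ':status' => $status,
        ':datum'  => date('d-m-y'), // same date format as the question
    ]);
    return (int) $db->lastInsertId();
}

// Constructed demo: SQLite in memory replaces the NAW database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Subscriptions (ID INTEGER PRIMARY KEY,
           Klant_ID INTEGER, Mail_ID INTEGER, Status INTEGER, Datum TEXT)');

// Constructed well-formed submission.
echo 'inserted row ', save_subscription($db, ['klant_id' => '7', 'mail_id' => '3', 'sub' => '10']), "\n";

// Constructed tampered submission: rejected before any SQL is executed.
try {
    save_subscription($db, ['klant_id' => "7' OR '1'='1", 'mail_id' => '3', 'sub' => '10']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Against MySQL only the PDO constructor changes (a `mysql:` DSN with the application's own credentials); the validation and the prepared statement stay the same.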
