wowzuzz

Reputation: 1388

Setting SQL Query equal to an Array

I am doing a query as follows

select id, prefix, fname, lname, suffix, city, state, zip, bio, votes from stateChair_nominees where id=$candidate_id

My candidate id is equal to the post method.

$candidate_id = $_POST;

I keep getting this error..

select id, prefix, fname, lname, suffix, city, state, zip, bio, votes from stateChair_nominees where id=Array" Invalid query1Unknown column 'Array' in 'where clause

I am getting the invalid query1 error because it goes to that on a die

$result_candidate = mysql_query($sql_candidate, $link) or die("Invalid query1". mysql_error());

Why is my id saying equal to array?

where id=Array"

I want my sql statement to be equal to each id upon the vote. How do I get my query to do this?

Thanks :)

Upvotes: 0

Views: 890

Answers (2)

Brandon Horsley

Reputation: 8104

$_POST is an array containing the entire form as received in the request. It might help you to view

print_r($_POST);

You will want to reference the actual form variable name, for example:

$candidate_id = $_POST['id'];

If you are expecting an array of IDs, your SQL will need to use the IN clause and implode the ID array.

$candidate_ids = $_POST['id'];

/* escape $candidate_ids here, you can use array_walk for this */

$sql = 'select ... where candidate_id in (' . implode(',', $candidate_ids) . ')';

Make sure you are properly escaping your dynamic SQL as well.

Upvotes: 0

Chris Hepner

Reputation: 1552

$_POST is an array of all values passed via POST. If you're submitting a form containing an input element with name 'id', like this,

`<input name="id" value="Your_ID_Here" />`

you would use $_POST['id'].

Also, your query is vulnerable to SQL injection. Escape that value with mysql_real_escape_string() or use prepared statements (mysqli or PDO).

Upvotes: 3
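
The prepared-statement route both answers point to, as an added example that is not part of either answer: it accepts `$_POST['id']` as a single value or as an array, validates each entry as an integer, and binds the values to an `IN (...)` list instead of concatenating them. Assumptions: PDO with an in-memory SQLite table stands in for the MySQL table, the helper name `fetchNominees` is hypothetical, and the rows and request values are constructed.

```php
<?php
// Constructed in-memory SQLite table standing in for the question's
// MySQL table (assumption), so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE stateChair_nominees (id INTEGER PRIMARY KEY, fname TEXT, lname TEXT, votes INTEGER)');
$pdo->exec("INSERT INTO stateChair_nominees VALUES (1,'Ann','Lee',10),(2,'Bob','Ray',7),(3,'Cy','Fox',4)");

/**
 * Hypothetical helper. $rawIds is the raw value of $_POST['id']: a string
 * for <input name="id">, an array for <input name="id[]">.
 */
function fetchNominees(PDO $pdo, $rawIds): array
{
    $ids = [];
    foreach ((array) $rawIds as $raw) {
        // Accept positive integers only; nested arrays and strings such
        // as "1 OR 1=1" fail validation and never reach the query.
        $id = is_scalar($raw)
            ? filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]])
            : false;
        if ($id === false) {
            throw new InvalidArgumentException('id must be a positive integer');
        }
        $ids[] = $id;
    }
    if ($ids === []) {
        return []; // "IN ()" is a syntax error, so stop on empty input
    }
    // One "?" per id: only placeholders are concatenated, never values.
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT id, fname, lname, votes FROM stateChair_nominees WHERE id IN ($marks) ORDER BY id");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT); // positions are 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed stand-ins for $_POST['id'] in three different requests.
print_r(fetchNominees($pdo, '2'));          // single id
print_r(fetchNominees($pdo, ['1', '3']));   // id[] checkboxes
try {
    fetchNominees($pdo, '1 OR 1=1');        // rejected before any SQL runs
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```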
