php select the table, then column in SQL by PHP

[Sigmahokies]

Hi everyone, I'm trying to create to select the name of table, then pick column in PHP, I succeed pick table, then put name table in variable, then put this variable to end of SQL syntax, then pick column name, then submit, but it went error by broke and violate of SQL syntax. Hey, It's not about SQL injection, this database is very useless. it's just practice.

Can you help why it won't work?

[php]

$sqltable = "SHOW TABLES";

$querytable = $GaryDB->query($sqltable);

while($row3 = $querytable->fetch()) {
    $table .= "<option value='$row3[0]'>" . $row3[0] . "</option>";
}
    if(isset($_POST['table'])) {
        $table2 = $_POST['table'];

        $sql = "SHOW COLUMNS FROM $table2 WHERE Field NOT IN ('id')";

        $query = $GaryDB->query($sql);

        while ($row = $query->fetch()) {
            $list .= "<option value='$row[0]'>" . $row[0] . "</option>";
        }
}
        if(isset
        ($_POST['col'])){
        $col = $_POST['col'];

        $selsql = "SELECT $col FROM $table2";

        $colquery = $GaryDB->query($selsql);

        while ($row2 = $colquery->fetch()) {
            $list2 .= "<tr><td>" . $row2[0] . "</td></tr>";
        }
        } else {
            $list2 = "No column on table";
        }
?>
<html>
<head>
<title>Gary Taylor's demonstration PHP Page</title>
</head>
<body>
<p>Welcome to Gary Taylor's demonstration in PHP page.</p>
<br />
<form action="demonstration.php" method="post">
    <table>
        <tr><td><?php echo $selsql ?></td></tr>
        <tr><td>Please select table: <select name="table">
                    <?php echo $table ?>
                </select></td><td><input type="submit" name="submit2" value="selected"></td></tr>
    </table>

</form>
<form action="demonstration.php" method="post">
<table>
    <tr><td colspan="2">Sample of SELECT in column's name in table.</td></tr>
    <tr><td>SELECT <select name="col">
                    <?php echo $list ?>
            </select> FROM <?php echo $table2 ?></td><td><input type="submit" name="submit" value="selected"></td></tr>
</table>
</form>
    <table>
        <?php echo $list2 ?>
    </table>
</body>
</html>

[/php]

Thank you in advance times.

[niche]

Where does it break exactly? What's the exact error message? Where's your error reporting? 

https://www.w3schools.com/php/func_mysqli_error.asp

Edited May 6, 2021 by niche

[Sigmahokies]

Niche,

I'm using PDO, not mysqli. I just set up the connection, it works perfectly, but I'm struggle with correct SQL syntax. like this:

Fatal error: Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1

[niche]

Which query query is blowing up?

BTW, I use try/catch to do my PDO error reporting. That link was the quickest w3 link I could find as a error handling example.

Edited May 7, 2021 by niche

[Sigmahokies]

I think I know where it goes. I think second post didn't take from table name because it just took one name from second select, I added array into two

Like this: <select name="col[]"> then $_POST['col'][0] && $_POST['col'][1]; is that incorrect?

I mean, php put column name in, but it didn't put table name in SQL syntax

Edited May 7, 2021 by Sigmahokies

[niche]

If it works, it's correct.

If it doesn't, please post the relevant actual HTML that's produced, emphasis on relevant. 

[Sigmahokies]

Here you go

<?php

include("connection.php");

if(isset($mysqli_error)) {
    echo $mysqli_error;
}

$sqltable = "SHOW TABLES";

$querytable = $GaryDB->query($sqltable);

while($row3 = $querytable->fetch()) {
    $table .= "<option value='$row3[0]'>" . $row3[0] . "</option>";
}
    if(isset($_POST['table'])) {
        $table2 = $_POST['table'];

        $sql = "SHOW COLUMNS FROM $table2 WHERE Field NOT IN ('id')";

        $query = $GaryDB->query($sql);

        while ($row = $query->fetch()) {
            $list .= "<option value='$row[0]'>" . $row[0] . "</option>";
        }
    }
        if (isset
        ($_POST['col'])) {
            $col = $_POST['col'][0];
            $table3 = $_POST['col'][1];

            $selsql = "SELECT $col FROM $table3";

            $colquery = $GaryDB->query($selsql);

            while ($row2 = $colquery->fetch()) {
                $list2 .= "<tr><td>" . $row2[0] . "</td></tr>";
            }

        } else {
            $list2 = "No column on table";
        }

?>
<html>
<head>
<title>Gary Taylor's demonstration PHP Page</title>
</head>
<body>
<p>Welcome to Gary Taylor's demonstration in PHP page.</p>
<br />
<form action="demonstration.php" method="post">
    <table>
        <tr><td><?php echo $selsql ?></td></tr>
        <tr><td>Please select table: <select name="table">
                    <?php echo $table ?>
                </select></td><td><input type="submit" value="selected"></td></tr>
    </table>

</form>
<form action="demonstration.php" method="post">
<table>
    <tr><td colspan="2">Sample of SELECT in column's name in table.</td></tr>
    <tr><td>SELECT <select name="col[]">
                    <?php echo $list ?>
            </select> FROM <?php echo $table2 ?></td><td><input type="submit" value="selected"></td></tr>
</table>
</form>
    <table>
        <?php echo $list2 ?>
    </table>
</body>
</html>

Edited May 7, 2021 by Sigmahokies

[niche]

That's the code. If it's not working, show the the least amount of html, that shows the actual available inputs, that go into the sql.

EDIT:

Or, the resulting $_POST array.

 

Edited May 7, 2021 by niche

[Sigmahokies]

I was right, html shows table name didn't be post. how can I post table name? I used array to take two name to post, but it didn't work. Like this:

select name="col[]",

then,

$col = $_POST['col][0];

$table3 = $_POST['col'][1];

but it didn't post from col 1

[niche]

I suppose you do it with 

$sqltable = "SHOW TABLES";

I've never used it, but a quick google says it should work.

Then, all you need to do is get the results into your flow.

Voila!

EDIT: Let me know if you need help with that.

Edited May 7, 2021 by niche

[Sigmahokies]

I did that, show tables is work. it's what not work is name in html did not take two array to post, to send to SQL syntax. It took one name from, not two. 

my echo shows :

 

Welcome to Gary Taylor's demonstration in PHP page.

 

SELECT FirstName FROM
Please select table:                      Memberscityuser_details

Sample of SELECT in column's name in table.
SELECT                                   FROM

SELECT FirstName FROM

Look at "Select FirstName FROM" that's where table name is missing

[Sigmahokies]

I wish I can show you by record screen, but this forum limit to 500 KB

[niche]

This produced a list of my tables:

		try {	
			$sql = '
				SHOW TABLES
			';
			$stmt0 = $db0->prepare($sql);
		} catch (PDOException $e) {
			echo $e->getMessage() . '<br>';			
		}

		try {	
			$stmt0->execute();
		} catch (PDOException $e) {
			echo $e->getMessage() . '<br>';
		}		
		
		$tables =  $stmt0->fetchall(PDO::FETCH_ASSOC);
		var_dump($tables);

Get $tables into your flow.

[niche]

I think this is the problem:

  $sql = "SHOW COLUMNS FROM $table2 WHERE Field NOT IN ('id')";

EDIT:

This is the solution:

$sql = "SHOW COLUMNS FROM ' . $table2 . ' WHERE Field NOT IN ('id')";

Remember, $sql is a string!

Edited May 7, 2021 by niche

[Sigmahokies]

I said show tables work fine. my point is inside html, name in select didn't take TWO names. I set up array to take two. Like this:

in HTML - <select name="col[]">

in PHP - $col = $_POST['col'][0];

               $table3 = $_POST['col'][1];

so, it didn't take name col to second array to post, get it?

 

[niche]

see my last post

[Sigmahokies]

No, add two dot before and after table2 is not solution. SQL syntax will not work. my original shows without dot is working. 

my point is name in select in html did not take two of them, just one took in.

[Sigmahokies]

In HTML

<table>
    <tr><td colspan="2">Sample of SELECT in column's name in table.</td></tr>
    <tr><td>SELECT <select name="col[]">
                    <?php echo $list ?>
            </select> FROM <?php echo $table2 ?></td><td><input type="submit" value="selected"></td></tr>
</table>

in PHP

if (isset
        ($_POST['col'])) {
            $col = $_POST['col'][0];
            $table3 = $_POST['col'][1];

            $selsql = "SELECT $col FROM $table3";

            /*$colquery = $GaryDB->query($selsql);

            while ($row2 = $colquery->fetch()) {
                $list2 .= "<tr><td>" . $row2[0] . "</td></tr>";
            }*/

output: SELECT Name FROM (blank)

[niche]

Then something going wrong in the if.

EDIT:

What's $_POST look like?

Edited May 7, 2021 by niche

[dsonesuk]

If its not a multiple select it should be

<select name="col[]">

<option value=" tablename, columnname"> blah </option>

explode the values from post using ',' as the delimiter into a variable  as array, then use $postarraytest[0] and $postarray[1];

Its not like a checkbox where you have multiple values sent depending on individual checkboxes checked, you are sending multiple values on a single selection.

Edited May 9, 2021 by dsonesuk

[Sigmahokies]

Hi dsonesuk,

I tried that, it won't work. I used session to save first call name from html to post, so i can use session string in second block in php to insert string in SQL syntax. I know it's not properly to do that, do you know how to save string for second block in php?

It's about user pick table, then pick column in table that user picked. Like this:

User pick name of table, then move this string word to SQL syntax, then user pick name of column, then move this strong to SQL syntax. Like - SELECT (picked name of column by user) FROM (picked name of table by user). 

Plus, how can you post as code form in this thread? I mean, screen of gray and courier font on display

Thank you