根据表单输入过滤数据库查询

Hello I can't get my script fully operational.

I have it calculating properly but now need a query for fuel type.

<?php

include 'mysql_connect.php';

$query = "SELECT * FROM fuel_price WHERE FuelType='Oil'" ;

$result = mysql_query($query);
$price= mysql_fetch_array($result);


if(isset($_POST['submit'])){

 echo "The Price Today is  ";

 echo "£"; echo $_POST['qtylitres'] * $price ['Price'];



 } else {

echo "Please select value";

}

?>

I need to to check fueltype selected on form and calculate total accordingly.

eg $query = "SELECT * FROM fuel_price WHERE FuelType='{$_POST['fueltype'];}'" ;

Please help anyone under pressure.

Thanks

include 'mysql_connect.php';

if(isset($_POST['submit'])){
    if($_POST['inputEmail'] == ''){
        echo 'Please enter an email address';
    } else{
        // show price
        $fuelPriceQuery = sprintf("SELECT `Price` FROM fuel_price WHERE FuelType = '%s' LIMIT 1",
                    mysql_real_escape_string($_POST['fueltype']));

        $fuelPriceResult = mysql_query($fuelPriceQuery);
        $price           = mysql_fetch_array($fuelPriceResult, MYSQLI_ASSOC);
        echo 'The Price Today is £'.($_POST['qtylitres'] * $price['Price']);

        // insert email
        $addEmailQuery  = sprintf("INSERT INTO `subscribe`(`Email`) VALUES('%s')",
                            mysql_real_escape_string($_POST['inputEmail']));
        $addEmailResult = mysql_query($addEmailQuery);
        if($addEmailResult){
            echo 'You have successfully subscribed';
        } else{
            echo 'Sorry, we could not subscribe you at this time. Please try again.';
        }
    }
} else {
    echo "Please select value";
}

A couple of things to note:

  1. Always make sure to escape the user input by using mysql_real_escape_string, if you are not using prepared statements such as PDO, MySQLi, etc...

  2. I added the LIMIT clause to the query so mysql_fetch_array will work, because if it returns more than one row, then you would have to handle it in a loop.

  3. It is not necessary to use multiple echos, in fact it is better if you use as few as possible.

$fueltype = mysql_real_escape_string($_POST['fueltype']);
$query = "SELECT price 
          FROM fuel_price 
          WHERE FuelType= '$fueltype'
          ORDER BY pricedate DESC
          LIMIT 1 ";

Explanation

  1. Always use either PDO or mysql_real_escape_string()
  2. Don't do SELECT *, only select the fields you need.
  3. Put the injected $var in single quotes, or mysql_real_escape_string() will not work!
  4. If you only need one price, select only 1. Use limit 1 to get only 1 and order by ... DESC to get the latest.