In PHP, If i have this assign:
$link = 'Home';
And in another php section i need to grab the value of $link and insert it in a MYSQL query in plain text, like this:
$sql = "SELECT txt FROM Home WHERE id = 1";
Note that $link has been written in the format of it's value in the query. Basically i need to see the inside of the $link var and write it down on the query.
Why i need this -> because i'm creating php files on the fly after the click of a submit button. And inside of the newly created file is a tinymce text editor that needs to read it's text contents from a table that was also created on the fly along with this file.
Do you want something like this:
$sql = "SELECT txt FROM ".$link." WHERE id = 1";
What you want to do is this:
$sql = "SELECT txt FROM $link WHERE id = 1";
^ ^ ^
The double-quotes (") specify that the string has to be interpreted (with single quotes this won't work). Inside the string you can then write the name of the variable ($link) and it will be "supplanted" by its value.
I would'nt recommend doing this because it is vulnerable to SQL-injection and it is a very very bad practice that show that you do things in an uncommon way. Better avoid it!
EDIT: even worse...
When you say in a comment creates a mysql table with the name of the file that's an even worse thing to do. First, not all characters in a filename should go into a table name. Second, you can get litearlly anything as a filename, even things that are not actual filenames.
It is possible to forge a HTTP request so that the filename is an arbitrary string of your liking, for example:
a (); SELECT * FROM accounts; --
When you put this string into your query:
CREATE TABLE $filename (id int PRIMARY KEY, whatever varchar(20) NOT NULL);
You get this resulting SQL query:
CREATE TABLE a (); SELECT * FROM accounts; -- (id int PRIMARY KEY, whatever varchar(20) NOT NULL);
As you can see, this will create a table a without any columns and then select all usernames and passwords, if the table accounts exists. The rest of the query is commented out with --.
This is a very simple SQL injection attack and you don't want to do this! Don't put userinput straight up into your SQL queries!!
EDIT: taking the value from $_POST
If your field has the name link then you can access it with
$_POST['link']
You can put this into your string this way:
$sql = "SELECT txt FROM {$_POST['link']} WHERE id = 1";