
View Full Version : PHP $_POST in MYSQL Query



Atrhick
01-16-2012, 07:38 PM
Here's the deal, I'm trying to insert all of my $_POST data from a form into a MySQL query. Normally I would do something like this:



$var_name = $_POST['my_var_name'];


But I can't do that this time around because all of the names of the input fields are being generated dynamically, so they are updated and changed often. Is there any solution to this?

tangoforce
01-16-2012, 09:04 PM
If you want to store the raw form data as an array you could run it through serialize() and store the output.

If however you want to pull out the data and store it in each column then you need to find a way to identify each field from the random field names and without showing us how you're generating those field names and keeping track of them, there isn't much else we can say.

myfayt
01-16-2012, 09:40 PM
Generated dynamically? Can you explain more? PHP is a very powerful language and can do most anything you want. Once we understand what you need done, we can help you do it. :thumbsup:

tangoforce
01-16-2012, 09:58 PM
Generated dynamically?

I use a similar technique myself on forms. It's an anti-bot measure. Many of the basic bots will not recognise the name changes and therefore their submissions will automatically be filtered out but the better bots recognise it and just go with those names.

There is more on the technique here (http://mrarrowhead.com/index.php?page=stop_form_spam_captcha.php#rscript).

djh101
01-17-2012, 07:17 AM
Method 1: Array items (such as $_POST variables) can be called inside quotation marks, however, the single quotes are omitted from their name.

mysql_query("SELECT * FROM somewhere WHERE author='$_POST[author]'");

Method 2: Instead of putting the variable inside the quotes, end the quotes and append the post variable unquoted where you need it. This is what you have to do anyway for all variables if you are not using single quotes (variables aren't recognized as variables inside single quotes). This method is more complicated but makes variables more apparent in code and, again, is required if you use single quotes.

mysql_query("SELECT * FROM somewhere WHERE author='".$_POST['author']."'");

BluePanther
01-17-2012, 07:35 AM
Method 1: Array items (such as $_POST variables) can be called inside quotation marks, however, the single quotes are omitted from their name.

mysql_query("SELECT * FROM somewhere WHERE author=$_POST[author]");

Method 2: Instead of putting the variable inside the quotes, end the quotes and append the post variable unquoted where you need it. This is what you have to do anyway for all variables if you are not using single quotes (variables aren't recognized as variables inside single quotes). This method is more complicated but makes variables more apparent in code and, again, is required if you use single quotes.

mysql_query("SELECT * FROM somewhere WHERE author='".$_POST['author']."'");

Not good practice. You should always, at least, escape POST and GET (or any other user provided information) with mysql_real_escape_string() to avoid SQL injection.

Also, it wasn't really what the op was asking for ;)

djh101
01-17-2012, 08:36 AM
Well that was more of an example on the concept, not intended to be used as it is. But yeah, most of my user inputted data I have preg_replaced - I completely forgot about mysql_real_escape_string ;).

Anyway, there's not really much of a question in the first post, which only leaves you to assume...

tangoforce
01-17-2012, 12:19 PM
Method 1: Array items (such as $_POST variables) can be called inside quotation marks, however, the single quotes are omitted from their name.

mysql_query("SELECT * FROM somewhere WHERE author=$_POST[author]");


No, no, no... ANY string must still be inside single quotes in an SQL string:



// Escape the value first, then place it inside single quotes in the SQL string.
$Author = mysql_real_escape_string($_POST['author']);
mysql_query("SELECT * FROM somewhere WHERE author='$Author'");


Only integers can be treated your way without single quotes.


Anyway, there's not really much of a question in the first post, which only leaves you to assume...

Erm, yes there is. The op is asking about how to handle form fields with dynamically generated names and how to somehow get the data and save it.
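
Added example, not part of the thread or any poster's code: one way to handle the original question (form fields whose names are generated per request) together with the SQL injection concern raised above. It uses PDO prepared statements rather than the thread's mysql_real_escape_string(); the `posts` table, its columns, the `f_...` field names, the `insertDynamicPost` helper and the in-memory SQLite handle are assumptions made for the demonstration.

```php
<?php
// Added example; table, column, field and function names are hypothetical.

// $fieldMap (generated field name => column) is built server-side when the
// form is rendered, e.g. kept in $_SESSION, so column names never come
// from the client. Only the values are taken from the submitted data.
function insertDynamicPost(PDO $db, array $fieldMap, array $post): int
{
    $allowed = ['author', 'title', 'body'];   // columns of the hypothetical table
    $row = [];
    foreach ($fieldMap as $generated => $column) {
        if (!in_array($column, $allowed, true)) {
            throw new InvalidArgumentException("unexpected column: $column");
        }
        if (!isset($post[$generated]) || !is_string($post[$generated])) {
            throw new InvalidArgumentException("missing field for $column");
        }
        $row[$column] = $post[$generated];
    }
    // Identifiers come from the allowlist; values are bound as parameters,
    // so quotes in the input cannot change the structure of the statement.
    $cols  = implode(', ', array_keys($row));
    $marks = implode(', ', array_fill(0, count($row), '?'));
    $stmt  = $db->prepare("INSERT INTO posts ($cols) VALUES ($marks)");
    $stmt->execute(array_values($row));
    return $stmt->rowCount();
}

// Constructed demo. In-memory SQLite stands in for the MySQL server so the
// script runs offline; in the thread's setting a MySQL DSN would be used.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (author TEXT, title TEXT, body TEXT)');

$fieldMap = ['f_8c1a' => 'author', 'f_27de' => 'title', 'f_b903' => 'body']; // constructed
$post = [                          // constructed stand-in for $_POST
    'f_8c1a' => "O'Brien",         // the quote is stored literally
    'f_27de' => 'Hello',
    'f_b903' => "It's a test",
    'f_ffff' => 'ignored: this name is not in the map',
];
insertDynamicPost($db, $fieldMap, $post);
var_dump($db->query('SELECT author, body FROM posts')->fetch(PDO::FETCH_ASSOC));
```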


