  1. #1
    New to the CF scene
    Join Date
    Aug 2014
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Create "INSERT" sql query with $_GET variables from array

    I'm getting the following elements in input with the method GET
    Ex: $_GET['val1'], $_GET['val2'], $_GET['val3'], $_GET['val4'], $_GET['val5']

    Then I execute this sql query:
    PHP Code:
    $sql="INSERT INTO Foo (val1, val2, val3, val4, val5)
            VALUES
    (
    $_GET['val1'], $_GET['val2'], $_GET['val3'], $_GET['val4'], $_GET['val5'])"
    Since I often need to add/remove elements I wanted to make it easier to manage
    and I came up with this code. However I have a problem defining INPUT. Can you
    guys help me out?

    This is the code I made:
    PHP Code:
    $array = array(
        "val1",
        "val2",
        "val3",
        "val4",
        "val5"
    );

    define("LIST", implode(", ", $array));
    define("INPUT", "'$_GET[" . implode("]','$_GET[", $array)) . "]'";

    $sql="INSERT INTO Foo (". LIST .")
            VALUES
    (". INPUT .")"; 
    The problem is when I define INPUT.

    P.S.
    I know that I should use mysqli because mysql is outdated; however, I have my good reasons not to update, so please don't bother me with that.

  2. #2
    New to the CF scene
    Join Date
    Jul 2014
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts
    your code is insecure and using get is a bad idea in ur form have u set the method to GET or POST?

  3. #3
    Master Coder sunfighter's Avatar
    Join Date
    Jan 2011
    Location
    Washington
    Posts
    6,094
    Thanks
    30
    Thanked 837 Times in 835 Posts
    Some day loony will learn how to write English, but he/she is correct
    your code is insecure and using get is a bad idea......
    In addition, LIST or LIST() is a reserved word and may be throwing your error.
    I guess it's personal taste to use "define()" to set a simple variable. $var = implode(", ", $array); is easier and readily understood by most all coders.

    Your original query was so much better and easier to understand and manage.

    A question to you. Are you attempting this because you do not always send 5 variables to update?
    Evolution - The non-random survival of random variants.
    Physics is actually atoms trying to understand themselves.

  4. #4
    New Coder
    Join Date
    Jul 2014
    Location
    Athens, Greece
    Posts
    38
    Thanks
    0
    Thanked 0 Times in 0 Posts
    It's very unsecured... Except changing $_GET to $_POST, you have to protect your data from mysql injections.
    e.g.
    ///after connected to db
    $val1=$_GET['val1'];
    $val1=mysql_real_escape_string($val1);

    /////run your query.....
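
An added example (not code from any poster in this thread): one way to drive the INSERT from a single column array, as the first post wants, while binding the request values as parameters instead of concatenating them. It uses PDO with an in-memory SQLite table so it runs stand-alone, rather than the mysql_* functions used in the thread; `build_insert` and `$sampleGet` are names made up for this example.

```php
<?php
// Column names come from this fixed list only, never from the request.
$columns = ['val1', 'val2', 'val3', 'val4', 'val5'];

/**
 * Build a parameterized INSERT for $table from a fixed column list.
 * Returns [sql, params]; values are bound, never concatenated into the SQL.
 * (Hypothetical helper written for this example.)
 */
function build_insert(string $table, array $columns, array $input): array
{
    $params = [];
    foreach ($columns as $col) {
        // Guard the identifiers too, in case the list is edited carelessly later.
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $col)) {
            throw new InvalidArgumentException("Bad column name: $col");
        }
        // A missing or non-scalar request value (e.g. ?val1[]=x) becomes NULL.
        $value = $input[$col] ?? null;
        $params[":$col"] = is_scalar($value) ? (string) $value : null;
    }
    $sql = sprintf(
        'INSERT INTO %s (%s) VALUES (%s)',
        $table,
        implode(', ', $columns),
        implode(', ', array_keys($params))
    );
    return [$sql, $params];
}

// Constructed sample request standing in for $_GET: val3 carries SQL
// metacharacters and val5 is absent.
$sampleGet = ['val1' => 'a', 'val2' => 'b', 'val3' => "x'), ('injected", 'val4' => 'd'];

// In-memory SQLite keeps the example self-contained (assumption: pdo_sqlite is enabled).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Foo (val1 TEXT, val2 TEXT, val3 TEXT, val4 TEXT, val5 TEXT)');

[$sql, $params] = build_insert('Foo', $columns, $sampleGet);
$pdo->prepare($sql)->execute($params);

// The statement text contains only placeholders; the stored row holds the
// val3 string verbatim as data and NULL for the missing val5.
echo $sql, PHP_EOL;
var_dump($pdo->query('SELECT * FROM Foo')->fetchAll(PDO::FETCH_ASSOC));
```

Adding or removing a field then means editing only the `$columns` array, and the SQL text never contains request data.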


 
