  1. #1
    New to the CF scene
    Join Date
    Aug 2014
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Create "INSERT" sql query with $_GET variables from array

    I'm getting the following elements in input with the method GET
    Ex: $_GET['val1'], $_GET['val2'], $_GET['val3'], $_GET['val4'], $_GET['val5']

    Then I execute this sql query:
    PHP Code:
    $sql="INSERT INTO Foo (val1, val2, val3, val4, val5)
            VALUES
    ($_GET['val1'], $_GET['val2'], $_GET['val3'], $_GET['val4'], $_GET['val5'])"

    Since I often need to add/remove elements, I wanted to make it easier to manage
    and I came up with this code. However, I have a problem defining INPUT. Can you
    guys help me out?

    This is the code I made:
    PHP Code:
    $array = array(
        "val1",
        "val2",
        "val3",
        "val4",
        "val5"
    );

    define("LIST", implode(", ", $array));
    define("INPUT", "'$_GET[" . implode("]','$_GET[", $array)) . "]";

    $sql = "INSERT INTO Foo (". LIST .")
            VALUES
    (". INPUT .")"

    The problem is when I define INPUT.

    P.S.
    I know that I should use mysqli because mysql is outdated; however, I have my good reasons to not update, so please don't bother me with that.

  • #2
    New to the CF scene
    Join Date
    Jul 2014
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts
    your code is insecure and using get is a bad idea in ur form have u set the method to GET or POST?

  • #3
    Senior Coder
    Join Date
    Jan 2011
    Location
    Missouri
    Posts
    4,694
    Thanks
    25
    Thanked 657 Times in 656 Posts
    Some day loony will learn how to write English, but he/she is correct
    your code is insecure and using get is a bad idea......
    In addition, LIST or LIST() is a reserved word and may be throwing your error.
    I guess it's personal taste to use "define()" to set a simple variable. $var = implode(", ", $array); is easier and readily understood by most all coders.

    Your original query was so much better and easier to understand and manage.

    A question to you. Are you attempting this because you do not always send 5 variables to update?
    Evolution - The non-random survival of random variants.

    "If you leave hydrogen alone, for long enough, it begins to think about itself."

  • #4
    New Coder
    Join Date
    Jul 2014
    Location
    Athens, Greece
    Posts
    38
    Thanks
    0
    Thanked 0 Times in 0 Posts
    It's very insecure.... Besides changing $_GET to $_POST, you have to protect your data from MySQL injections.
    e.g.
    ///after connected to db
    $val1=$_GET['val1'];
    $val1=mysql_real_escape_string($val1);

    /////run your query.....
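
One way to keep the editable column list the original poster wanted without placing request values in the SQL text, as an added example that is not code from any poster in this thread. It assumes PDO with an in-memory SQLite database so it runs offline (the thread's code uses the old mysql extension); `build_insert`, `collect_params` and the `$get` sample array are hypothetical names constructed here.

```php
<?php
// Added example: column names come from a fixed allow-list in code,
// values travel only as bound parameters. PDO + in-memory SQLite is an
// assumption made so the script runs offline.

function build_insert(string $table, array $columns): string
{
    // Identifiers cannot be bound, so they must never come from the request.
    foreach (array_merge([$table], $columns) as $name) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("bad identifier: $name");
        }
    }
    $placeholders = array_map(fn($c) => ":$c", $columns);
    return sprintf('INSERT INTO %s (%s) VALUES (%s)',
        $table, implode(', ', $columns), implode(', ', $placeholders));
}

function collect_params(array $columns, array $input): array
{
    $params = [];
    foreach ($columns as $c) {
        // Missing fields become NULL; keys not in $columns are ignored.
        // Array-valued input (e.g. ?val1[]=x) is rejected to NULL as well.
        $v = $input[$c] ?? null;
        $params[":$c"] = is_scalar($v) ? (string) $v : null;
    }
    return $params;
}

$columns = ['val1', 'val2', 'val3', 'val4', 'val5'];   // edit this list only

// Constructed request data standing in for $_GET.
$get = [
    'val1' => 'alice',
    'val2' => "x'); DROP TABLE Foo; --",
    'val3' => '42',
    'val9' => 'not in the allow-list',
];

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Foo (val1 TEXT, val2 TEXT, val3 TEXT, val4 TEXT, val5 TEXT)');

$sql = build_insert('Foo', $columns);
$pdo->prepare($sql)->execute(collect_params($columns, $get));

echo $sql, PHP_EOL;
print_r($pdo->query('SELECT * FROM Foo')->fetchAll(PDO::FETCH_ASSOC));
```

The generated statement contains only placeholder names, so the quote-bearing `val2` value is stored as literal text and the `val9` key never reaches the query.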

