Sep 14, 2009, 15:15   #12
Cups
SitePoint Wizard
Join Date: Oct 2006
Posts: 4,201
OK.

1. Call your form elements the same name as the database columns. It's less confusing, not doing so does not protect your database in any way, and it opens up the way to think of your code as arrays.

2. Have an array of elements you expect to find coming from your form

3. Create the start and end of the sql query

4. Loop through the elements, check they are permitted, check they are valid, if so add them to a string, and add that between the start and end of the sql query.

This is a simplified version with just 2 elements.
PHP Code:

// 1 -- form field names match the database column names
// (the browser sends inputs by their name attribute, not their id)

<form method="post" action="">
<input type="hidden" name="id" value="27">
<input name="keyword_one" value="soup" />
<input name="url_one" value="www.soup.com" />
<input type="submit"></form>

<?php

// 2 -- the only form elements we expect (and the only columns we will update)

$permitted = array(
  'keyword_one'
, 'url_one'
);

$_POST = array_map( "trim" , $_POST ) ;

if( isset( $_POST['id'] ) ) {

// 3 -- start and end of the query (note the leading space on the end part,
// otherwise the last value and "where" run together)

$sql_start  = "update food set " ;
$sql_end    = " where id = " . (int)$_POST['id'] ;
$sql_middle = "" ;

// 4 -- loop through the posted elements, keep only permitted, non-empty ones

foreach( $_POST as $key=>$value ) {

// LOOK at the values if you are not sure, uncomment here
// echo $key . "=" . $value . PHP_EOL ;

    if( in_array( $key, $permitted ) && !empty( $value ) ) { // one security check

        // $key can only be a whitelisted column name; the value is escaped
        // (mysql_real_escape_string needs an open mysql connection)
        $sql_middle .= " $key = '" . mysql_real_escape_string( $value ) . "'," ;

    }

}

// you have to chop off the , from the last element
$sql_middle = rtrim( $sql_middle , "," ) ;

// you could test that $sql_middle is != ""

// then stick the bits back together, echo them out

echo $sql_start . $sql_middle . $sql_end ;

// copy and paste the outcome into PhpMyAdmin to
// test it actually is well formed, and that you have
// data in your database which permits the query to go ahead

}
That is untested by the way.

There are other things to be done, and I left it verbose so you can hopefully see what is going on and see what else has to be done, like checking there is more than just "id" set in the POST vars, but this should give you an idea of how to build up the query string.

The key is to marry var names to column names, and start to think about your code as arrays, as spelt out by this guy in "loops are good".
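The same whitelist-and-loop approach, written as an added example (not Cups's code) using PDO prepared statements so the values never become part of the SQL text at all; it assumes the `food` table and columns from the post, and a hypothetical `$pdo` connection for the commented-out execute step.

```php
<?php
// Build an UPDATE from posted data: column names come only from the
// whitelist, values go in as bound parameters. Returns [$sql, $params]
// or null when there is nothing to update.
function buildUpdate(array $permitted, array $post): ?array
{
    if (!isset($post['id'])) {
        return null;
    }
    $set    = [];
    $params = [];
    foreach ($post as $key => $value) {
        $value = trim((string) $value);
        // whitelist check: unknown keys (and empty values) are dropped
        if (in_array($key, $permitted, true) && $value !== '') {
            $set[]           = "`$key` = :$key";  // $key is a known column name
            $params[":$key"] = $value;            // value bound, not interpolated
        }
    }
    if ($set === []) {
        return null;  // only "id" was posted, nothing to set
    }
    $params[':id'] = (int) $post['id'];
    $sql = 'UPDATE food SET ' . implode(', ', $set) . ' WHERE id = :id';
    return [$sql, $params];
}

// Constructed sample standing in for $_POST; "price" is not permitted
// and so must not appear in the generated SQL.
$sample = [
    'id'          => '27',
    'keyword_one' => ' soup ',
    'url_one'     => 'www.soup.com',
    'price'       => '0',
];
$permitted = ['keyword_one', 'url_one'];

$built = buildUpdate($permitted, $sample);
if ($built === null) {
    exit("nothing to update\n");
}
[$sql, $params] = $built;
echo $sql, PHP_EOL;
print_r($params);

// Hypothetical execution against a real connection:
// $pdo  = new PDO('mysql:host=localhost;dbname=test', 'user', 'pass',
//                 [PDO::ATTR_EMULATE_PREPARES => false]);
// $stmt = $pdo->prepare($sql);
// $stmt->execute($params);
```

Because the column list is fixed by `$permitted` and every value is a placeholder, the generated statement is the same shape no matter what the client posts.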