i have array variable for textboxes how can i use $_POST correctly?
Registration
<?php
session_start();
$connection=Mysql_connect('localhost','admin','123');
Mysql_select_db('db',$connection);
if(array_key_exists('insert',$_POST))
{
$qu开发者_开发问答ery="select * from pharmacy";
$result=mysql_query($query);
if (!$result)
{
print(mysql_errno() .":". mysql_error());
}
$num=Mysql_num_rows($result);
$num1=Mysql_num_fields($result);
if($num>0)
{
echo "<table border=2>";
for($i=0;$i<$num;$i++)
{
$row=mysql_fetch_row($result);
echo "<tr>";
echo"<td><input type='Checkbox' name='p[$i]' value='on' unchecked /></td>";
echo"<td>$row[0]</td>";
echo"<td><input type='txt' name='q[$i]' /></td>";
$r[$i]=$row[0];
if(isset($_POST['q']))
$q[$i]=$_POST['q'];
echo"</tr>";
}//for
echo"</table>";
}
if(isset($_POST['p']))
foreach($_POST['p'] as $key=>$value)
{
if($value=="on")
{
$u=$_SESSION['t'];
$query8="insert into $u(name,qun)values('$r[$key]',$q[$key])";
echo $query8;
$result8 = mysql_query($query8);
//header("Location: show.php?");
}
echo $q[0];
}//for
}
?>
<input type="submit" name='insert' value="insert Drugs"/>
</form>
</body>
i have a table that has rows i insert the chosen ones in another table in mysql but when i want to insert the content of texts i have problem my problem is here:if(isset($_POST['q'])) $q[$i]=$_POST['q']; it can't be set how can i correct it?
This code:
coding horror$query8="insert into $u(name,qun)values('$r[$key]',$q[$key])";
Is an injection nightmare!
There is so much wrong with this code from a security point of view:
- Always use
$var = mysql_real_escape_string($_POST['var'')
; - Always surround your
$vars
used for values in a query with'
single quotes. - If you use dynamic database, table or fieldnames
mysql_real_escape_string
will not work nor will any other escape function. - You will need to check all table names and field names against a list of pre-approved table and field names.
- If you must use dynamic field and/or column names, escape them with ```; this is not for security but to prevent syntax errors in your query when using reserved words or numbers as column/table names.
See this question for more details: How to prevent SQL injection with dynamic tablenames?
You really should separate the form handling code from the form generation code. Such a hideous mix is hard to debug.
<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
if (isset($_POST['p']) && is_array($_POST['p'])) {
foreach($_POST['p'] as $key => $val) {
... do db stuff ...
}
}
}
... generate form here ...
$_POST['q']
is an array, so your $query8
will fail as you use:
$q[$i]=$_POST['q'];
All values of $q
are arrays and you can´t insert an array in a database like this:
$query8="insert into $u(name,qun)values('$r[$key]',$q[$key])";
You probably need something like:
$q[$i]=$_POST['q'][$i];
Edit: By the way, you always need to prepare your data for use in a database. I prefer prepared statements / PDO but if you use regular mysql you need to escape your variables before you insert them using something like mysql_real_escape_string
.
Edit 2: In case of variable table or column names, always check them against a white-list.
精彩评论