
I have an array variable for textboxes; how can I use $_POST correctly?

Registration

<?php
session_start();
$connection=Mysql_connect('localhost','admin','123');
Mysql_select_db('db',$connection);
if(array_key_exists('insert',$_POST))
{
$query="select * from pharmacy";
$result=mysql_query($query);
if (!$result)
{
print(mysql_errno() .":". mysql_error());
}
$num=Mysql_num_rows($result);
$num1=Mysql_num_fields($result);
    if($num>0)
    {
    echo "<table border=2>";
    for($i=0;$i<$num;$i++)
    {
    $row=mysql_fetch_row($result);
    echo "<tr>";
    echo"<td><input type='checkbox' name='p[$i]' value='on' /></td>";
    echo"<td>$row[0]</td>";
    echo"<td><input type='text' name='q[$i]' /></td>";
    $r[$i]=$row[0];
    if(isset($_POST['q']))
    $q[$i]=$_POST['q'];
    echo"</tr>";
    }//for
    echo"</table>";
    }
    if(isset($_POST['p']))
    foreach($_POST['p'] as $key=>$value)
        {
        if($value=="on")
        {
       $u=$_SESSION['t'];

       $query8="insert into $u(name,qun)values('$r[$key]',$q[$key])";
      echo $query8;
       $result8 = mysql_query($query8);
    //header("Location: show.php?");
    }
    echo $q[0];
       }//for

    }
?>
<input type="submit" name='insert' value="insert Drugs"/>
</form>
</body>

I have a table that has rows; I insert the chosen ones into another table in MySQL, but when I want to insert the content of the textboxes I have a problem. My problem is here: if(isset($_POST['q'])) $q[$i]=$_POST['q']; it can't be set. How can I correct it?


This code:

$query8="insert into $u(name,qun)values('$r[$key]',$q[$key])";

is an injection nightmare!

There is so much wrong with this code from a security point of view:

  1. Always use $var = mysql_real_escape_string($_POST['var']);
  2. Always surround your $vars used for values in a query with ' single quotes.
  3. If you use dynamic database, table or field names, mysql_real_escape_string will not work, nor will any other escape function.
  4. You will need to check all table names and field names against a list of pre-approved table and field names.
  5. If you must use dynamic field and/or column names, escape them with backticks (`); this is not for security but to prevent syntax errors in your query when using reserved words or numbers as column/table names.

See this question for more details: How to prevent SQL injection with dynamic tablenames?


You really should separate the form handling code from the form generation code. Such a hideous mix is hard to debug.

<?php

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    if (isset($_POST['p']) && is_array($_POST['p'])) {
        foreach ($_POST['p'] as $key => $val) {
            // ... do db stuff ...
        }
    }
}

// ... generate form here ...


$_POST['q'] is an array, so your $query8 will fail as you use:

$q[$i]=$_POST['q'];

All values of $q are arrays, and you can't insert an array into a database like this:

$query8="insert into $u(name,qun)values('$r[$key]',$q[$key])";

You probably need something like:

$q[$i]=$_POST['q'][$i];

Edit: By the way, you always need to prepare your data for use in a database. I prefer prepared statements / PDO but if you use regular mysql you need to escape your variables before you insert them using something like mysql_real_escape_string.

Edit 2: In case of variable table or column names, always check them against a white-list.

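The three answers above add up to one rewrite: separate the POST handling from the form generation, index the posted arrays as $_POST['q'][$i], whitelist the per-user table name, and bind the values with prepared statements instead of interpolating them. The script below is an added example that is not the original poster's code or any answerer's code. It assumes PHP 7 or later with the PDO MySQL driver, a table `pharmacy` whose first column is `name`, per-user target tables with columns (name, qun) whose names appear in the hypothetical $allowedTables list, and placeholder DSN and credentials; the session key 't' is kept from the question.

```php
<?php
// Added example, not the original poster's code: the "insert chosen drugs"
// form with handling separated from generation, inputs validated, the table
// name checked against a whitelist, and the INSERT run as a prepared statement.
// Assumptions: table `pharmacy` with a `name` column; per-user tables with
// columns (name, qun) listed in $allowedTables; placeholder DSN/credentials.
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=db;charset=utf8mb4', 'admin', '123', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);

// A table name cannot be bound as a parameter, so the per-user target table
// from the session is matched against a fixed list, never used verbatim.
$allowedTables = ['cart_user1', 'cart_user2'];   // assumption: real names go here

/**
 * Resolve the rows the user chose from the posted arrays.
 * $p is the checkbox array (p[i] => 'on'), $q the quantity array (q[i] => '3'),
 * $names the drug names in the same order the form rendered them.
 * Returns [[name, qun], ...] for rows that are checked and have a valid quantity.
 */
function chosenRows(array $p, array $q, array $names): array
{
    $rows = [];
    foreach ($p as $i => $checked) {
        if ($checked !== 'on' || !isset($names[$i])) {
            continue;                                 // unknown index: ignore
        }
        // $_POST['q'] is itself an array; this row's value is $q[$i], not $q
        $qun = isset($q[$i]) ? trim((string) $q[$i]) : '';
        if ($qun === '' || !ctype_digit($qun) || (int) $qun < 1) {
            continue;                                 // rejects "", "abc", "0", "1 OR 1=1"
        }
        $rows[] = [$names[$i], (int) $qun];
    }
    return $rows;
}

// --- 1. handle the submission ------------------------------------------
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['insert'])) {
    $table = $_SESSION['t'] ?? '';
    if (!in_array($table, $allowedTables, true)) {
        http_response_code(400);
        exit('unknown target table');
    }

    // Names are re-read from the database with a fixed ORDER BY, so the indexes
    // line up with the rendered form and a tampered index can only pick a real row.
    $names = $pdo->query('SELECT name FROM pharmacy ORDER BY name')->fetchAll(PDO::FETCH_COLUMN);

    $p = isset($_POST['p']) && is_array($_POST['p']) ? $_POST['p'] : [];
    $q = isset($_POST['q']) && is_array($_POST['q']) ? $_POST['q'] : [];

    // Identifier quoted with backticks (syntax only); values bound as parameters.
    $stmt = $pdo->prepare("INSERT INTO `$table` (name, qun) VALUES (:name, :qun)");
    $pdo->beginTransaction();
    foreach (chosenRows($p, $q, $names) as [$name, $qun]) {
        $stmt->execute([':name' => $name, ':qun' => $qun]);
    }
    $pdo->commit();
    header('Location: show.php');
    exit;
}

// --- 2. generate the form -----------------------------------------------
$names = $pdo->query('SELECT name FROM pharmacy ORDER BY name')->fetchAll(PDO::FETCH_COLUMN);
echo '<form method="post"><table border="2">';
foreach ($names as $i => $name) {
    $safe = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');   // no stored XSS via drug names
    echo "<tr><td><input type='checkbox' name='p[$i]' value='on'></td>"
       . "<td>$safe</td>"
       . "<td><input type='text' name='q[$i]' inputmode='numeric'></td></tr>";
}
echo '</table><input type="submit" name="insert" value="insert Drugs"></form>';
```

Two design points worth noting. The SELECT carries an ORDER BY in both the handler and the renderer, because the original code relies on the i-th fetched row matching the i-th checkbox, and MySQL gives no ordering guarantee without one. And the quantity is validated as a positive integer before binding; prepared statements already stop injection, but a check like this is what keeps a string such as "1 OR 1=1" or an empty field from ever reaching the database as data.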
