Hullo :)

I have a multidimensional array that looks like this:

$things = array( 
  array('one'=>'red', 'two'=>'$85' , 'three'=>1),
  array('one'=>'green', 'two'=>'$35' , 'three'=>0),
  array('one'=>'blue', 'two'=>'$32' , 'three'=>0),
);

Various things are done with this array on my PHP page, including making a form with fields of names/IDs red, green and blue, like this:

<form>
  <?php foreach ($things as $row) { 
    echo '<input type="hidden" name="' . $row['one'] . '" id="' . $row['one'] . '" value="0" />'; 
  } ?>
  <input type="submit" />
</form>

When the form is submitted, I want to put the $_REQUEST into a MySQL table with columns named after the field values, and this is where I'm having difficulty. This is my query:

INSERT INTO table_name (name, email, $fields_list) 
VALUES ('$name', '$email', '$values_list')

"$fields_list" is just a comma-separated list of the field names (red, green, blue). "$values_list" is supposed to be a list of the $_REQUEST values and is constructed like this from "$colours":

$values_list = implode('\', \'', array_map(function ($entry) {
  return $entry;
}, $colours));

What's in "$colours" is the issue. When I do this, it works:

$colours = array($_REQUEST["red"], $_REQUEST["green"], $_REQUEST["blue"]);

But I don't want to explicitly re-state the values in the array, as this is likely to change over time. I want to just have the array defined at the top of the page, and then have the rest of the functions work from that. So, I tried this, but it doesn't work:

$colour_list = implode(', ', array_map(function ($entry) {
  return '$_REQUEST["'.$entry['one'].'"]';
}, $things));

$colours = array($colour_list);

If I var_dump this version of $colours, it's identical to the explicitly-stated version above.

Why doesn't it work? How can I make it work? Am I going about this the wrong way?

I think it has something to do with what order things are processed in - the PHP versus the REQUEST. I also think I am over-processing my arrays/variables, I have a feeling I can skip a step somewhere but am confused and can't work out where. Please help!

Thanks very much :)

Would $_REQUEST["red"] contain any value, or do you need to get it from that array? –  Samosa Jul 27 at 23:51

1 Answer

up vote 0 down vote accepted

I am not sure, but I think what you want is to dynamically generate the insert query.

Here would be my solution:

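// $link is the open mysqli connection (assumed to exist already);
// mysqli_real_escape_string() requires it as its first argument.
function insert_query($link, $data){
    $fields = array();
    $values = array();
    if(is_array($data)){
        foreach($data as $key=>$value){
            // the array key is used as the column name as-is
            $fields[] = '`'.$key.'`';
            if(is_numeric($value)){
                if(substr($value, 0, 1)==0) // checking for leading zero
                {
                    // quote it so the leading zero is kept
                    $values[] = "'".$value."'";
                }else{
                    $values[] = $value;
                }
            }else{
                $values[] = "'".mysqli_real_escape_string($link, $value)."'";
            }
        }
        return "(".implode(",",$fields).") VALUES(".implode(",",$values).")";
    }
}

$_insert = $_REQUEST; //Security wise would not be a good idea

$_insert['name'] = $name;
$_insert['email'] = $email;

$query = "INSERT INTO table_name ".insert_query($link, $_insert);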
You know, I'm not sure why it hadn't occurred to me that I could use the $_REQUEST array without specifying values, that might solve my problem... let me have a play. Thanks. –  zenkaty Jul 28 at 0:01
    
If you are gonna use $_REQUEST as is, then may I suggest renaming your input as name="things[' . $row['one'] . ']". This way you can access $_REQUEST['things'] without other params interfering. –  Samosa Jul 28 at 0:04
    
Good idea, I'll try that now. –  zenkaty Jul 28 at 0:08
    
Fantastic, that worked! Thanks very much for your help :) If I can ask one more thing, you mention using the $_REQUEST directly is not secure - if I add mysql_real_escape_string() around the request values, is that enough? –  zenkaty Jul 28 at 0:14
    
The reason I say it isn't secure is, let's say you have a column called bank_credit and you are using the $_REQUEST array "as is"; then a bad guy can just send a request with $_REQUEST['bank_credit'] and it would be added to the db blindly. So the solution is to have a list of "expected" keys and only process those. –  Samosa Jul 28 at 0:43
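
The "expected keys" approach from the last comment, combined with bound parameters instead of escaping, as an added example (not code from the answer or its comments). `build_insert()`, the sample request and the name/email values are constructed for illustration; `$things`, `table_name` and `bank_credit` are taken from the page.

```php
<?php
// Added example. $things is the question's array; everything else is constructed.
$things = array(
  array('one' => 'red',   'two' => '$85', 'three' => 1),
  array('one' => 'green', 'two' => '$35', 'three' => 0),
  array('one' => 'blue',  'two' => '$32', 'three' => 0),
);

// Hypothetical helper: returns array($sql, $params) for a prepared statement.
// Column names come only from $fixed and $allowed (server-side code); request
// data is never used as an identifier and is only ever bound as a value.
function build_insert($table, array $fixed, array $allowed, array $input) {
  $row = array();
  foreach ($allowed as $column) {
    // Missing or non-scalar input (e.g. things[red][]=x) falls back to '0',
    // the default value of the hidden fields in the question's form.
    $ok = isset($input[$column]) && is_scalar($input[$column]);
    $row[$column] = $ok ? (string) $input[$column] : '0';
  }
  $row = $fixed + $row; // trusted keys first; they win over a same-named colour
  $columns = array();
  foreach (array_keys($row) as $name) {
    // Identifiers cannot be bound, so restrict them to a plain-name pattern.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/D', $name)) {
      throw new InvalidArgumentException("Bad column name: $name");
    }
    $columns[] = '`' . $name . '`';
  }
  $marks = implode(', ', array_fill(0, count($row), '?'));
  $sql = "INSERT INTO `$table` (" . implode(', ', $columns) . ") VALUES ($marks)";
  return array($sql, array_values($row));
}

// Constructed request, shaped like $_POST['things'] once the inputs are named
// things[red] etc. It carries a quote and one field the form never defined.
$request = array('red' => '1', 'green' => "it's", 'bank_credit' => '9999');

list($sql, $params) = build_insert(
  'table_name',
  array('name' => 'Ann', 'email' => 'ann@example.com'),
  array_column($things, 'one'),
  $request
);

echo $sql, "\n";                 // placeholders only, no request data in the SQL
echo json_encode($params), "\n"; // values to bind, in column order
// Next step (needs a connection): prepare($sql), then bind/execute with $params.
```

Because the column list is derived from `$things`, adding a colour at the top of the page extends the query automatically, while a request field that is not in `$things` never reaches the statement.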
