insert all $_POST data into mysql using PHP?


function i($table, $array) {
  $query = "INSERT INTO ".$table;
  $fis = array(); 
  $vas = array();
  foreach($array as $field=>$val) {
    $fis[] = "`$field`"; //you must verify keys of array outside of function;
                         //unknown keys will cause mysql errors;
                         //there is also sql injection risk;
    $vas[] = "'".mysql_real_escape_string($val)."'";
  }
  $query .= " (".implode(", ", $fis).") VALUES (".implode(", ", $vas).")";
  if (mysql_query($query))
    return mysql_insert_id();
  else return false;
}

function incomingdump($array){
    $tablename="incomingdump";

    $currentID = generateID($tablename);

    $query = "INSERT INTO $tablename (ID) VALUES('$currentID');";  
    sendquery($query);
      foreach($array AS $key => $value){

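        // Column names cannot be escaped like values; $key is still used as-is here.
        $query = "ALTER TABLE $tablename ADD `$key` VARCHAR(".strlen($value).");";
        sendquery($query);
        $query = "ALTER TABLE $tablename MODIFY `$key` VARCHAR(".strlen($value).");";
        sendquery($query);
        // Escape the value before placing it inside the quoted string literal.
        $query = "UPDATE $tablename SET `$key` = '".mysql_real_escape_string($value)."' WHERE ID=$currentID";
        sendquery($query);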
      }


}
function generateID($tablename){
    $query = "SELECT count(*) FROM $tablename"; 
    $result = sendquery($query);
    $row = mysql_fetch_row($result);
    return $row[0] + 1;

}
incomingdump($_POST);

sendquery() is just a wrapper for executing a SQL statement. It's called like so:


Sorry pal, but you have almost everything wrong.

The only sensible point in your question is how to make query building easy. Here is the function I am using:

function dbSet($fields, $data = array()) {
  if (!$data) $data = &$_POST;
  $set='';
  foreach ($fields as $field) {
    if (isset($data[$field])) {
      $set.="`$field`='".mysql_real_escape_string($data[$field])."', ";
    }
  }
  return substr($set, 0, -2);
}

This will return you a SET statement, restricted to the previously defined set of fields. Usage:

$fields = explode(" ","name surname lastname address zip fax phone");
$query  = "INSERT INTO $table SET ".dbSet($fields);
$result = mysql_query($query) or trigger_error(mysql_error().$query);

$id     = intval($_POST['id']);
$fields = explode(" ","name surname lastname address zip fax phone");
$query  = "UPDATE $table SET ".dbSet($fields)." WHERE id=$id";
$result = mysql_query($query) or trigger_error(mysql_error().$query);

So, in your case you have to add just a single word to the field list.

Even if you didn't mean any arrogance, your general demeanor to someone who is learning PHP is ridiculous. No decent teacher or helper would scream out WRONG every time they saw something that wasn't right or to their liking. "Sorry, pal" didn't help either.

You can still point out it's wrong without directly saying "TERRIBLE WRONG" or "WRONG." Doing things like that basically shattered any confidence I had. Even so though, I guess I'm just misinterpreting your help, and for that I apologize. I just can't believe that every time I need to add a form field that I'll have to do it manually; I figured there'd be a better way to do it.

@SkyWookie this automated approach will lead you to get hacked pretty soon. The only purpose of doing it manually is to take full control over the query. Post data shouldn't be used for the db field names. Despite the possibility of getting field names from the database, it's considered bad practice too: some fields shouldn't be allowed to be edited, etc. Adding just one word to the field list seems a good compromise to me.

@Col oh okay, I guess I have a lot to learn about DB security then. Thanks a lot for the help, and sorry I took your comments the WRONG way ;)


Don't create a single field for all your data... it negates the entire value in having a database. You lose all the flexibility to search on specific fields (e.g. all records where hours worked is more than 25, or where date of service was 26th July 2010). You could easily write a function that built the insert statement from an array of values similar to the one Riateche has provided.

It could be improved by switching to mysqli and using bind variables.
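
The two points the answers above make, a fixed field list (as in dbSet) and mysqli bind variables, combined in one added example; this is not code from any of the posters. The table name `contacts`, the function names `buildInsert` and `insertAllowed`, and the sample input are assumptions made for illustration.

```php
<?php
// Added example: column names come only from a fixed allowlist, values only via bind variables.
// 'contacts', the field list and the sample input are constructed for illustration.

/** Build a parameterised INSERT; only allowlisted keys ever become column names. */
function buildInsert(string $table, array $allowed, array $input): array
{
    $cols = [];
    $params = [];
    foreach ($allowed as $field) {              // iterate the allowlist, never the input keys
        if (isset($input[$field]) && is_scalar($input[$field])) {
            $cols[]   = "`$field`";
            $params[] = (string) $input[$field];
        }
    }
    if (!$cols) {
        throw new InvalidArgumentException('no permitted fields in input');
    }
    $sql = sprintf(
        'INSERT INTO `%s` (%s) VALUES (%s)',
        $table,                                 // set by the application, not by the request
        implode(', ', $cols),
        implode(', ', array_fill(0, count($cols), '?'))
    );
    return [$sql, $params];
}

/** Execute the statement with mysqli bind variables; returns the new row id. */
function insertAllowed(mysqli $db, string $table, array $allowed, array $input): int
{
    [$sql, $params] = buildInsert($table, $allowed, $input);
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException($db->error);
    }
    $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    if (!$stmt->execute()) {
        throw new RuntimeException($stmt->error);
    }
    return (int) $stmt->insert_id;
}

// Constructed stand-in for $_POST: a quote in a value, a field that must not be
// editable, and a key that is not a valid column name.
$post = ['name' => "O'Brien", 'zip' => '90210', 'is_admin' => '1', 'bad`key' => 'x'];
[$sql, $params] = buildInsert('contacts', ['name', 'surname', 'zip', 'phone'], $post);
echo $sql, PHP_EOL;
print_r($params);
```

The last four lines run without a database and show that only `name` and `zip` reach the statement; `insertAllowed()` needs an open mysqli connection.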
