i thought edit question comment seems insecure way of doing trying acheive.
what want allow user import .csv file want them able set fields import.
is there way of doing apart way tried demonstrate in original question?
thank daniel
this problem having has been driving me mad weeks now, try me should work fails.
basically have database bunch of fields in.
in 1 of pages have following code
$result = mysql_query("show fields my_database.products"); while ($row = mysql_fetch_array($result)) { $field = $row['field']; if ($field == 'product_id' || $field == 'product_name' || $field == 'product_description' || $field == 'product_slug' || $field == 'product_layout') { } else { echo '<label class="label_small">'.$field.'</label> <input type="text" name="'.$field.'" id="input_text_small" />'; } } this echos list of fields have label of database fields , includes database field in name of text box.
i post results following code
$result = mysql_query("show fields affilifeed_1000.products"); $i = 0; while ($row = mysql_fetch_array($result)) { $field = $row['field']; if ($field == 'product_name' || $field == 'product_description' || $field == 'product_slug' || $field == 'product_layout') { } else { $input_field = $field; $output_field = mysql_real_escape_string($_post[''.$field.'']); } if ($errorcount == 0) { $insert = "insert my_database.products ($input_field) values ('$output_field')"; $result_insert = mysql_query($insert) or die ("<br>error in database<b> ".mysql_error()."</b><br>$result_insert"); } } if ($result_insert) { echo '<div class="notification_success">well done have sucessfully created product, can view clicking here</div>'; } else { echo '<div class="notification_fail">there problem creating product, please try again later...</div>'; } it posts sucessfully problem creates new "row" every insert.
for example in row 1 post first value , rest empty, in row 2 post second value rest empty, row 3 third value , on...
i have tried many many many things working , have researched foreach loop haven't been familiar before, binding variable, imploding, exploding none of them seem trick.
i can kind of understand why doing wrapped in while loop if put outside of inserts last value.
can shed light why happening?
if need more info please let me know.
thank daniel
you're treating each field you're displaying own record inserted. since you're trying create single record multiple fields, need build query dynamically, e.g.
foreach ($_post $key => $value); $fields[] = mysql_real_escape_string($key); $values[] = "'" . msyql_real_escape_string($value) . "'"; } // build arrays of form's field/value pairs $field_str = implode(',', $fields); // turn arrays comma-separated strings $values_str = implode(',', $values); $sql = "insert yourtable ($field_str) values ($value_str);" // insert strings query $result = mysql_query($sql) or die(mysql_error()); which give you
insert youtable (field1, field2, ...) values ('value1', 'value2', ...) note i'm using mysql library here, should avoid it. it's deprecated , obsolete. consider switching pdo or mysqli before build more code totally useless in short order.
on security basis, should not passing field values directly through database. consider case might doing user permissions management system. wouldn't want expose "is_superuser" field, form allow give superuser privileges hacking html form , putting new field saying is_superuser=yes.
this kind of code downright dangerous, , should not using in production system, no matter how sql injection protect build it.
Comments
Post a Comment