I want to store an array in a MySQL database, something like this:

item_row  = nike,adidas,puma
qty_row   = 1,3,2
total_row = 100,200,150

foreach

  foreach ($_SESSION['order'] as $values) {
      $item_name = $values['item-name'];
      $item_qty = $values['item-qty'];
      $item_price = $values['item-price'];
  }

Let me know how to do that?

update

  foreach ($_SESSION['order'] as $values) {
      $item_name[] = $values['item-name'];
      $item_qty[] = $values['item-qty'];
      $item_price[] = $values['item-price'];
  }

  $item_row = implode(",", $item_name);
  $qty_row = implode(",", $item_qty);
  $total_row = implode(",", $item_price);
+4  A: 
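// $_SESSION['order'] is a list of rows, so pull each column out before joining it
$item_row = implode(',', array_column($_SESSION['order'], 'item-name'));
$qty_row = implode(',', array_column($_SESSION['order'], 'item-qty'));
$total_row = implode(',', array_column($_SESSION['order'], 'item-price'));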
Alix Axel
thanks axel for the implode ;)
bob
no problem bob :)
Alix Axel
A: 
foreach ($_SESSION['order'] as $values) {
    // Values are concatenated straight into the SQL text
    mysql_query('INSERT INTO tablename (name, qty, price) VALUES("'.$values['item-name'].'", "'.$values['item-qty'].'", "'.$values['item-price'].'")');
}
antpaw
This post is an answer to the question "How do I open myself to SQL injections?"
mluebke
To be fair, the session is server-side and its contents could have already been sanitized :P Though prepared statements are always best.
Lucas Oman
@Lucas... you ALWAYS sanitize your data, nothing is ever safe, including data from the database itself. Assuming some piece of data is safe because it didn't come directly from user input is a sure way to get SQL injected from a more complex method.
TravisO
A: 

Hi bob!!

I'm using a class to manage the connection to the database and the query execution; let me add it for you:

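class DbConnection
{
    // Rows returned by the last SELECT, or '' when there is nothing to return
    var $ReturnQuery;

    // Opens the connection and selects the database; true on success
    function Connect()
    {
        $connection = mysql_connect("serverName", "user", "password");
        $DbSelect = mysql_select_db("databaseName", $connection);
        if ($DbSelect)
            return true;
        else
            return false;
    }

    // Runs $Query; returns 1 if rows were affected or returned, 0 if none, -1 on error
    function Execute($Query)
    {
        $ExecuteQuery = mysql_query($Query);
        $affected = mysql_affected_rows();
        if ($affected != -1)
        {
            if ($affected != 0)
            {
                // mysql_query() returns true for writes and a result resource for reads
                if ($ExecuteQuery != 1)
                {
                    $ResulArray = array();
                    while ($row = mysql_fetch_assoc($ExecuteQuery))
                    {
                        $ResulArray[] = $row;
                    }
                    $this->ReturnQuery = $ResulArray;
                }
                return 1;
            }
            else
            {
                $this->ReturnQuery = '';
                return 0;
            }
        }
        else
        {
            $this->ReturnQuery = '';
            return -1;
        }
    }
}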

and then you can create instances to execute your query:

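require_once('Includes/DbConnection.php');
$this->db = new DbConnection();
$this->db->Connect();

// Escape each value, not the finished query: escaping the whole string would also escape the quotes around the values
$item_name = mysql_real_escape_string($item_name);
$item_qty = mysql_real_escape_string($item_qty);
$item_price = mysql_real_escape_string($item_price);

$query = "insert into items (item_name, item_qty, item_price) values ('".$item_name."', '".$item_qty."', '".$item_price."')";
$this->db->Execute($query);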

I hope it helps!!

Regards from Guadalajara Mexico!!

Alejandra Gonzalez
Hi Alejandra. Your code looks neat. However, security best practice for SQL use in PHP is to use PDO and prepared statements. Have a look at this page: http://www.owasp.org/index.php/PHP_Top_5#P3:_SQL_Injection
Matt Ellen
Thank you very much for the info!! :)
Alejandra Gonzalez
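
The PDO prepared-statement approach recommended in the comments above, shown as an added example that is not part of any answer in this thread. Assumptions: the function name `saveOrder` is hypothetical, the `items` table and its columns are taken from the last answer, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example, not code from the thread.
// Assumptions: saveOrder() is a hypothetical helper; the "items" table uses the
// column names from the last answer; SQLite in memory stands in for MySQL.
function saveOrder(PDO $pdo, array $order): int
{
    // Placeholders keep the values out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'INSERT INTO items (item_name, item_qty, item_price)
         VALUES (:name, :qty, :price)'
    );
    $pdo->beginTransaction();
    try {
        foreach ($order as $values) {
            $stmt->bindValue(':name', (string) $values['item-name'], PDO::PARAM_STR);
            $stmt->bindValue(':qty', (int) $values['item-qty'], PDO::PARAM_INT);
            $stmt->bindValue(':price', (string) $values['item-price'], PDO::PARAM_STR);
            $stmt->execute();
        }
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack(); // store all rows of the order or none of them
        throw $e;
    }
    return count($order);
}

// With MySQL the DSN would start with "mysql:" instead of "sqlite:".
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (item_name TEXT, item_qty INTEGER, item_price NUMERIC)');

// Constructed stand-in for $_SESSION['order']; one name contains a quote
// character to show that it is stored as data, not parsed as SQL.
$order = [
    ['item-name' => 'nike',    'item-qty' => 1, 'item-price' => '100'],
    ['item-name' => "o'neill", 'item-qty' => 3, 'item-price' => '200'],
    ['item-name' => 'puma',    'item-qty' => 2, 'item-price' => '150'],
];
saveOrder($pdo, $order);

foreach ($pdo->query('SELECT item_name, item_qty, item_price FROM items') as $row) {
    printf("%s x%d = %s\n", $row['item_name'], $row['item_qty'], $row['item_price']);
}
```

Because the statement is prepared once and only the bound values change per row, session data never becomes part of the query string, which addresses the concern raised in the comments about trusting server-side data.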