A: 

Yes, it seems to be how it should be for the most part; however, you can save your life to a great extent by doing this:

Instead of writing:

$orgName = $_POST['orgName'];
$impact = $_POST['impact'];
$headline = $_POST['headline'];
$content = $_POST['content'];
$subContent = $_POST['subContent'];
$meterText = $_POST['meterText'];
$month = $_POST['month'];
$shopLink = $_POST['shopLink'];
$blurbTitle = $_POST['blurbTitle'];
$blurb = $_POST['blurb'];
$logoURL = $_POST['logoURL'];
$buttonURL = $_POST['buttonURL'];
$blurbURL = $_POST['blurbURL'];
$POMURL = $_POST['POMURL'];
$horizontalURL = $_POST['horizontalURL'];
$statURL = $_POST['statURL'];
$stats = $_POST['stats'];

You could simply write this line:

extract($_POST, EXTR_SKIP);

And now you have all the same variables available as you did with the many lines above; for example, you can now use them or echo them:

echo $orgName;
echo $impact;
echo $headline;

To add: I am not sure whether using extract is good practice in terms of security; however, I have been using this without any problems so far :)

Sarfraz
By default `extract` will overwrite existing variables. At the very least, call it like this: `extract($a, EXTR_SKIP)` to prevent an attacker from foobaring your existing code.
pygorex1
@pygorex - right on, imagine if there was a variable $isAdmin or something, and someone POSTed "isAdmin" with a value of "true"... Anyway, this doesn't really help the OP because the values still are not sanitized.
John Rasch
Thanks guys, I have fixed this; please consider again. Thanks....
Sarfraz
Love the extract function. Will be happy to be using that in the near future.
Jascha
@Jascha: thanks for your compliment :)
Sarfraz
+1  A: 

Do a foreach to run over all of the params array, so you can check the values. Do some magic inside the final function so you can check if any of them is empty or something...

Alfabravo
Hmm, I could not get this; is he trying to remove empty fields?
Sarfraz
He is looking for a better way of doing this, or probably to shorten the code and get some speed :) Thanks
Sarfraz
+3  A: 

Option #1

Use an ORM like Doctrine to handle CRUD in your PHP apps.

Option #2

If using an ORM is too big of a paradigm shift try something like this:

// Alias $_POST fields to SQL columns
$sql_columns = array(
    'post_field1' => 'sql_column1',
    'post_field2' => 'sql_column2',
    'post_field3' => 'sql_column3');

// Encode $_POST data for use in SQL (only fields listed in the map are used)
$sql_a = array();
foreach ($sql_columns as $k => $k2) {
    if (isset($_POST[$k])) {
        $sql_a[] = sprintf("`%s` = '%s'", $k2, mysql_real_escape_string($_POST[$k]));
    }
}

// Build SQL string to execute
$sql = sprintf('INSERT INTO table_name SET %s', implode(', ', $sql_a));
var_dump($sql);

This can easily be extended into a function or a class to handle different tables, columns and SQL statements.

pygorex1
Man, now I gotta look up what the hell sprintf is. I looked at the ORM Doctrine. I'm just finally feeling comfortable with writing PHP classes. I'm down to go there, but I'd say I'm at least six months from adding ORM to my palette. And, if I'm not mistaken, it looks as though it's something I'd need installed? I rent server space from Hostgator; I'm lucky I get phpMyAdmin. (Actually, they haven't been bad to me.) Thank you for your response. I'm sure once I understand it, I'll be happy about it ;)
Jascha
+1  A: 

If you have 16 columns in your table, you're going to have a long insert statement.

You should use one of the database wrapper classes (like PDO). Firstly, it gives you a convenient way use prepared statements (avoiding SQL injection, and adding type checking). Secondly, it makes adding parameters more readable, since you don't have to concatenate one huge string.

// $conn is an already-opened PDO connection, i.e. new PDO($connectionString),
// passed in so the function is self-contained and does not reconnect per call
function insert_stuff(PDO $conn, $col1, $col2, $col3) {
    $query = "insert into my_table (col1, col2, col3) values (:col1, :col2, :col3)";
    $statement = $conn->prepare($query);

    // Values travel separately from the SQL text, so no manual escaping is needed
    $statement->bindValue(":col1", $col1);
    $statement->bindValue(":col2", $col2);
    $statement->bindValue(":col3", $col3);

    $statement->execute();
    // etc.
}

If you're really bothered by all the typing, you can use your database to generate some of the code for you:

-- Emits one bindValue() line per column of my_table_name
select
    concat('$statement->bindValue(":', column_name, '", $', column_name, ');')
from
    information_schema.columns
where
    table_schema = 'my_database_name'
and table_name = 'my_table_name';
Seth
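Putting the two ideas above together (pygorex1's field-to-column alias map and Seth's PDO prepared statement) as one added example that is not code from any answer on this page: a whitelist-driven insert where unknown POST fields are dropped and all values are bound as parameters. Table, column and DSN values are assumptions (the table name is taken from gimpe's answer below).

```php
<?php
// Added example, not code from any answer on this page: a whitelist-driven
// INSERT that combines pygorex1's column alias map with Seth's PDO prepared
// statement. Table, column and DSN values below are placeholders.

// $columns maps a $_POST field name to the SQL column it may fill. Fields not
// in the map (e.g. a POSTed "isAdmin") are ignored; values are never placed
// in the SQL text, only bound as parameters.
function insert_from_post(PDO $pdo, $table, array $columns, array $input)
{
    $ident = '/^[A-Za-z_][A-Za-z0-9_]*\z/';  // identifiers cannot be bound
    if (!preg_match($ident, $table)) {
        throw new InvalidArgumentException("Bad table name: $table");
    }
    $names = $placeholders = $values = array();
    foreach ($columns as $postField => $sqlColumn) {
        if (!preg_match($ident, $sqlColumn)) {
            throw new InvalidArgumentException("Bad column name: $sqlColumn");
        }
        if (!isset($input[$postField])) {
            continue;  // field not submitted: let the column default apply
        }
        $names[] = "`$sqlColumn`";
        $placeholders[] = ":$sqlColumn";
        $values[":$sqlColumn"] = $input[$postField];
    }
    if (empty($names)) {
        throw new InvalidArgumentException('No known fields in input');
    }
    $sql = sprintf('INSERT INTO `%s` (%s) VALUES (%s)',
        $table, implode(', ', $names), implode(', ', $placeholders));
    $stmt = $pdo->prepare($sql);
    $stmt->execute($values);
    return $pdo->lastInsertId();
}

// Usage with some of the question's field names (table name from gimpe's
// answer; DSN and credentials are placeholders).
$pdo = new PDO('mysql:host=localhost;dbname=hupcap_FCE', 'db_user', 'db_pass');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);  // real server-side prepares
$map = array(
    'orgName'  => 'org_name',
    'headline' => 'headline',
    'blurb'    => 'blurb',
);
$newId = insert_from_post($pdo, 'fce_partners', $map, $_POST);
```

Because the map is the only source of column names, adding a field to the form means adding one line to `$map`, and a POSTed key that is not in the map never reaches the query.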
A: 

Something like this would work:

$insertArray = array();
foreach ($_POST as $key => $value)
{
    // Column names come straight from the $_POST keys (hence "not secure" below)
    $insertArray[$key] = mysql_real_escape_string($value);
}
$query = "INSERT INTO `hupcap_FCE`.`fce_partners` (" . implode(',', array_keys($insertArray)) . ") VALUES ('" . implode("','", $insertArray) . "')";

//...

THIS IS NOT SECURE BUT IT WOULD WORK :)

gimpe