mysql insert Notice: Array to string conversion

Question

$count = count(array_filter($_POST["materials"]));  
for($I = 0; $I < $count; $i++)  
{ 
    $insert = mysqli_query($con, "INSERT INTO table1 (uid, materials, num, cost)
            VALUES
            (
            '$_POST[uid]',
            '$_POST[material][$i]',
            '$_POST[num][$i]',
            '$_POST[cost][$i]',
            )");        
}

If I use echo $_post[materials][$i] it's giving me right result but in database it is inserting something like array[0].

Seems my $insert is not right. But I don't have any idea to insert it. Any ideas on how to do it?

`echo` your query to see the exact raw mysql query with variables substituted. — zerkms, Jul 16 '13 at 02:20
there are 3 forms materials, num, cost. each of them multiplied 5 times. — moogii enhtsogt, Jul 16 '13 at 02:30
One advice (may be you're following it): **Please sanitize and validate your input before inserting into the database**. — Vivek Jain, Jul 16 '13 at 02:56
Try changing `$_POST[material][$i]` to `$_POST['materials'][$i]` — bystwn22, Jul 16 '13 at 03:08
**You are leaving yourself wide open to SQL injection.** Please learn about using parametrized queries, preferably with the PDO module, to protect your web app. http://bobby-tables.com/php has examples to get you started. — Andy Lester, Jul 16 '13 at 03:12

score 0 · Answer 1 · answered Jul 16 '13 at 02:28

0

Array to string: implode(',', $_POST[material][$i])

answered Jul 16 '13 at 02:28

Allen Chak

1,802
1
10
21

where should i put it? sorry im new in php – moogii enhtsogt Jul 16 '13 at 02:34

score 0 · Answer 2 · edited Jul 16 '13 at 03:04

0

$sql_template = "INSERT INTO table1 (uid, materials, num, cost)
        VALUES(%d, %s, %s, %s)")";

$insert = mysqli_query($con, "INSERT INTO table1 (uid, materials, num, cost) = 
sprintf($sql_template, $_POST[uid], $_POST[material][$i], $_POST[num][$i], $_POST[cost][$i]);

mysqli_query($con,$insert);

For sprintf more details visit this link for data type and etc.

edited Jul 16 '13 at 03:04

Vivek Jain

3,811
6
30
47

answered Jul 16 '13 at 02:38

krishna singh

1,023
1
11
15

score -1 · Accepted Answer · edited May 23 '17 at 12:23

You can (and have to) use a pair of curly braces around the expressions, and also quote the array keys:

$insert = mysqli_query($con, "INSERT INTO table1 (uid, materials, num, cost)
            VALUES
            (
            '{$_POST['uid']}',
            '{$_POST['material'][$i]}',
            '{$_POST['num'][$i]}',
            '{$_POST['cost'][$i]}',
            )");

See php.net > Strings

It's because PHP's variable parsing in strings is limited to single-dimension array. For two or more dimensions you need to use the curly braces to indicate PHP the end of the variable. Same applies to accessing arrays with a string key.

You also need to quote the string array keys because they are actual strings, which you should always quote them properly

Also note that the code is fine if it is not production code. However you should be aware that your code opens a big security vulnerability called SQL Injection. If this is more serious work, you should refer to the link and fix the security vulnerability.

if i use curly braces i got another notice `Notice: Use of undefined constant` — moogii enhtsogt, Jul 16 '13 at 02:55
@moogiienhtsogt there was another error in your original code. Pointed it out in the edited answer. — Alvin Wong, Jul 16 '13 at 02:58

mysql insert Notice: Array to string conversion

3 Answers3