
I have a PHP file and a sample form which is quite big (around 60 fields, all optional). Now what I want to do is get whatever parameters were passed and insert them into the table. I created a sample for 15 fields, but I can't go on and keep doing this for 60 items.

    $a1 = $_REQUEST['a1'];
    $a2 = $_REQUEST['a2'];
    $a3 = $_REQUEST['a3'];
    $a4 = $_REQUEST['a4'];

    $a5 = $_REQUEST['a5'];
    $a6 = $_REQUEST['a6'];
    $a7 = $_REQUEST['a7'];
    $a8 = $_REQUEST['a8'];

    $a9 = $_REQUEST['a9'];
    $a10 = $_REQUEST['a10'];
    $a11 = $_REQUEST['a11'];
    $a12 = $_REQUEST['a12'];

    $a13 = $_REQUEST['a13'];
    $a14 = $_REQUEST['a14'];
    $id = $_REQUEST['id'];

    include 'conn.php';
    $sql = "insert into med_history (a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13, a14, id) values(
            '$a1','$a2','$a3','$a4','$a5','$a6','$a7','$a8','$a9','$a10','$a11','$a12','$a13','$a14','$id')";
    @mysql_query($sql);
    echo "Inserted successfully";

Also, with this one the problem is that an error is received if some parameter is not passed. So, how do I fix it?

I am not using PDO or mysqli because this is done on a testing server and not on the actual server. When I migrate to the production server I will make the PDO connection.

Harshit Laddha
  • **Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Mar 28 '14 at 10:19
  • I know, I was using it to see if my application actually works or not. I will change it to PHP PDO to prevent any attacks – Harshit Laddha Mar 28 '14 at 10:21
  • "I am not using PDO or mysqli because this is done on testing server and not on actual server. When i migrate to the production server i will make the PDO connection" — So you're going to write it, fail to get it to work, ask for help, fix it, then *throw it all away and start again with a different API*, fail to get it to work, ask for help to fix it and then put it into production? – Quentin Mar 28 '14 at 10:21
  • Well, what can I say, I am always over-cautious about things. But if it works in the testing environment, I don't need help to change any API; that's just syntax, as I will already have the logic – Harshit Laddha Mar 28 '14 at 10:24
  • It isn't just syntax, at least not if you do it properly. – Quentin Mar 28 '14 at 10:29
  • Usually I try to refrain from ranting, but for crying out loud... Just taking anything any client sends and stuff it in something that might or might not resemble an sql query which might or might not make any semantic sense from the whole system's point of view ...that's not just lazy, that's *bleepedybleepbleep*holy*bleep*! `med_history` - oh no, not personal, medical data, is it? *BLEEEP* Sorry, feeling better now. | Define those fields somewhere and build generators that create both the code for output (the html form) and the input (check, sanitizing, encoding, ...). – VolkerK Mar 28 '14 at 10:38
  • For starters take a look e.g. at http://symfony.com/doc/current/bundles/SensioGeneratorBundle/commands/generate_doctrine_crud.html or something similar. – VolkerK Mar 28 '14 at 10:38

2 Answers


I hope this piece of code would help you:

    $a = array();
    foreach ( $_REQUEST AS $key => $value ) {
        # !!! make some tests on key and value ... e.g.
        # only keys of the form a<number> are accepted here; anything else is dropped
        if ( preg_match("/^a\d+$/", $key) ) {
            $a[] = ' `'.$key.'` = "'.mysql_real_escape_string($value).'"';
        }
    }
    if ( count($a) ) {
        $sql = "insert into med_history SET ".implode(', ', $a);
        mysql_query($sql) or exit(mysql_error());
        echo "Inserted successfully";
    }
blue
  • Let's say the $_REQUEST has values with keys 'a1' and 'id'. Then your INSERT syntax will be like **insert into med_history SET `a1` = "value1"**. The id will be missing – xiidea Mar 28 '14 at 10:45
  • I wasn't looking for syntax anyway; I can make the queries if I have the array with the requested parameters – Harshit Laddha Mar 28 '14 at 10:45
  • @xiidea I can always append to that string, I haven't executed it yet. Else I will change the name of id in the form to match it to the regex – Harshit Laddha Mar 28 '14 at 10:49
  • @xiidea: having an `id` in a table is a good idea, having an index is much better, but these are all optional. – blue Mar 28 '14 at 10:53
  • @blue: LOL. As far as I understand, **optional** means data may or may not be there. But you have just ignored the data!! :D. Anyway, the good thing is you have solved the problem of deadman. – xiidea Mar 28 '14 at 11:00
  • @xiidea - just read the code man. I haven't ignored but rather intentionally dropped some data and commented with three "!" one needs to check its input and adjust the code for one's needs. – blue Mar 28 '14 at 11:06
  • @blue: Yea I can see that. But can't understand why you have _intentionally_ dropped **id** from **sample** data. – xiidea Mar 28 '14 at 11:17

Simple solution:

    <?php
    include 'conn.php'; // mysql_real_escape_string() needs the open connection

    $first_string = "";
    $second_string = "";

    // Only add a column when its parameter was actually sent, so a missing
    // field causes no "undefined index" notice.
    if (isset($_REQUEST['a1'])) {
        $first_string  .= ",a1";
        $second_string .= ",'" . mysql_real_escape_string($_REQUEST['a1']) . "'";
    }
    // do this for all values, and after you finish delete the leading (,)
    // from both strings

    $first_string  = substr($first_string, 1);
    $second_string = substr($second_string, 1);

    // column names go in the first list, the escaped values in the second
    $id  = mysql_real_escape_string($_REQUEST['id']);
    $sql = "insert into med_history(" . $first_string . ",id) values(" . $second_string . ",'$id')";
    @mysql_query($sql);
    echo "Inserted successfully";
    ?>

You can use your skills as a programmer to make the code good and small using for loops, foreach, etc., but this is the general idea to help you with the "not passed parameters" error. I hope this is what you are looking for.

xyzdev
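Both answers build the query from whatever keys the client sent. As an added example (not code from the question or either answer), the same "insert only the optional fields that arrived" task written against a whitelist of known columns and a PDO prepared statement, which is the API the asker says the production version will use. It assumes a PDO connection `$pdo` provided by `conn.php`, the `med_history` table and `a1`..`a60`/`id` column names from the question, and PHP 7.1 or newer.

```php
<?php
// Added example, not from the original post. Assumes conn.php defines $pdo
// (a PDO instance) and that med_history has columns a1..a60 and id.
include 'conn.php';

// The allowed column names come from OUR list, never from the request, so an
// unexpected key such as "a999" or "foo" is silently ignored instead of
// becoming part of the SQL text.
$allowed = array_map(function ($n) { return "a$n"; }, range(1, 60));
$allowed[] = 'id';

function buildInsert(array $request, array $allowed, string $table): ?array
{
    $cols = [];
    $params = [];
    foreach ($allowed as $col) {
        // isset() avoids the "undefined index" notice for fields that were
        // not submitted; an empty string is treated as "not sent" as well.
        if (!isset($request[$col]) || $request[$col] === '') {
            continue;
        }
        $cols[] = "`$col`";                   // identifier from the whitelist
        $params[":$col"] = $request[$col];    // value bound as a parameter
    }
    if (!$cols) {
        return null;                          // nothing was submitted
    }
    $sql = sprintf(
        "INSERT INTO `%s` (%s) VALUES (%s)",
        $table,
        implode(', ', $cols),
        implode(', ', array_keys($params))
    );
    return [$sql, $params];
}

$built = buildInsert($_REQUEST, $allowed, 'med_history');
if ($built === null) {
    echo "Nothing to insert";
} else {
    [$sql, $params] = $built;
    // The SQL text contains only placeholders; the client-supplied values
    // travel separately, so they cannot alter the statement.
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    echo "Inserted successfully";
}
```

With `id` handled like any other whitelisted column, a request carrying only `a1` and `id` yields `INSERT INTO `med_history` (`a1`, `id`) VALUES (:a1, :id)`, which addresses the missing-id case raised in the comments on the first answer.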