
I'm trying to insert multiple bids, like from-to, in a column 'bidamount'. I have done some coding for the database and some code for multiple bids, but what I'm getting here is that whenever I insert values like 3.1 to 8.1, it inserts the values 8.1 and 0. It is not inserting all the values from 3.1 to 8.1 in column bidamount in the database table.

I'm new to PHP, so I'm not getting exactly what is wrong with this code. Please help me with this.

My code :

    <?php

    $con = mysql_connect("localhost","root","");
    if(!$con) {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db("gunjanbid", $con) or DIE('Database name is not available!');

    if(isset($_POST['submit'])) {
        $m=$_POST['bidamount'];
        $n=$_POST['bidamount'];
        for($bidd=$m;$bidd<=$n;$bidd++)
            $bidds=array($bidd);
        $username=$_SESSION['userName'];
        $productid=$_GET['id'];

        $sql1="INSERT INTO bid(productid,description,closing_date,bidamount,userName) values('$productid','$r',Now(),'$bidds','$username')";

        $result1=mysql_query($sql1);
        if($result1!=1) {
            echo "failure!";
        }
    }

    ?>

    <form action="" name="auction1" method="post">
        <input type="hidden" name="description" value="">
        <input type="hidden" name="closing_date" value="">
        <input type="text" name="bidamount" value="" size="5">&nbsp;&nbsp;to&nbsp;&nbsp;
        <input type="text" name="bidamount" value="" size="5">
        <input type="submit" name="submit" class="button" value="Bid Now">
    </form>

Please help me. I'm new to PHP.

user1978142
  • Why do you have two `name="bidamount"`? Plus `session_start();` isn't in your code, which is required when using sessions. – Funk Forty Niner Apr 26 '14 at 04:24
  • 3
    Please, if you're just starting to learn PHP, learn using the MySQLi or PDO extensions with prepared statements and bind variables, rather than directly inserting the **unescaped user input** in your queries. – Amal Murali Apr 26 '14 at 04:24
  • Because bidamount is my column where I want to insert all my bid values @fred-ii – user259457 Apr 26 '14 at 04:27
  • You have 2x `  to  ` remove one. You'll just be overwriting it on the 2nd one. – Funk Forty Niner Apr 26 '14 at 04:27
  • But I want to insert multiple values, so how is it possible? Please help me – user259457 Apr 26 '14 at 04:29
  • @user259457 Please use complete words, as they appear in the dictionary. Surely, it doesn't save any time. To answer your question: your input fields have the same `name` attribute. As Fred commented above, they'll get overwritten when the form is submitted. To get all the values, use an array. Change your name attribute to include a `[]` at the end. See the linked duplicate question for more details. – Amal Murali Apr 26 '14 at 04:35
  • I did `$m=$_POST['bid1']; $n=$_POST['bid2']; for($bidd=$m;$bidd<=$n;$bidd++) $bidds=array($bidd);` – user259457 Apr 26 '14 at 04:51

2 Answers

I suggest you use this code: `$bid = explode("to",$_POST['bidamount']); $m = $bid[0]; $n = $bid[1];` instead of `$m = $_POST['bidamount']; $n = $_POST['bidamount'];`

Asad Khan

Firstly: If you want to submit multiple values with the same name, you can put brackets after the name, like name="bidamount[]", and PHP will assemble them into an array for you.

Secondly, though, MySQL doesn't understand arrays. It doesn't like storing more than one value in a column. And quite frankly, you don't want to do it anyway. Seriously. It causes more trouble than it's worth.

  • Discrete values are harder to get. Since there's no "array" type in MySQL, you end up having to parse a string and other such junk to get your individual values back. Getting two values from two columns, on the other hand, is much simpler.
  • MySQL can't help you keep the data valid. All it sees is a big bunch of characters/bytes. It can't do but so much with the individual pieces. It can't enforce uniqueness, for example.
  • It makes indexes useless. Once you have to parse each string in order to find stuff in it, you've pretty much killed any chance of MySQL being able to use indexes to speed up the query.

If your two values represent a "low" and "high", then call them that, and store them as separate fields.

If they're just two arbitrary amounts, on the other hand -- and particularly if you anticipate having more than two -- then they should each be part of their very own row in another table.


As for the code: though it's not part of the question, there are a couple of other issues.

  • mysql_query is deprecated. (Read: not even the authors of PHP think you should use it.) Stop farting around with it. There are much better ways of talking to a database.

  • You're trusting the user way too much.

    Open up the page, then go into your browser's dev tools. Find the hidden fields, and change the description to "Joe's item". Submit the form, and it should break. The reason is that SQL uses ' for quotes. One being in your string throws off the quoting and corrupts the SQL.

    It's bad enough that this can be done accidentally -- but some people will do it on purpose, and can supply just the right data to trick your server into running SQL it shouldn't. That's called "SQL injection", and it can be a pretty serious security issue.

    You could work around this issue by simply stripping ' out of your input. But frankly, that's almost as half-assed as just saying "Don't use apostrophes!!11!11". And there is at least one other special character in strings as well.

If you use a more modern database extension, like PDO, you can fix the first two issues at once. Watch:

    <?php

    // Sessions are only available after session_start(); without it $_SESSION is empty.
    session_start();

    // isset() avoids an "undefined index" notice when the page is loaded without a POST.
    if (isset($_POST['submit'])) {
        // By the way, you don't need to create the DB connection if you don't need to
        // mess with the DB.  :)
        $con = new PDO('mysql:host=localhost;dbname=gunjanbid', 'root', '');

        $low = $_POST['low'];
        $high = $_POST['high'];
        $id = $_GET['id'];
        $description = $_POST['description'];
        $user = $_SESSION['username'];

        // PDO has a `query` method that works much like `mysql_query`.  But that does
        // absolutely nothing to fix the SQL injection issue.
        //
        // Instead, use a prepared statement.  You can insert placeholders (?) for data,
        // and when you run the statement later with the real data, PDO and MySQL know which
        // stuff is data and which is SQL.  Since they're kept separate, the data won't have
        // a chance to be interpreted as part of the SQL.
        $stmt = $con->prepare('
            INSERT INTO bid (productid, description, closing_date, userName, low, high)
            VALUES (?, ?, NOW(), ?, ?, ?)
        ');

        if (!$stmt->execute([$id, $description, $user, $low, $high])) {
            echo 'Failure!';
        }
    }

    ?>
cHao