if (array_key_exists('submit', $_POST)) {
    foreach ($_POST as $key => $value) {
        ${$key} = mysql_real_escape_string($value);
        $imp_1 = implode("' '", array_keys($lunch_days));
        $imp_2 = implode("' '", array_keys($dinner_days));
        $imp_3 = implode("' '", $hours_dinner);
        $imp_4 = implode("' '", $hours_lunch);
    }
    $sql = "INSERT INTO local_eats(..., ...., ...etc.. etc..) VALUES('$...', '$....', '$...', etc.. etc..)";

My question is: ever since I added the mysql_real_escape_string() function to all of my $_POST variables, I cannot insert my four implode variables, $imp_1, $imp_2, $imp_3 and $imp_4.

Giacomo1968
  • Then try injecting it (`mysql_real_escape_string()`) directly into your query. – Funk Forty Niner Apr 27 '14 at 02:16
  • such as VALUES($..., $..., implode(' ', array_keys($lunch_days)), .., implode(' ', array_keys($dinner_days)), $...etc)"; – user2469375 Apr 27 '14 at 02:19
  • Then would that be: VALUES mysql_real_escape_string(($val1, $val2, $val3, $val4, etc..))"; ? Sorry, this is a rather non-pro at work on this. Thanks. – user2469375 Apr 27 '14 at 02:22
  • More like `VALUES ('".mysql_real_escape_string($val1)."', '".mysql_real_escape_string($val2)."'` etc. – Funk Forty Niner Apr 27 '14 at 02:26
  • I tried wrapping the mysql_real_escape_string() formula around all of my values in the second half of the query, but it just threw an ugly error message on the webpage once I submitted the form. I know that there has got to be an easy way to account for the escaping of apostrophes in my implode() formula that will allow me to input the imploded variables into the SQL statement. – user2469375 Apr 27 '14 at 02:34
  • Ok. Thanks Fred, I'll try inputting the mysql_real_escape_string formula that way. – user2469375 Apr 27 '14 at 02:35
  • You can try what I suggested while using `foreach($_POST as &$val) $val = mysql_real_escape_string(htmlspecialchars(trim($val)));` plus, you'd be best using PDO, it will save you a lot of time wondering about injection. – Funk Forty Niner Apr 27 '14 at 02:40
  • Also try `foreach($_POST as $key => $value) { $_POST[$key] = mysql_real_escape_string($value);...` and dropping `${$key} = mysql_real_escape_string($value);`. I think that could work. You weren't using your `$key` variable. – Funk Forty Niner Apr 27 '14 at 02:41
  • Yes, that did work! Thank you. This can at least provide a fix until I seek some assistance on a briefer method rather than injecting the formula directly into the SQL statement. But big thanks again!! – user2469375 Apr 27 '14 at 02:44
  • You're welcome. Which method worked? – Funk Forty Niner Apr 27 '14 at 02:45
  • Other options to test here. I'll give them a fair chance and get back to you. I know that PDO or mysqli would be better, but I'm not using PHP on a daily basis and stick to basics. – user2469375 Apr 27 '14 at 02:46
  • Ok. Just saying that if you want me to put in an answer so we can close the question. Keep me posted. – Funk Forty Niner Apr 27 '14 at 02:47
  • This one worked right `foreach($_POST as $key => $value) { $_POST[$key] = mysql_real_escape_string($value);` ? – Funk Forty Niner Apr 27 '14 at 02:51
  • No, the one I tried was inserting the mysql_real_escape_string around each of my $vars that are likely to contain an apostrophe in the text areas of an online form, such as $restaurant_name, $description. I haven't tried the other suggestions yet. I'll mark your responses as the answer! Thanks again. – user2469375 Apr 27 '14 at 02:55
  • Ok. Well, the important thing is that a solution was found, and I posted my comments as an answer below. – Funk Forty Niner Apr 27 '14 at 02:57
  • I tried the `foreach($_POST as $key => $value) { $_POST[$key] = mysql_real_escape_string($value);` though that prevented anything from going into the MySQL database. Each field just showed as NULL. I'm going to stick with the method that worked before and leave it alone for now. Thanks. – user2469375 Apr 27 '14 at 03:11
  • You're welcome. Ok. I deleted my answer. No sense in giving you something that didn't work. – Funk Forty Niner Apr 27 '14 at 03:12

1 Answer

Firstly, I have a few suggestions for your design:

  • Arbitrarily converting $_POST keys to variables is a bad idea: if you had an $isAdmin variable and someone passed isAdmin as a POST parameter, that variable would be set.
  • Arbitrarily defining your schema / queries based on what query parameters are provided is a bad idea: if you had an is_admin column, they could pass that as a query parameter and set that field.
  • It's better to use prepared statements via PDO rather than mysql_real_escape_string.

My advice would be to use something like this:

if (array_key_exists('submit', $_POST)) {
    // Whitelist of day names; only these ever become part of a parameter name
    $days = array(
        'monday',
        'tuesday',
        ... etc...
    );

    // The column list is fixed in the SQL text; user input only supplies values
    $sth = $dbh->prepare('INSERT INTO local_eats(lunch_monday, lunch_tuesday, ... dinner_monday, ..., open_dinner_monday, etc.) VALUES(:lunch_monday, :lunch_tuesday, ...etc)');

    foreach($days as $day) {
        // bindValue, not bindParam: bindParam takes its value by reference,
        // so passing the literal 1 or 0 would be a fatal error
        if(isset($_POST['lunch_days'][$day])) {
            $sth->bindValue(':lunch_' . $day, 1, PDO::PARAM_INT);
        } else {
            $sth->bindValue(':lunch_' . $day, 0, PDO::PARAM_INT);
        }
        // Do the above for the other "groups" of fields
    }

    $sth->execute();
}

This way only certain fields can be set and you're not creating any variables dynamically. I'd also consider changing your schema to have a separate days table if it's unlikely the majority of your entries will be open every day.

thexacre
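A fuller version of the whitelist-and-bind approach the answer describes, written here as an added example rather than the answer's own code. It assumes a local_eats table with restaurant_name, description and lunch_<day> / dinner_<day> flag columns and a placeholder DSN; those names are assumptions, and the checkbox arrays lunch_days / dinner_days are the ones from the question.

```php
<?php
// Added example, not the answer's own code. Column names come only from the
// $days whitelist and the fixed list below; request data decides values, never
// SQL text, and no variable is ever created from a $_POST key.
$days = ['monday', 'tuesday', 'wednesday', 'thursday', 'friday', 'saturday', 'sunday'];

function buildInsert(array $days, array $post): array
{
    // Assumed column names for the free-text fields
    $columns = ['restaurant_name', 'description'];
    $params  = [
        ':restaurant_name' => (string) ($post['restaurant_name'] ?? ''),
        ':description'     => (string) ($post['description'] ?? ''),
    ];
    foreach (['lunch', 'dinner'] as $meal) {
        foreach ($days as $day) {
            // $_POST['lunch_days'][$day] / $_POST['dinner_days'][$day] are the
            // checkbox arrays from the question; input only picks 1 or 0.
            $columns[] = "{$meal}_{$day}";
            $params[":{$meal}_{$day}"] = isset($post["{$meal}_days"][$day]) ? 1 : 0;
        }
    }
    // Both lists are built from whitelisted names, so this string is safe to
    // interpolate; the user-supplied strings travel separately as parameters.
    $sql = sprintf(
        'INSERT INTO local_eats (%s) VALUES (%s)',
        implode(', ', $columns),
        implode(', ', array_keys($params))
    );
    return [$sql, $params];
}

if (array_key_exists('submit', $_POST)) {
    // Placeholder DSN and credentials (assumption)
    $dbh = new PDO('mysql:host=localhost;dbname=example', 'user', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares
    ]);
    [$sql, $params] = buildInsert($days, $_POST);
    $sth = $dbh->prepare($sql);
    // An apostrophe in restaurant_name needs no escaping: it is a bound value
    $sth->execute($params);
}
```

The implode() calls that broke in the question are gone entirely: each day becomes its own bound flag instead of a quoted, escaped string spliced into the query.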