
I have built a system where I can create a category and a document. The categories live in the cat_list table and the documents live in the doc_list table. There is a column in the doc_list table called cat_no which takes an array of the categories that belong to that doc.

newfile.php

```php
<?php 
require_once '../../db_con.php'; 

try{
    // Selecting entire row from cat_list table
    $results = $dbh->query("SELECT * FROM cat_list");  
}catch(Exception $e) {
    echo $e->getMessage();
    die();
}
$cat = $results->fetchAll(PDO::FETCH_ASSOC);
?>

<form action="actions/newDocAdd.php" method="post" id="rtf" name="">
    <input type="text" name="doc_title" id="doc_title" required="required" placeholder="Document Title"/><br />

<?php

    foreach($cat as $cat){
        echo
        '<input type="checkbox" value="" name=""> ' .$cat["cat_title"]. '</a><br>';
    }
?>   
 <br><br>

    <textarea name="doc_content" id="doc_content" placeholder="Document Content" style="display: none;"></textarea>
    <iframe name="editor" id="editor" style="width:100%; height: 600px;"></iframe>

    <br><br> 
    <input onclick="formsubmit()" type="submit" value="Create Document" name="submit"/>


</form>
```

I have cut a lot out of the form because there is a lot of JS, since it is a WYSIWYG creator, hence the iframe. But the key area is where I list out categories above as checkboxes. I need to allow for that to then post a number (or array of numbers if more than one is clicked) into the col_no column in the doc_list table.

Here is the script which posts the data:

```php
<?
session_start();
session_regenerate_id();
if(!isset($_SESSION['user'])){
       header("Location: ../index.php");
    exit;
}


if(isset($_POST["submit"])){
include_once'../../config.php';

try {

$dbh = new PDO("mysql:host=$hostname;dbname=dashboardr",$username,$password);

$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // <== add this line

$sql = "INSERT INTO doc_list (doc_title, doc_content, doc_created, user_id) VALUES ('".$_POST["doc_title"]."','".$_POST["doc_content"]."', NOW(), '".$_SESSION['user']."''".$_POST['cat_no']."' )";

    print_r($_POST);

if ($dbh->query($sql)) {
    header ('Location: ../docList.php?success=1');
}
else{
}

$dbh = null;
}
catch(PDOException $e)
{
echo $e->getMessage();
}

}
?>
```

UPDATE

```php
<?php

    foreach($cat as $cat){
        echo
        '<input type="checkbox" value="$cat["cat_id"]" name="cat_no"> ' .$cat["cat_title"]. '</a><br>';
    }
?>  
```

So I can get it to post in a value of "0", but I need it to be an array of the IDs which I am posting. What is it I am doing wrong here?

PhpDude
  • Sidenote: If you're going to use PDO, why not use prepared statements? As it stands, you're open to SQL injection. Using PDO on its own without using prepared statements, doesn't safeguard against SQL injection. – Funk Forty Niner May 15 '15 at 13:20
  • ^^ @Fred-ii- is being too soft here :) - you really must read through [How can I prevent SQL injection in PHP](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) and follow the PDO examples there to use `prepare()/execute(array(...))` to replace these `$_POST` inputs with bound parameters. – Michael Berkowski May 15 '15 at 13:22
  • you are spot on - I have been a bit silly to miss that – PhpDude May 15 '15 at 13:23
  • Do you guys - aside from the obvious issues with SQL injection - have an idea of how I can post that data in? – PhpDude May 15 '15 at 13:26
  • See these Q&A's http://stackoverflow.com/q/4629022/ and http://stackoverflow.com/q/19815270/ - If you wish to further your research, use "insert array of data mysql pdo" as keywords. – Funk Forty Niner May 15 '15 at 13:29
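
The two points raised in the comments (bound parameters instead of concatenated `$_POST` values, and getting an array of ticked ids into `cat_no`) can be combined as in the following added example, which is not code from the question or from any commenter. It assumes `cat_no` stores a comma-separated list of `cat_id` values; the function names are hypothetical, and the demo rows are constructed and run on in-memory SQLite rather than the MySQL database used on the page.

```php
<?php
// Added example. Assumption: doc_list.cat_no stores a comma-separated list of cat_id values.

// name="cat_no[]" makes PHP collect every ticked box into an array in $_POST['cat_no'].
function renderCategoryBoxes(array $cats): string {
    $html = '';
    foreach ($cats as $c) {
        $html .= sprintf(
            '<label><input type="checkbox" name="cat_no[]" value="%d"> %s</label><br>' . "\n",
            $c['cat_id'],
            htmlspecialchars($c['cat_title'], ENT_QUOTES, 'UTF-8') // escape titles on output
        );
    }
    return $html;
}

// Keep only digit-only values that match a known category id; de-duplicate.
function cleanCategoryIds($posted, array $knownIds): array {
    $ids = [];
    foreach ((is_array($posted) ? $posted : []) as $v) {
        if (is_string($v) && ctype_digit($v) && in_array((int)$v, $knownIds, true)) {
            $ids[(int)$v] = true;
        }
    }
    return array_keys($ids);
}

// Bound parameters: no request value is concatenated into the SQL text.
function insertDocument(PDO $dbh, array $post, string $userId, array $knownIds): void {
    $stmt = $dbh->prepare(
        'INSERT INTO doc_list (doc_title, doc_content, doc_created, user_id, cat_no)
         VALUES (:title, :content, CURRENT_TIMESTAMP, :user, :cats)'
    );
    $stmt->execute([
        ':title'   => $post['doc_title'],
        ':content' => $post['doc_content'],
        ':user'    => $userId,
        ':cats'    => implode(',', cleanCategoryIds($post['cat_no'] ?? [], $knownIds)),
    ]);
}

// Constructed demo on in-memory SQLite (needs pdo_sqlite); the page itself uses MySQL.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE doc_list (doc_title TEXT, doc_content TEXT, doc_created TEXT, user_id TEXT, cat_no TEXT)');
$cats = [['cat_id' => 1, 'cat_title' => 'News'], ['cat_id' => 2, 'cat_title' => 'R&D <draft>']];
echo renderCategoryBoxes($cats);
$post = ['doc_title' => "O'Brien's notes", 'doc_content' => '<p>body</p>', 'cat_no' => ['2', '1', '2', '9', '1 OR 1=1']];
insertDocument($dbh, $post, 'alice', array_column($cats, 'cat_id'));
print_r($dbh->query('SELECT doc_title, user_id, cat_no FROM doc_list')->fetch(PDO::FETCH_ASSOC));
```

In the real handler, `$post` would be `$_POST`, `$userId` would be `$_SESSION['user']`, and `$knownIds` would come from the same `cat_list` query that builds the form.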
