0

My code is:

if (isset($_POST['add'])) {
    $query = "INSERT INTO ".$dbPrefix."posts (`id`, `user`, `name`, `link`, `content`, `date`, `private`, `password`) VALUES (NULL, '$user', '$name', '$link', '$content', '$date', '$private', '$pass');";
    $mysqli->query($query) OR $status = 'Oprostite, pri dodajanju je prišlo do težave.';
    $id=$mysqli->insert_id;
    foreach ($_POST['categories'] as $category) {
        $categoryQuery.="INSERT INTO ".$dbPrefix."category_posts (`categoryID`, `postID`) VALUES ('".$category."','".$id."');";
    }
    $mysqli->query($categoryQuery) OR $status = $mysqli->error;
}
echo $status;

My variable $_POST is:

Array
(
    [name] => ((((((((((
    [description] => ))))))
    [keywords] => 
    [categories] => Array
        (
            [0] => 1
            [1] => 2
            [2] => 3
        )

    [private] => 0
    [password] => 
    [date] => 0
    [datetime] => 
    [add] => Dodaj
)

If I print the query and run it in phpMyAdmin there is no problem, otherwise it will display an error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'INSERT INTO fc_category_posts (`categoryID`, `postID`) VALUES ('2','116');INSERT' at line 1

Query is:

INSERT INTO fc_category_posts (`categoryID`, `postID`) VALUES ('1','116');
INSERT INTO fc_category_posts (`categoryID`, `postID`) VALUES ('2','116');
INSERT INTO fc_category_posts (`categoryID`, `postID`) VALUES ('3','116');
Coding Duchess
  • 6,445
  • 20
  • 113
  • 209
Filip Š
  • 746
  • 2
  • 13
  • 22
  • 4
    Seems like you can only pass one INSERT at the time. – jarlh Aug 23 '16 at 14:16
  • how can customize the code that will work – Filip Š Aug 23 '16 at 14:18
  • You just need to change your loop code to this: `foreach ($_POST['categories'] as $category) { $categoryQuery ="INSERT INTO ".$dbPrefix."category_posts (`categoryID`, `postID`) VALUES ('".$category."','".$id."');"; $mysqli->query($categoryQuery);` } – Hackerman Aug 23 '16 at 14:20
  • 2
    You cannot run more than one query statement in a single `query()` call, as a basic defense mechanism against ONE form of [sql injection attack](http://bobby-tables.com), which your code is utterly vulnerable to. – Marc B Aug 23 '16 at 14:24

2 Answers2

4

If you can only pass the one INSERT then why not do it like this;

INSERT INTO fc_category_posts (`categoryID`, `postID`) 
VALUES ('1','116'),('2','116'),('3','116');

Saves you running multiple INSERT INTO statements.

RiggsFolly
  • 93,638
  • 21
  • 103
  • 149
Rich Benner
  • 7,873
  • 9
  • 33
  • 39
2

Just simply move the execution of the query inside the loop

if (isset($_POST['add'])) {
    $query = "INSERT INTO ".$dbPrefix."posts 
                   (`id`, `user`, `name`, `link`, `content`, `date`, 
                    `private`, `password`) 
               VALUES (NULL, '$user', '$name', '$link', '$content', '$date', 
                       '$private', '$pass');";

    $mysqli->query($query) OR $status = 'Oprostite, pri dodajanju je prišlo do težave.';
    $id=$mysqli->insert_id;
    foreach ($_POST['categories'] as $category) {

        //Note I have chnages `.=` to `=` in this statement
        $categoryQuery = "INSERT INTO ".$dbPrefix."category_posts 
                                   (`categoryID`, `postID`) 
                            VALUES ('$category','$id');";

        $mysqli->query($categoryQuery) OR $status = $mysqli->error;
    }

}
echo $status;

However Your script is at risk of SQL Injection Attack Have a look at what happened to Little Bobby Tables Even if you are escaping inputs, its not safe! Use prepared parameterized statements

In this senario it would also be useful for you to consider running these inside a transaction so that if one insert fails you wont leave the darabase in a mess The manual for mysqli::begin_transaction

Community
  • 1
  • 1
RiggsFolly
  • 93,638
  • 21
  • 103
  • 149