2

I have four fields: two name fields and two email fields. I have to insert all the fields' data with a foreach loop, but when I insert data through the foreach loop, a blank entry is also inserted in the database.

sample code

<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="UTF-8">
        <title></title>
    </head>
    <body>
        <form method="post">
            Name : <input type="text" name="name[]"><br>
            Email : <input type="text" name="email[]"><br>
            Name : <input type="text" name="name[]"><br>
            Email : <input type="text" name="email[]"><br>
            <input type="submit" name="submit">
        </form>
    </body>
</html>

<?php
if(isset($_POST['submit']))
{
    $conn = mysqli_connect("localhost", "root", "", "practice");
    $i=0;

    foreach($_POST as $val)
    {
        $name=$_POST['name'][$i];
        $email=$_POST['email'][$i];

        $sql = "insert into interview (Name, Email) values ('$name', '$email')";
        $result = mysqli_query($conn, $sql);
        $i++;

    }

}
?>

Can anybody help me?

This is my database table screen shot.

Sandeep Kumar
  • It's sample code for dynamically created input fields. In the above code, I used hard-coded input fields two times. Literally it is not like this. Mainly I had faced the problem with dynamically created input fields. – Sandeep Kumar Oct 07 '16 at 21:41
  • Do this now! http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?s=1|25.2627 – AbraCadaver Oct 08 '16 at 02:03

3 Answers

3

First, see here How can I prevent SQL injection in PHP? Do your query differently or you're screwed.

Since name and email are indexed the same, just loop one and reference the other by key:

foreach($_POST['name'] as $key => $val) {
    $name  = $val;
    $email = $_POST['email'][$key];

   // prepared statement query
}

Or you could do inputs like this to get arrays more like database rows:

Name  : <input type="text" name="data[0][name]"><br>
Email : <input type="text" name="data[0][email]"><br>

Then loop it easily:

foreach($_POST['data'] as $val) {
    $name  = $val['name'];
    $email = $val['email'];
}
AbraCadaver
3
#Simple Answer!
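// Prepare once; the values are bound as parameters, never interpolated into the SQL text.
$stmt = mysqli_prepare($DB_Connection, "insert into interview (Name, Email) values (?, ?)");
foreach($_POST['name'] as $index => $val) {
    $name  = $val;
    $email = $_POST['email'][$index];

    mysqli_stmt_bind_param($stmt, 'ss', $name, $email);
    $result = mysqli_stmt_execute($stmt);
}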
Dennisrec
1

We note that 'submit' is also a value in $_POST.

It looks like the code will go through the loop three times, one time for each of 'submit', 'name' and 'email'. (It might be going through the loop five times, not sure? I'd just echo $val in the loop to see what's going on.)

It looks like you are attempting to loop through either $_POST['name'] or $_POST['email'], rather than just $_POST.

As long as you get an equal number in each of those, it shouldn't matter which.


Code appears to be vulnerable to SQL Injection.

If there is some (unfathomable) reason you can't use a prepared statement with bind placeholders, any potentially unsafe values need to be properly escaped. PHP has a mysqli_real_escape_string function which is expressly designed for this purpose.

Also, there doesn't appear to be any check for an error being returned from mysqli_query. It looks like the code is putting its figurative pinky finger to the corner of its mouth, Dr. Evil style, and saying "I just assume it will all go to plan. What?"

spencer7593
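
The points raised in the answers above (loop $_POST['name'] by key, bind values in a prepared statement, check for query errors), combined as an added example that is not code from any of the posts. The function names collect_rows and insert_rows and the sample input are hypothetical and constructed; the connection parameters and the interview table are the ones from the question.

```php
<?php
// Added example, not code from the original posts.
// Pair name[] and email[] by key and keep only complete string rows.
function collect_rows(array $post): array
{
    $names  = is_array($post['name'] ?? null) ? $post['name'] : [];
    $emails = is_array($post['email'] ?? null) ? $post['email'] : [];
    $rows = [];
    foreach ($names as $key => $name) {
        $email = $emails[$key] ?? '';
        if (!is_string($name) || !is_string($email)) {
            continue; // e.g. name[0][]=x arrives as a nested array
        }
        $name  = trim($name);
        $email = trim($email);
        if ($name === '' || $email === '') {
            continue; // incomplete row: never store a blank record
        }
        $rows[] = [$name, $email];
    }
    return $rows;
}

// One prepared statement, executed once per row; values never touch the SQL text.
function insert_rows(mysqli $conn, array $rows): int
{
    $stmt = $conn->prepare('INSERT INTO interview (Name, Email) VALUES (?, ?)');
    foreach ($rows as [$name, $email]) {
        $stmt->bind_param('ss', $name, $email);
        $stmt->execute();
    }
    return count($rows);
}

if (isset($_POST['submit'])) {
    // Make mysqli throw mysqli_sql_exception instead of failing silently.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    // Connection parameters and table are the ones used in the question.
    $conn = new mysqli('localhost', 'root', '', 'practice');
    printf("%d row(s) inserted\n", insert_rows($conn, collect_rows($_POST)));
} else {
    // Constructed sample input for a command-line run (no database needed).
    $sample = [
        'name'   => ["O'Brien", '', 'Asha'],
        'email'  => ['obrien@example.com', '', 'asha@example.com'],
        'submit' => 'Submit',
    ];
    print_r(collect_rows($sample));
}
```

Run from the command line, it prints the two complete rows from the sample, including the name containing an apostrophe, which would break the interpolated query but is stored unchanged through the placeholder.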