
I'm wondering if there is any easier way to write the script I want to make.

I am trying to update all the fields in my database with the fields I have on my form for the system settings.

My database structure is: ID settingName Value

I have a function that updates the database for me on the call of

$opt->update_option('optionName', 'value');

Is there a way to specify during the POST what the corresponding optionName to the value would be so I could then run it through a foreach loop and not have to manually write the update_option for every form value?

I.e., when the form is posted it sends something like: SiteName:Stackoverflow so I can then run a for loop to split on the delimiter of :

And execute the database update?

Thanks for any input!

ConnorM
  • Are you using a framework? If so which one? – RiggsFolly Oct 25 '16 at 15:56
  • Share your HTML form as well. – Rajdeep Paul Oct 25 '16 at 15:56
  • Build a DataBase connection class. In this class have a method which takes the given array and uses the keys of the array as the column names and the values of the array as the column values. You will need to be careful with things like escaping strings (for column names at least) but you can then use this class on any website you work on (using the same catered for database as in your new class). – Martin Oct 25 '16 at 21:18

1 Answer


You could do something like this:

<input type="text" name="sitename" value="Stackoverflow">

And then:

foreach($_POST as $option => $value) {
    $opt->update_option($option, $value);
}

But to keep the values that you want separate from ones you don't, I would use an array:

<input type="text" name="options[sitename]" value="Stackoverflow">

And then:

foreach($_POST['options'] as $option => $value) {
    $opt->update_option($option, $value);
}

That could be a function that accepts the array. Regardless, in your update_option() function you need to do checking and escaping. Don't just dump the data into a query. See How can I prevent SQL injection in PHP?

AbraCadaver
  • Let's hope he is creating a database manager because this is an open door to hackers. – Phiter Oct 25 '16 at 16:00
  • @PhiterFernandes: Yes, take care of that in `update_option()`. – AbraCadaver Oct 25 '16 at 17:01
  • @PhiterFernandes Would you be able to go further into this? What doors would it lead open? I assume you mean SQL injection? – ConnorM Oct 25 '16 at 20:42
  • Would need to see the function, but in there you should check the data and use a parameterized query to use the posted values. – AbraCadaver Oct 25 '16 at 21:14
  • This is a very deep and complex topic that a full answer to your question would be rather large, to explain and show correctly and securely, but AbraCadaver here has given you a good start-off point for your own learning – Martin Oct 25 '16 at 21:20
  • @ConnorMcCarthy there are MANY things that could go wrong with this. The user could change the input names and values and then he'd be changing another column in the table. That's only the beginning. – Phiter Oct 26 '16 at 01:14
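
The checking that the answer and comments call for, as an added example that is not part of the original answer or the asker's code: a hypothetical `SettingsStore` class whose `update_option()` accepts only allowlisted option names, validates each value, and binds both through a PDO prepared statement. The option names, validation rules and in-memory SQLite table are assumptions; the table layout follows the question.

```php
<?php
declare(strict_types=1);

// Hypothetical settings store; table layout follows the question (ID, settingName, Value).
final class SettingsStore
{
    // Allowlist: only these option names may be written, each with its own validator.
    private array $rules;

    public function __construct(private PDO $db)
    {
        $this->rules = [
            'sitename'   => fn(string $v): bool => $v !== '' && strlen($v) <= 100,
            'adminemail' => fn(string $v): bool => filter_var($v, FILTER_VALIDATE_EMAIL) !== false,
        ];
    }

    public function update_option(string $name, mixed $value): bool
    {
        // Reject unknown names and non-string values (options[sitename][]=x arrives as an array).
        if (!isset($this->rules[$name]) || !is_string($value) || !($this->rules[$name])($value)) {
            return false;
        }
        // Name and value are bound as parameters, never concatenated into the SQL text.
        $stmt = $this->db->prepare('UPDATE settings SET Value = :v WHERE settingName = :n');
        $stmt->execute([':v' => $value, ':n' => $name]);
        return true;
    }
}

// In-memory SQLite stands in for the real database (assumption); rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE settings (ID INTEGER PRIMARY KEY, settingName TEXT UNIQUE, Value TEXT)');
$db->exec("INSERT INTO settings (settingName, Value)
           VALUES ('sitename', 'Old'), ('adminemail', 'a@example.com'), ('license_key', 'secret')");

// Constructed stand-in for $_POST['options']; the last two keys are ones the form never offered.
$posted = [
    'sitename'     => 'Stackoverflow',
    'adminemail'   => 'not-an-email',
    'license_key'  => 'overwritten',
    "x' OR '1'='1" => 'y',
];

$opt = new SettingsStore($db);
foreach ($posted as $option => $value) {
    $ok = $opt->update_option((string) $option, $value);
    printf("%-14s %s\n", $option, $ok ? 'updated' : 'rejected');
}
```

Because the allowlist lives on the server, renaming a form field in the browser cannot reach a row the settings page was never meant to edit.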