PHP insert array from multiple checked checkbox and text input into mySQL

Question

I have an issue when trying to insert info coming from a form which is generated dynamically in php. The form consists of of an variable amount of inputs which all consists of four input elements. See below how my form is generated:

<?php $result = mysql_query("SELECT id,name,description FROM todo_q WHERE todo_id = $todo_id AND active = 'y'");
                while($todo_q=mysql_fetch_array($result)){

                                                echo '<label>';
                                                echo $todo_q['name'];
                                                echo '</label><br>'; 

                                                echo '<input type="checkbox" name="value[]" value="y" />';
                                                //echo '<input type="hidden" name="value[]" value="n" />';

                                                echo '<label>';
                                                echo $todo_q['description'];
                                                echo '</label><br>';
                                                echo '<input type="text" id="comment" name="comment[]">';

                                                echo '<input type="hidden" name="user_id[]" value="';
                                                echo $user_id;
                                                echo '" />';
                                                echo '<input type="hidden" name="todo_id[]" value="';
                                                echo $todo_q['id'];
                                                echo '" />';
                                                echo '<HR>';

                                                }?>

And this is how I try to insert the info into mySQL:

    $query = "INSERT INTO todo_a (value, comment, user_id, todo_id) VALUES ";
$query_parts = array();
for($x=0; $x<count($_POST["value"]); $x++){
    $query_parts[] = "('" . $_POST['value'][$x] . "','" . $_POST['comment'][$x] . "'," . $_POST['user_id'][$x] . "," . $_POST['todo_id'][$x] . ")";


    }
    $q_parts = $query_parts;

        foreach ($q_parts as $q_p){

            $insert = ($query .= implode(',', $query_parts));
            $result = mysql_query($insert);
        }

The problem I have is that when check all checkboxes and comments everything is inserted on the right row in the DB, but if I skip to check one checkbox then it gets messed up...

I would like it the insert a new row if it the checkbox is checked and/or a comment is entered. Can anybody point me in the right direction?

I tried to put a hidden input to get the value of unchecked checkboxes but i doesn't seem to work.. That why I have commented out the hidden checkbox.

PS. I know I should be using mysqli but this is an older site that I haven't upgraded yet..

**Obligatory warning: Please please please don't use this code in production..**. Sanitize your queries to prevent some XSS.. Also have you checked this related issue ? http://stackoverflow.com/questions/5640298/php-insert-data-from-checkbox-array-into-mysql?rq=1 — Pogrindis, Apr 18 '17 at 15:16
FYI, [you shouldn't use `mysql_*` functions in new code](http://stackoverflow.com/questions/12859942/). They are no longer maintained [and are officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). See the [red box](http://php.net/manual/en/function.mysql-connect.php)? Learn about [*prepared statements*](https://en.wikipedia.org/wiki/Prepared_statement) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://php.net/manual/en/mysqlinfo.api.choosing.php) will help you decide which one is best for you. — John Conde, Apr 18 '17 at 15:18
Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/) Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). — John Conde, Apr 18 '17 at 15:18

Camille · Accepted Answer · 2017-04-18T16:11:58.170

You need to add index into input checkbox and comment name like :

$cbIndex = 0;
while($todo_q=mysql_fetch_array($result)){  
    echo '<label>';
    echo $todo_q['name'];
    echo '</label><br>'; 
    // Generate checkbox with index of current result
    echo '<input type="checkbox" name="value[' . $cbIndex . ']" value="y" />';
    // Generate comment with index of current result
    echo '<input type="text" id="comment" name="comment[' . $cbIndex . ']">';
    echo '<input type="hidden" name="user_id[' . $cbIndex . ']" value="';
    echo $user_id;
    echo '" />';
    echo '<input type="hidden" name="todo_id[' . $cbIndex . ']" value="';
    echo $todo_q['id'];
    echo '" />';
    echo '<HR>';
    // Inc of index
    $cbIndex++;
}

When you submit your form, only checked checkbox will appear in $_POST["value"] :

foreach ($_POST["value"] as $cbIndex => $cbValue) {
    $query_parts[] = "('" . $_POST['value'][$cbIndex] . "','" . $_POST['comment'][$cbIndex] . "'," . $_POST['user_id'][$cbIndex] . "," . $_POST['todo_id'][$cbIndex] . ")";
    // or
    $query_parts[] = "('" . $cbValue . "','" . $_POST['comment'][$cbIndex] . "'," . $_POST['user_id'][$cbIndex] . "," . $_POST['todo_id'][$cbIndex] . ")";
}
...

Btw, you don't need to store value of checkbox, that will be 'y' all the time.

INFO That will be fine for a test app, but as commented by @Pogrindis and @John Conde, it's not safe code. MySQLi/PDO + prepare statement will avoid SQL injection.

Thank you @camille for your suggestion. It seems to work. And I will not use this as is in a "live" app. For now it's just a test. — user2533103, Apr 18 '17 at 17:17

PHP insert array from multiple checked checkbox and text input into mySQL

1 Answers1