
In my MySQL database I have this table, and I want to send data to it. `Id` is auto-increment:

Id insertId invoceTaxApplayId sumOfDist
if (isset($_POST['basic'])) {
    $user_string = $_POST['basic'];
    $basic = json_decode($user_string);
    foreach ($basic as $key => $value) {
        $sql2 = "INSERT INTO `insert_tax_applay_map`( `insertId`, `invoceTaxApplayId`, `sumOfDist`) VALUES ('$value','', 5)";
        echo $sql2; //printed
        echo $key;
    }
    exit();
}

I can see the echoes, but the data isn't sent to MySQL.

  • echo $key or $value also is working – Maria Hambardzumyan Feb 13 '21 at 03:07
  • 4
    you only created an sql string but you haven't executed any sql command. – Anurat Chapanond Feb 13 '21 at 03:13
  • 1
    Two upvotes for an obvious silly mistake? Smells fishy to me – John Conde Feb 13 '21 at 03:14
  • 2
    Please read about **[SQL injection](https://en.wikipedia.org/wiki/SQL_injection)**. Instead of building queries with string concatenation, use **[prepared statements](https://secure.php.net/manual/en/pdo.prepare.php)** with **[bound parameters](https://secure.php.net/manual/en/pdostatement.bindparam.php)**. See **[this page](https://phptherightway.com/#databases)** and **[this post](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)** for some good examples. – John Conde Feb 13 '21 at 03:17
  • Tip: Don't declare SQL statements as variables, only use them as arguments to things like `prepare()` so you don't have a dud like this that doesn't execute. The code you have here is the same as `$sql = "lol"`, it doesn't do anything. – tadman Feb 13 '21 at 04:21
  • 1
    If you're just getting started with PHP and want to build applications, I'd strongly recommend looking at various [development frameworks](https://www.cloudways.com/blog/best-php-frameworks/) to see if you can find one that fits your style and needs. They come in various flavors from lightweight like [Fat-Free Framework](https://fatfreeframework.com/) to far more comprehensive like [Laravel](https://laravel.com/). These give you concrete examples to work from and guidance on how to write your code and organize your project's files as well as standards for defining and executing queries. – tadman Feb 13 '21 at 04:26
  • @JohnConde Nothing wrong with learning or making silly mistakes. – tadman Feb 13 '21 at 04:30
  • 1
    @tadman Thank you so much – Maria Hambardzumyan Feb 13 '21 at 10:12

1 Answer

0

You can fix the issue of not executing and your serious SQL injection bug with one simple trick: Prepared statements with placeholder values!

if (isset($_POST['basic'])) {
  $user_string = $_POST['basic'];
  $basic = json_decode($user_string);

  // $db is your PDO connection object.
  // Prepare your database query with placeholder values
  $stmt = $db->prepare("INSERT INTO insert_tax_applay_map (insertId, invoceTaxApplayId, sumOfDist) VALUES (:insertId, :invoiceTaxApplayId, :sumOfDist)");

  // For each entry...
  foreach ($basic as $key => $value) {
    // ...execute the statement with that particular set of values.
    // The values are bound to the placeholders and never spliced into the SQL text.
    $stmt->execute([
      'insertId' => $value,
      'invoiceTaxApplayId' => '',
      'sumOfDist' => 5
    ]);
  }

  exit();
}

This example uses PDO but can easily be adapted to mysqli or whatever you're using.

Tip: For general guidance on PHP, see PHP the Right Way for more resources.

tadman
  • 208,517
  • 23
  • 234
  • 262
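A fuller version of the approach in the answer, added here as an example and not code from the answer or the question: it assumes a PDO connection named `$db` (the DSN, user and password are placeholders), switches PDO to exception error mode so a failed insert cannot go unnoticed the way the original silent non-execution did, rejects malformed JSON before touching the database, and runs the batch inside a transaction.

```php
<?php
// Added example. DSN, user and password are placeholders, not values from the page.
$db = new PDO(
    'mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4',
    'YOUR_USER',
    'YOUR_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]
);

if (isset($_POST['basic'])) {
    // Decode to a plain array and refuse anything that is not a JSON array.
    $basic = json_decode($_POST['basic'], true);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($basic)) {
        http_response_code(400);
        exit('basic must be a JSON array');
    }

    // Placeholders stand in for the values; the SQL text never contains user input.
    $stmt = $db->prepare(
        'INSERT INTO insert_tax_applay_map (insertId, invoceTaxApplayId, sumOfDist)
         VALUES (:insertId, :invoiceTaxApplayId, :sumOfDist)'
    );

    // One transaction for the whole batch: either every row lands or none does.
    $db->beginTransaction();
    try {
        foreach ($basic as $value) {
            if (!is_scalar($value)) {
                throw new InvalidArgumentException('each entry must be a scalar');
            }
            $stmt->execute([
                'insertId'           => $value,
                'invoiceTaxApplayId' => '',
                'sumOfDist'          => 5,
            ]);
        }
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();
        error_log($e->getMessage()); // keep the detail in the log, not in the response
        http_response_code(500);
        exit('insert failed');
    }
    exit();
}
```

With `ERRMODE_EXCEPTION` on, a statement that never reaches the server, a type mismatch on `invoceTaxApplayId`, or a constraint violation surfaces as an exception rather than as a page that looks fine but inserts nothing.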