-1

The code inserts data into the database. I am having an issue with replacing one of the array value with a variable i.e I want to specify $fac_id as the value instead of fetching the value from an input field. When I execute the code, the value in db is empty but when I echo $fac_id, I get a value for the logged in user such as 7.

$current_user = wp_get_current_user();
$fac_id = get_current_user_id();
for ($i = 0; $i < count($_POST["service"]); $i++) {
    $fields = [
          1 => 'shifttype',
          2 => 'shiftstype',
          3 => ''.$fac_id.'',
          4 => 'cvd',
          7 => 'facname',
          8 => 'facadd',
    ];

    foreach ($fields as $formInputId => $inputValueKey) {
        $d_id = '';
        $appointmentid = $insertId;
        $customerid = $custs->id;
        $forminputid = $formInputId;
        $inputvalue = $_POST[$inputValueKey][$i];
        $inputfilename = 'NULL';

        $insert_cust = "INSERT INTO wp_appointment_custom_data (id, appointment_id, customer_id, form_input_id, input_value, input_file_name) VALUES ('$d_id', '$appointmentid', '$customerid', '$forminputid', '$inputvalue', '$inputfilename')";
        $query_run = mysqli_query ($que_cust, $insert_cust);
    } 
}
El_Vanja
  • 3,660
  • 4
  • 18
  • 21
Danstan Ongubo
  • 105
  • 1
  • 8
  • 1
    Have you tried to debug the values? We can't run this code to test it, you need to supply the debugging details for us. – El_Vanja May 19 '21 at 12:18
  • Take the quotes and concatenation off of ''.$fac_id.'' – Howard E May 19 '21 at 12:24
  • ```echo $fields['3'];``` returns NULL. But ```echo $factype;``` prints ```7``` So the variable is has a value but it doesn't seem to work inside the array. Nothing happens either when I remove the quotes and concatenation. Empty value is sent to db. – Danstan Ongubo May 19 '21 at 12:40
  • [Not reproducible](https://3v4l.org/kAl57). – El_Vanja May 19 '21 at 13:00
  • 2
    **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman May 19 '21 at 13:00
  • This is the html code I removed because I no longer want the user selecting anything, I need the variable to define the value. `````` Wondering whether removing HTML code which indicates the column name ```input_value``` could be the issue? – Danstan Ongubo May 19 '21 at 13:01
  • 2
    You're not actually inserting `$fac_id` into the database at all. What your `$fields` array does is determine which `$_POST` value to use for each insert. So if you set `$fields['3']` to `7` then it will try to run `$inputvalue = $_POST[$inputValueKey][$i]` using that value - e.g. if `$i` is `0` then it will try to read from `$inputvalue = $_POST[7][0]`. So a) I doubt you have a $_POST field called 7, and b) it's not removing the process of reading from user input. – ADyson May 19 '21 at 13:02
  • 2
    This really ought to give you an "Undefined offset" notice. Do you have error reporting turned on? Do you check your error log or display errors while developing? – El_Vanja May 19 '21 at 13:04
  • BTW that HTML in your comment makes no sense.... A ` – ADyson May 19 '21 at 13:04
  • I changed $_POST[$inputValueKey][$i]; to $inputValueKey[$i]; and data is inserted but I have created another issue. It's splitting characters into each row but it now enters the value as required. – Danstan Ongubo May 19 '21 at 13:12
  • `$inputValueKey` is a string. – El_Vanja May 19 '21 at 13:14
  • Changing ```$_POST[$inputValueKey][$i]``` to ```$inputValueKey[$i]``` solves the issue but I still need the POST because I have fields that require input. So the rest of the fields no longer work and instead characters are sent to db. – Danstan Ongubo May 19 '21 at 13:20

1 Answers1

1

You're not actually inserting $fac_id into the database at all. What your $fields array does is determine which $_POST value to use for each insert.

So if you set $fields['3'] to 7 then it will try to run $inputvalue = $_POST[$inputValueKey][$i] using that value - e.g. if $i is 0 then it will try to read from $inputvalue = $_POST[7][0].

However

a) I doubt you have a $_POST field called 7, and

b) it's not removing the process of reading from user input (although it's making it read a value which probably doesn't exist).

I suspect something like the following would work - you perhaps need a special case for when you want it to read from the fixed server-side value instead of the user input. Note the hard-coded entry for $fields[3] and also the ternary operator on the $inputvalue = line to implement the special case. Also there's no need to re-define $fields repeatedly with the same values, so I've moved it out of the loop.

$current_user = wp_get_current_user();
$fac_id = get_current_user_id();
$fields = [
      1 => 'shifttype',
      2 => 'shiftstype',
      3 => 'userID',
      4 => 'cvd',
      7 => 'facname',
      8 => 'facadd',
];

for ($i = 0; $i < count($_POST["service"]); $i++) {

    foreach ($fields as $formInputId => $inputValueKey) {
        $d_id = '';
        $appointmentid = $insertId;
        $customerid = $custs->id;
        $forminputid = $formInputId;
        $inputvalue = ($inputValueKey == "userID" ? $fac_id : $_POST[$inputValueKey][$i]);
        $inputfilename = 'NULL';

P.S. You should also fix the SQL injection vulnerability in your code urgently, as mentioned in the comments.

ADyson
  • 57,178
  • 14
  • 51
  • 63