I'm getting null values after I run the DBEscape($data) function that is for SQL injection protection. Can someone help?
My inputs are all multiple arrays, ex: name="quote[][dt_flight]", name="quote[][acft]", etc.
Method is POST.
function DBEscape($data){
$link = DBConect();
if(!is_array($data)){
$data = mysqli_real_escape_string($link,$data);
}
else {
$arr = $data;
foreach ($arr as $key => $value){
$key = mysqli_real_escape_string($link, $key);
$value = mysqli_real_escape_string($link, $value);
$data[$key] = $value;
}
}
DBClose($link);
return $data;
}
function DBCreate($table, array $data, $insertId = false){
$table = DB_PREFIX.'_'.$table;
$data = DBEscape($data);
var_dump($data);
$fields = implode(", ", array_keys($data));
$values = "'".implode("', '", $data)."'";
$query = "INSERT INTO {$table} ({$fields}) VALUES ({$values});";
var_dump($query);
return DBExecute($query, $insertId);
}
if(isset($_POST["quote"]) && is_array($_POST["quote"])){
foreach($_POST["quote"]["dt_flight"] as $key => $text_field){
$last_id = DBCreate('quote',$_POST['quote'],true);
$i++;
}
}
The connection works since it is inserting the rows into the tables. I used vardump before and after the DBEscape to figure out that it is deleting the values, the keys are fine.
PS: The proposed answer is for a single variable not an array.
As you can see in your var_dump-result, the data you sent to DBCreate and thus to DBEscape looks like
array(
'dt_flight' => array(0 => '2018-06-13'),
'acft' => array(0 => 'VQ-BFD',
// and so on
)
Therfore the data you sent to
// $value = array(0 => '2018-06-13') here
$value = mysqli_real_escape_string($link, $value);
And well, mysqli_real_escape_string doesn't like arrays very much, thus will return NULL and thus inserting empty data in your table.
You most likely want to resolve this error within your foreach($_POST["quote"]["dt_flight"]) loop, since I suppose you sent multiple flight-data:
foreach($_POST["quote"]["dt_flight"] as $key => $text_field) {
// $key would be 0, for $_POST["quote"]["dt_flight"][0] = '2018-06-13'
$keyData = [];
foreach($_POST["quote"] as $field => $allFieldValues) {
// Walk over every field, and add the value for the same $key
if (is_array($data) && isset($allFieldValues[$key])) {
// Would add for example $keyData['acft'] = $_POST['quote']['acft'][0] = 'VQ-BFD';
$keyData[$field] = $allFieldValues[$key];
}
}
var_dump($keyData);
// Would look like array(
// 'dt-flight' => '2018-06-13',
// 'acft' => 'VQ-BFD',
// and so on
// )
$last_id = DBCreate('quote',$keyData,true);
$i++;
}
Although this is not part of your question, I really suggest you also take care of my comment on your question about mysqli_real_escape_string not being a safe way to escape column-names (or table-names and so on). For example with following solution:
function DBCreate($table, array $data, $insertId = false) {
// For each table the known columns
$columns = array( 'quote' => array('dt_flight', 'acft', '...') );
// Verify valid table given
if (!isset($columns[$table])) {
throw new InvalidArgumentException('No such table: ' . $table);
}
// Remove everything from data where the key is not in $columns[$table]
// = Remove everything where the column-name is non-existing or even an attempt to hack your system
$data = array_intersect_key($data, array_fill_keys($columns[$table], null));
if (!count($data)) {
throw new InvalidArgumentException('No (valid) data given at all');
}
// Next, continue with your implementation
}
Related
I need help to optimize the data processing for a form i built.
The datas are send using a ajax script on the form page to a processing page.
And here is the code:
include('pdo-connect.php'); // This file only contains the connection to my database
$html = htmlspecialchars($_POST['HTML']);
$css = htmlspecialchars($_POST['CSS']);
$javascript = htmlspecialchars($_POST['JAVASCRIPT']);
$php = htmlspecialchars($_POST['PHP']);
$ajax = htmlspecialchars($_POST['AJAX']);
$jquery = htmlspecialchars($_POST['JQUERY']);
$responsive = htmlspecialchars($_POST['RESPONSIVE']);
$sql = htmlspecialchars($_POST['SQL']);
$composer = htmlspecialchars($_POST['COMPOSER']);
$symfony = htmlspecialchars($_POST['SYMFONY']);
$doctrine = htmlspecialchars($_POST['DOCTRINE']);
$twig = htmlspecialchars($_POST['TWIG']);
$agile = htmlspecialchars($_POST['AGILE']);
$git = htmlspecialchars($_POST['GIT']);
$python = htmlspecialchars($_POST['PYTHON']);
$seo = htmlspecialchars($_POST['SEO']);
$rgpd = htmlspecialchars($_POST['RGPD']);
$user = htmlspecialchars($_POST['USER']);
$matieres = array(
1 => $html,
$css,
$javascript,
$php,
$ajax,
$jquery,
$responsive,
$sql,
$composer,
$symfony,
$doctrine,
$twig,
$agile,
$git,
$python,
$seo,
$rgpd
);
$insert = $bdd->prepare('INSERT INTO Resultats(ID_USER, ID_MATIERE, RESULTAT) VALUES (:user, :matiere, :resultat)');
foreach($matieres as $key => $value) {
$insert->bindParam(':user', $user);
$insert->bindParam(':matiere', $key);
$insert->bindParam(':resultat', $value);
$insert->execute();
}
$feedback = "Your results have been added";
if(isset($feedback) && !empty($feedback)) {
echo $feedback;
}
First, i want to get rid of all the declared variable who contains all the $_POST data.
I need to automate all the variable getting the $_post data so if i add another row in my table i'll not have to add another variable here
I want to build a function that will do the job for me but i don't know how to proceed since everything i tried didn't work.
Every name of the input i need to store have the same name than the row['Name'] in one of my table in my database.
So i think we can do a simple SQL query but i don't succeed to make it work like that.
( i tried to build a foreach function with $_POST too but it didn't work neither )
And then, once this is done, i need to store the variables containing the user inputs in a array, like i did above
note:
The sql query i was talking about is this one:
$q = $bdd->query('SELECT Nom FROM Matieres WHERE Active = 1');
while($infos = $q->fetch()) {
echo $infos['Nom'];
}
the foreach kind of works. But when i try to get the key and value into a array things starts to get complicated:
$matieres = array();
foreach($_POST as $key => $value) {
$matieres = array(
$key => $value
);
}
var_dump($matieres); // print only one key and one value
print_r($matieres); // same here
print($matieres); // only print the keyword "array"
Meanwhile if i echo the key and the value of each $post in my for each without putting them in a array, i can get every input of the user...
i have found something maybe !
$matieres = array();
foreach($_POST as $key => $value) {
array_push($matieres, $value, $key);
}
print_r($matieres); // print an array containing the name of all of the input and the value the user put in it but they all have their own keys ... :(
Finally i managed to make my code work !
<?php
include('pdo-connect.php');
$results = array();
foreach($_POST as $key => $value) {
array_push($results, $value);
}
$results = array_combine(range(1, count($results)), array_values($results));
array_pop($results);
$user = $_POST['USER'];
$insert = $bdd->prepare('INSERT INTO Resultats(ID_USER, ID_MATIERE, RESULTAT) VALUES (:user, :matiere, :resultat)');
foreach($results as $key => $value) {
$insert->bindParam(':user', $user);
$insert->bindParam(':matiere', $key);
$insert->bindParam(':resultat', $value);
$insert->execute();
}
$feedback = "Votre auto-évaluation a bien été envoyé ! Vous allez
maintenant être redirigé vers l'accueil.";
if(isset($feedback) && !empty($feedback)) {
echo $feedback;
}
?>
Regarding the assignment:
<?php
$inputs = ['HTML', 'CSS', 'JAVASCRIPT'];
$dirty = [];
foreach($inputs as $input) {
$dirty[strtolower($input)] = $_POST[$input] ?? '';
}
And then later, you can use named placeholders and just execute the statement with your given array.
$stmt = $pdo->prepare("INSERT INTO foo (html, css, javascript) VALUES (:html, :css, :javascript)");
$stmt->execute($dirty);
public function add_employee($input)
{
$key_array = null;
$value_array = null;
$bind_array = null;
foreach ($input as $column => $value) {
if ($value) {
#$bind_array => ?, ?, ?;
#$value_array => [$value1, $value2, $value3];
#$key_array => column1, column2, column3;
}
}
$sql = "INSERT INTO ol_employee ($key_array) VALUES ($bind_array)";
$this->db->query($sql, $value_array);
}
Refer to comment in the function, how to achieve that output?
the idea is, from the input POST i get which over 27 fields, i just want to fill in into the $sql query i prepared as you can see. I don't think writing each table column manually is a good way.
im using Codeigniter 4 php framework + postgresql.
According to CodeIgniter 4 documentation, you can do this inside your loop for each employee:
$data = [
'title' => $title,
'name' => $name,
'date' => $date
];
$db->table('mytable')->insert($data);
You can use array and implode function first make array of key_array, value_array and bind_array then use implode() and use in sql like following
public function add_employee($input)
{
$key_array = array();
$value_array = array();
$bind_array = array();
foreach ($input as $column => $value) {
if ($value) {
$bind_array[] = '?';
$value_array[] = $value;
$key_array[] = $column;
}
}
$binds = implode(",",$bind_array);
$keys = implode(",",$key_array);
$values = implode(",",$value_array);
$sql = "INSERT INTO ol_employee ($keys) VALUES ($binds)";
$this->db->query($sql,$values);
}
by the insight of Alex Granados, this is the query i use:
public function add_employee($input)
{
foreach ($input as $column => $value) {
if ($value) {
$data[$column] = $value;
}
}
$this->db->table('ol_employee')->insert($data);
}
this will eliminate null field and regardless how many field, still working good.
as long the input name field from form is same as db column. Else, need to do some changes on that.
Thanks guys.
I have a function that should be updating a row, no errors what so ever in the logs. From what I see it should be working. I took the function from a update user function and tried to mimic it for the new feature.
Here is the data array posting to it.
$data = array('id' => $vid, 'name' => $vname, 'logo' => $vlogo, 'info' => $vinfo, 'site' => $vsite, 'est' => $vest);
The post works, I am doing a dump on the updatecompany page. So they do get set. I think it may be with the function. Any insight would be wonderful!
public static function updateCompany($toUpdate = array(), $company = null){
self::construct();
if( is_array($toUpdate) && !isset($toUpdate['id']) ){
if($company == null){
echo "No company ID set!";
}
$columns = "";
foreach($toUpdate as $k => $v){
$columns .= "`$k` = :$k, ";
}
$sql = self::$dbh->prepare("UPDATE companys SET {$columns} WHERE `id` = :id");
$sql->bindValue(":id", $company);
foreach($toUpdate as $key => $value){
$value = htmlspecialchars($value);
$sql->bindValue(":$key", $value);
}
$sql->execute();
}else{
return false;
}
}
$vid = $_POST["idnum"];
$vname = $_POST["name"];
$vlogo = $_POST["logo"];
$vinfo = $_POST["info"];
$vsite = $_POST["site"];
$vest = $_POST["est"];
I would maybe try using the bind array into your execute() method since you are just binding the values (I assume this is PDO). Another feature is to use an array to assemble the column portions and implode at the time of use.
public static function updateCompany($toUpdate = array(), $company = null)
{
# Also this may supposed to be: self::__construct(); ?? Notice the "__" before "construct"
self::construct();
if(is_array($toUpdate) && !isset($toUpdate['id'])) {
if(empty($company)){
# Throw exception, catch it in a parent wrapper
throw new \Exception("No company ID set!");
# Stop, no sense in continuing if an important part is missing
return;
}
foreach($toUpdate as $k => $v){
$bKey = ":{$k}";
# I would create a bind array here
$bind[$bKey] = $value;
# I generally save to an array here to implode later
$columns[] = "`{$k}` = {$bKey}";
}
# Add the id here
$bind[":id"] = $company;
# I would use a try here for troubleshooting PDO errors
try {
# Create sql with imploded columns
$sql = self::$dbh->prepare("UPDATE companys SET ".implode(",",$columns)." WHERE `id` = :id");
# Throw the bind array into the execute here
$sql->execute($bind);
}
catch(\PDOException $e) {
# I would only die here to see if there are any errors for troubleshooting purposes
die($e->getMessage());
}
} else {
return false;
}
}
Your update SQL could not work because you have comma in update value set.
See, you attached comma without any consideration:
$columns = "";
foreach($toUpdate as $k => $v){
$columns .= "`$k` = :$k, ";
}
Then the final SQL will look something like this:
UPDATE companys SET `name`=:name, `logo`=:logo, WHERE `id`=:id
Do you notice the comma just before WHERE? it should not be there!
So you should update the code like following:
$columns = "";
foreach($toUpdate as $k => $v){
if ($columns != "") $columns .= ",";
$columns .= "`$k` = :$k ";
}
This should be working.
or to no need to be aware of last comma try this:
$columns = array();
foreach($toUpdate as $k => $v){
$columns[] = "`$k` = :$k";
}
$sql = self::$dbh->prepare("UPDATE `companys` SET ".implode(',', $columns)." WHERE `id` = :id");
I have a PHP array of the column names in my SQL table. I also have an array of the values I want to assign to these columns. How do I put this in an SQL query. At present im writing out each column title like so:
$query = "INSERT INTO `first_page_data`(`a`, `b`, `c`, `d`, `e`, `f`, `g`, `h`)
VALUES ('$1','$2','$3','$4','$5','$6','$7','$8')";
But there must be a way of just using the arrays?
As an extra, is there a way of defining key/value pairs to keep the two pairs of data together, and then using these to insert into the database? how is this formatted in the SQL query?
Here's another similar solution.
Code:
<?php
function mysql_insert_array($table, $data, $exclude = array()) {
$fields = $values = array();
if( !is_array($exclude) ) $exclude = array($exclude);
foreach( array_keys($data) as $key ) {
if( !in_array($key, $exclude) ) {
$fields[] = "`$key`";
$values[] = "'" . mysql_real_escape_string($data[$key]) . "'";
}
}
$fields = implode(",", $fields);
$values = implode(",", $values);
if( mysql_query("INSERT INTO `$table` ($fields) VALUES ($values)") ) {
return array( "mysql_error" => false,
"mysql_insert_id" => mysql_insert_id(),
"mysql_affected_rows" => mysql_affected_rows(),
"mysql_info" => mysql_info()
);
} else {
return array( "mysql_error" => mysql_error() );
}
}
?>
Example usage:
<?php
// Open database here
// Let's pretend these values were passed by a form
$_POST['name'] = "Bob Marley";
$_POST['country'] = "Jamaica";
$_POST['music'] = "Reggae";
$_POST['submit'] = "Submit";
// Insert all the values of $_POST into the database table `artists`, except
// for $_POST['submit']. Remember, field names are determined by array keys!
$result = mysql_insert_array("artists", $_POST, "submit");
// Results
if( $result['mysql_error'] ) {
echo "Query Failed: " . $result['mysql_error'];
} else {
echo "Query Succeeded! <br />";
echo "<pre>";
print_r($result);
echo "</pre>";
}
// Close database
?>
Source: Inserting An Array into a MySQL Database Table
//Insert ( var , Array )
function insert($table, $inserts) {
$values = array_map('mysql_real_escape_string', array_values($inserts));
$keys = array_keys($inserts);
return mysql_query('INSERT INTO `'.$table.'` (`'.implode('`,`', $keys).'`) VALUES (\''.implode('\',\'', $values).'\')');
}
/* Samples
insert('first_page_data', array(
'a' => 'Just Persian Gulf',
'b' => 'DB9',
'c' => '2009'
));
*/
it's good And Rapid!
Using PHP:
Getting your values into an array as $key => $value depends on the situation, but manually it would happen like so:
$array = array(`a` => '$1',`b` => '$2', ...and so on); //I am assuming that $ is not a variable indicator since it is inside single quotes.
There are a variety of array functions that can help you if you have existing arrays that you would rather manipulate to create the final array.
Once you have it, however:
$query = 'INSTERT INTO `first_page_data` (';
foreach ($array as $key => $value) {
$query .= '`' . $key . '`';
}
$query .= ') VALUES (';
foreach ($array as $value) {
$query .= '`' . $value . '`';
}
$query .= ')';
The code runs a foreach on the array twice, once to get the key and append it to the appropriate part of the string, and the other to add the corresponding values.
Try serialize() before the INSERT and unserialize() to get the array after a SELECT.
You need only one field to insert all the data.
http://ca1.php.net/manual/fr/function.serialize.php
http://ca1.php.net/manual/fr/function.unserialize.php
# Insert this array
$arr = array("sounds" => "one", "sound" => "two", "big" => "blue");
function addQuotes($str){
return "'$str'";
}
# Surround values by quotes
foreach ($arr as $key => &$value) {
$value = addQuotes($value);
}
# Build the column
$columns = implode(",", array_keys($arr));
# Build the values
$values = implode(",", array_values($arr));
# Build the insert query
$query = "INSERT INTO table (".$columns.") VALUES (".$values.")";
echo $query;
// returns
INSERT INTO table (sounds,sound,big) VALUES ('one','two','blue')
At the moment my code looks like this:
# Assign values for saving to the db
$data = array(
'table_of_contents' => $_POST['table_of_contents'],
'length' => $_POST['length']
);
# Check for fields that may not be set
if ( isset($_POST['lossless_copy']) )
{
$data = array(
'lossless_copy' => $_POST['lossless_copy']
);
}
// etc.
This would lead to endless if statements though... Even with the ternary syntax it's still messy. Is there a better way?
How about this:
// this is an array of default values for the fields that could be in the POST
$defaultValues = array(
'table_of_contents' => '',
'length' => 25,
'lossless_copy' => false,
);
$data = array_merge($defaultValues, $_POST);
// $data is now the post with all the keys set
array_merge() will merge the values, having the later values override the previous ones.
If you don't want to trust array_merge() then you can do a foreach() loop.
You could build an array of optional fields:
$optional = array('lossless_copy', 'bossless_floppy', 'foo');
foreach ($optional as $field) {
if (isset($_POST[$field])) {
$data[$field] = $_POST[$field];
}
}
foreach ($_POST as $key => $value) {
$data[$key] = $value;
}
remember to sanitize your $_POST values!
edit: if you're looking to match up optional $_POST values with fields that may or may not exist in your table, you could do something like this (i'm assuming you're using mysql):
$fields = array();
$table = 'Current_Table';
// we are not using mysql_list_fields() as it is deprecated
$query = "SHOW COLUMNS from {$table}";
$result = mysql_query($query);
while ($get = mysql_fetch_object($result) ) {
$fields[] = $get->Field;
}
foreach($fields as $field) {
if (isset($_POST[$field]) ) {
$data[$field] = $_POST[$field];
}
}
$formfields = $_POST;
$data = array();
foreach(array_keys($formfields) as $fieldname){
$data[$fieldname] = $_POST[$fieldname];
}
This will add all fields that are returned including submit. If you need to know if a checkbox has not been checked, you're going to have to use code like you posted. If you only care about checkboxes that are checked, you can use the above code.
This would probably not work for multiple formfields using the same name, like radio buttons.
EDIT: Use Owen's code, it's cleaner, mine is a more verbose version of the same thing.