I thought I would edit my question as by the comment it seems this is a very insecure way of doing what I am trying to achieve.
What I want to do is allow the user to import a .csv file but I want them to be able to set the fields they import.
Is there a way of doing this apart from the way I tried to demonstrate in my original question?
Thank you
Daniel
This problem I am having has been driving me mad for weeks now, everything I try that to me should work fails.
Basically I have a database with a bunch of fields in.
In one of my pages I have the following code
$result = mysql_query("SHOW FIELDS FROM my_database.products");
while ($row = mysql_fetch_array($result)) {
$field = $row['Field'];
if ($field == 'product_id' || $field == 'product_name' || $field == 'product_description' || $field == 'product_slug' || $field == 'product_layout') {
} else {
echo '<label class="label_small">'.$field.'</label>
<input type="text" name="'.$field.'" id="input_text_small" />';
}
}
This then echos a list of fields that have the label of the database fields and also includes the database field in the name of the text box.
I then post the results with the following code
$result = mysql_query("SHOW FIELDS FROM affilifeed_1000.products");
$i = 0;
while ($row = mysql_fetch_array($result)) {
$field = $row['Field'];
if ($field == 'product_name' || $field == 'product_description' || $field == 'product_slug' || $field == 'product_layout') {
} else {
$input_field = $field;
$output_field = mysql_real_escape_string($_POST[''.$field.'']);
}
if ($errorcount == 0) {
$insert = "INSERT INTO my_database.products ($input_field)
VALUES ('$output_field')";
$result_insert = mysql_query($insert) or die ("<br>Error in database<b> ".mysql_error()."</b><br>$result_insert");
}
}
if ($result_insert) {
echo '<div class="notification_success">Well done you have sucessfully created your product, you can view it by clicking here</div>';
} else {
echo '<div class="notification_fail">There was a problem creating your product, please try again later...</div>';
}
It posts successfully but the problem is that it creates a new "row" for every insert.
For example in row 1 it will post the first value and then the rest will be empty, in row 2 it will post the second value but the rest will be empty, row 3 the third value and so on...
I have tried many many many things to get this working and have researched the foreach loop which I haven't been familiar with before, binding the variable, imploding, exploding but none of them seem to do the trick.
I can kind of understand why it is doing it as it is wrapped in the while loop but if I put it outside of this it only inserts the last value.
Can anyone shed any light as to why this is happening?
If you need any more info please let me know.
Thank you
Daniel
You're treating each field you're displaying as its own record to be inserted. Since you're trying to create a SINGLE record with MULTIPLE fields, you need to build the query dynamically, e.g.
foreach ($_POST as $key => $value) {
    $fields[] = mysql_real_escape_string($key);
    $values[] = "'" . mysql_real_escape_string($value) . "'";
} // build arrays of the form's field/value pairs
$field_str = implode(',', $fields); // turn those arrays into comma-separated strings
$values_str = implode(',', $values);
$sql = "INSERT INTO yourtable ($field_str) VALUES ($values_str)";
// insert those strings into the query
$result = mysql_query($sql) or die(mysql_error());
which will give you
INSERT INTO yourtable (field1, field2, ...) VALUES ('value1', 'value2', ...)
Note that I'm using the mysql library here, but you should avoid it. It's deprecated and obsolete. Consider switching to PDO or mysqli before you build any more code that could be totally useless in short order.
On a security basis, you should not be passing the field values directly through the database. Consider the case where you might be doing a user permissions management system. You probably wouldn't want to expose a "is_superuser" field, but your form would allow anyone to give themselves superuser privileges by hacking up their html form and putting a new field saying is_superuser=yes.
This kind of code is downright dangerous, and you should not be using it in a production system, no matter how much sql injection protection you build into it.
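The point about a forged is_superuser field, as an added example that is not part of the original answers: column names come only from a server-side map, and submitted values are only ever bound through PDO. The accounts table, the ACCOUNT_COLUMNS map, the buildInsert() helper and the sample request are assumptions made up for this demo, which runs against an in-memory SQLite database.

```php
<?php
// Added example; table, column and helper names are assumptions for the demo.

// Form field name => real column name. A column that is not listed here
// (is_superuser, for instance) can never be written through the form.
const ACCOUNT_COLUMNS = [
    'name'  => 'display_name',
    'email' => 'email',
];

/**
 * Build one INSERT for one row.
 * $table and $map are fixed in code; request data is only used as bound values.
 */
function buildInsert(string $table, array $map, array $input): array
{
    $columns = [];
    $params  = [];
    foreach ($map as $formField => $column) {
        // Skip missing fields and arrays smuggled in via name="email[]".
        if (!isset($input[$formField]) || !is_scalar($input[$formField])) {
            continue;
        }
        $columns[] = $column;
        $params[':' . $column] = (string) $input[$formField];
    }
    if ($columns === []) {
        throw new InvalidArgumentException('no permitted fields submitted');
    }
    $sql = sprintf(
        'INSERT INTO %s (%s) VALUES (%s)',
        $table,
        implode(', ', $columns),
        implode(', ', array_keys($params))
    );
    return [$sql, $params];
}

// Constructed request: two legitimate fields, one value containing a quote,
// and one forged field that names a real column.
$post = [
    'name'         => "Dan O'Neil",
    'email'        => 'dan@example.test',
    'is_superuser' => 'yes',
];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE accounts (
    id INTEGER PRIMARY KEY,
    display_name TEXT,
    email TEXT,
    is_superuser TEXT DEFAULT 'no'
)");

[$sql, $params] = buildInsert('accounts', ACCOUNT_COLUMNS, $post);
$db->prepare($sql)->execute($params);

// The statement lists only mapped columns; the stored row keeps the default
// for is_superuser and the quote in the name is stored as data.
echo $sql, "\n";
print_r($db->query('SELECT * FROM accounts')->fetch(PDO::FETCH_ASSOC));
```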
Alright....I can't say that I know exactly what's going on but let's try this...
First off....
$result = mysql_query("SHOW FIELDS FROM my_database.products");
$hideArray = array("product_id","product_name","product_description", "product_slug","product_layout");
while ($row = mysql_fetch_array($result)) {
    $field = $row['Field']; // column name reported by SHOW FIELDS
    if (!in_array($field, $hideArray)){
        echo '<label class="label_small">'.$field.'</label>
<input type="text" name="'.$field.'" id="input_text_small" />';
    }
}
Now, why you would want to post this data makes no sense to me but I am going to ignore that.....what's really strange is you aren't even using the post data...maybe I'm not getting something....I would recommend using a db wrapper class...that way you can just throw the post var in....i.e. $db->insert($_POST) ....but if you are doing it the long way...
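$fields = "";
$values = "";
$query = "INSERT INTO table ";
foreach ($_POST as $key => $data){
    // quote and escape each value so the statement is valid SQL
    $values .= "'".mysql_real_escape_string($data)."',";
    // note: $key still comes from the request; restrict it to known column names
    $fields .= $key.",";
}
// substr() returns the trimmed string, so assign the result back
$values = substr($values, 0, -1);
$fields = substr($fields, 0, -1);
$query .= "(".$fields.") VALUES (".$values.");";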
This is untested....you can also look into http://php.net/manual/en/function.implode.php so you don't have to do the loop.
Basically you don't seem to understand what is going on in your script...if you echo the sql statements you can get a better idea of what's going on....learn what is happening with your code and then try to understand what the correct approach is. Don't just copy and paste my code.
I'm trying get some information via $_POST in PHP, basically at the moment i'm using this:
$item_name1 = $_POST['item_name1'];
$item_name2 = $_POST['item_name2'];
$item_name3 = $_POST['item_name3'];
$item_name4 = $_POST['item_name4'];
I want to insert each of the item names in a table field with mysql so i'm trying to experiment with the while php loop so i don't have lots of $item_name variables:
$number_of_items = $_POST['num_cart_items'];
$i=1;
while($i<=$number_of_items)
{
$test = $_POST['item_name'. $i''];
$i++;
}
The above code fails, it's pretty tricky to explain but the code should find all the item_name $_POST and make it as a variable for mysql insertion.
The $_POST['num_cart_items'] is the total number of items.
The code is for a PayPal IPN listener for a shopping cart that is underway.
Help appreciated.
EDIT:
I have this further up the document which i just realised:
$req = 'cmd=_notify-validate';
foreach ($_POST as $key => $value) {
$value = urlencode(stripslashes($value));
$req .= "&$key=$value";
}
How can i insert $_POST['item_name1'], $_POST['item_name2'] as a variable for mysql insertion?
Your loop is effectively overriding the $test variable on each iteration:
$test = $_POST['item_name'. $i''];
If you want to put them in an array, change to $test[]. Also it contains the parse error as mentioned by brian_d.
It sounds a little scary to have a variable num_cart_items that is sent with the form. Are you setting it with JavaScript? The user can manipulate it. You should not rely on it. I believe what you need is to make the form fields as:
<input type="text" name="item_name[]" />
Note the square brackets at the end of the name. This will create an array in the $_POST array: $_POST['item_name'] will contain the names of all the items.
Then, how is your DB structured? I guess you want to insert them in one query as:
INSERT INTO ORDERS VALUES (item_name_1, ...), (item_name_2, ...)
If so you can make a string out of the array:
$query = 'INSERT INTO ORDERS VALUES ';
foreach($_POST['item_name'] as $item_name){
$query .= '('.stripslashes($item_name). /*put other column values*/ '),';
}
$query = rtrim($query, ',');
Note that the use of addslashes is not enough to protect you from SQL injection.
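An added example, not from the original answers, of inserting every submitted item_name[] entry in one statement without trusting a client-sent counter such as num_cart_items: the row count comes from the array itself, is capped, and every value is bound. The order_items table, its columns, the buildItemInsert() helper and the 50-item cap are assumptions made up for this demo, which runs against an in-memory SQLite database.

```php
<?php
// Added example; table, columns, helper name and cap are assumptions.

/**
 * Build one multi-row INSERT for the submitted item names.
 * The number of rows is taken from the data, never from a posted counter.
 */
function buildItemInsert(int $orderId, $itemNames, int $maxItems = 50): array
{
    if (!is_array($itemNames)) {
        throw new InvalidArgumentException('item_name must be sent as item_name[]');
    }
    $rows   = [];
    $params = [];
    foreach ($itemNames as $name) {
        if (!is_string($name) || trim($name) === '') {
            continue; // skip nested arrays and blank inputs
        }
        if (count($rows) >= $maxItems) {
            throw new LengthException('too many items in one request');
        }
        $rows[]   = '(?, ?)';   // one placeholder group per row
        $params[] = $orderId;
        $params[] = trim($name);
    }
    if ($rows === []) {
        throw new InvalidArgumentException('no usable item names');
    }
    $sql = 'INSERT INTO order_items (order_id, item_name) VALUES '
         . implode(', ', $rows);
    return [$sql, $params];
}

// Constructed request body: the counter disagrees with the data on purpose,
// and the array carries a blank entry and a nested array.
$post = [
    'num_cart_items' => '999',
    'item_name'      => ['Blue mug', "O'Reilly book", '', ['nested']],
];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE order_items (order_id INTEGER, item_name TEXT)');

[$sql, $params] = buildItemInsert(1001, $post['item_name'] ?? null);
$db->prepare($sql)->execute($params);

// Two rows are stored; num_cart_items played no part in deciding that.
echo $sql, "\n";
print_r(
    $db->query('SELECT order_id, item_name FROM order_items')
       ->fetchAll(PDO::FETCH_ASSOC)
);
```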
$test = $_POST['item_name'. $i'']; is a syntax error.
remove the end '' so it becomes:
$test = $_POST['item_name'. $i];
EDIT:
Thank you so much for your answers, you really amaze me with so much wisdom :)
I am trying to rely on TuteC's code a bit changed, but can't figure how to make it work properly:
$valor = $_POST['valor'];
$post_vars = array('iphone3g1', 'iphone3g2', 'nome', 'iphone41', 'postal', 'apelido');
foreach($post_vars as $var) {
$$var = "'" . mysql_real_escape_string($_POST[$var]). "', ";
}
$sql = "INSERT INTO clientes (iphone3g1, iphone3g2, nome, iphone41, postal, apelido, valor) VALUES ($$var '$valor')";
$query= mysql_query($sql);
I know there's a bit of cheating on the code, i would need to use substring so the $$var wouldn't output a "," at the end where i need the values, instead i tried to insert a variable that is a value ($valor = $_POST['valor'];)
What is going wrong?
And for the others who tried to help me, thank you very much, i am learning so much with you here at stackoverflow.
I have a form with several field values, when trying to write a php file that reads those values it came out a monstrosity:
$codigounico= md5(uniqid(rand()));
$modelo=$_POST['selectName'];
$serial=$_POST['serial'];
$nif=$_POST['nif'];
$iphone3g1=$_POST['iphone3g1'];
$iphone3g2=$_POST['iphone3g2'];
$iphone3g3=$_POST['iphone3g3'];
$iphone3g4=$_POST['iphone3g4'];
$iphone3gs1=$_POST['iphone3gs1'];
$iphone3gs2=$_POST['iphone3gs2'];
$iphone3gs3=$_POST['iphone3gs3'];
$iphone3gs4=$_POST['iphone3gs4'];
$iphone41=$_POST['iphone41'];
$iphone42=$_POST['iphone42'];
$iphone43=$_POST['iphone43'];
$iphone44=$_POST['iphone44'];
$total=$_POST['total'];
$valor=$_POST['valor'];
$nome=$_POST['nome'];
$apelido=$_POST['apelido'];
$postal=$_POST['postal'];
$morada=$_POST['morada'];
$notas=$_POST['notas'];
$sql="INSERT INTO clientes (postal, morada, nome, apelido, name, serial, iphone3g1, iphone3g2, iphone3g3, iphone3g4, total, valor, iphone3gs1, iphone3gs2, iphone3gs3, iphone3gs4, iphone41, iphone42, iphone43, iphone44, nif, codigounico, Notas)VALUES('$postal', '$morada', '$nome', '$apelido', '$modelo', '$serial', '$iphone3g1', '$iphone3g2', '$iphone3g3', '$iphone3g4', '$total', '$valor', '$iphone3gs1', '$iphone3gs2', '$iphone3gs3', '$iphone3gs4', '$iphone41', '$iphone42', '$iphone43', '$iphone44', '$nif', '$codigounico', '$notas')";
$result=mysql_query($sql);
This is a very difficult code to maintain,
can I make my life easier?
To restrict which POST variables you "import", you can do something like:
$post_vars = array('iphone3g1', 'iphone3g2', '...');
foreach($post_vars as $var) {
$$var = mysql_real_escape_string($_POST[$var]);
}
EDIT: Changed addslashes by mysql_real_escape_string (thanks #Czechnology).
The issue I see is repetition of the same names four times over. This is how I would reduce it to two occurrences (you could drop it to one with more finagling).
$sql = 'INSERT INTO clientes (postal, morada, nome, apelido, name, serial, iphone3g1, iphone3g2, iphone3g3, iphone3g4, total, valor, iphone3gs1, iphone3gs2, iphone3gs3, iphone3gs4, iphone41, iphone42, iphone43, iphone44, nif, codigounico, Notas) VALUES(:postal, :morada, :nome, :apelido, :modelo, :serial, :iphone3g1, :iphone3g2, :iphone3g3, :iphone3g4, :total, :valor, :iphone3gs1, :iphone3gs2, :iphone3gs3, :iphone3gs4, :iphone41, :iphone42, :iphone43, :iphone44, :nif, :codigounico, :notas)';
preg_match_all('/:(\w+)/', $sql, $inputKeys);
$tokens = $inputKeys[0];
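$values = array_map(function($k){
    // quote and escape each value before it replaces its :token
    return "'" . mysql_real_escape_string($_POST[$k]) . "'";
}, $inputKeys[1]); // array_map() takes the callback first, then the array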
$sql = str_replace($tokens, $values, $sql);
$result = mysql_query($sql);
Depending on how you want to separate your logic, a reversed approach might be more useful, where you would specify the array of key names and iterate over that to generate the SQL string.
<?php
$inputKeys = array('postal', 'morada', 'nome', 'apelido', 'name', 'serial', 'iphone3g1', 'iphone3g2', 'iphone3g3', 'iphone3g4', 'total', 'valor', 'iphone3gs1', 'iphone3gs2', 'iphone3gs3', 'iphone3gs4', 'iphone41', 'iphone42', 'iphone43', 'iphone44', 'nif', 'codigounico', 'Notas');
$keyList = '(' . implode(',', $inputKeys) . ')';
$valueList = 'VALUES (';
foreach ($inputKeys as $k) {
    // values must be quoted as well as escaped
    $valueList .= "'" . mysql_real_escape_string($_POST[$k]) . "'";
    $valueList .= ',';
}
$valueList = rtrim($valueList, ',');
$valueList .= ')';
$sql = 'INSERT INTO clientes '.$keyList.' '.$valueList;
$result = mysql_query($sql);
This approach drops the occurrences of the keys to one and will probably fit more naturally with your application.
TuteC had a good aim but failed in details.
It makes me wonder why no one has a ready-made solution, but had to devise it on-the-fly. Nobody faced the same problem before?
And why are most people trying to solve only part of the problem, getting variables only?
The goal is not to get variables.
The goal is to get a query. So, get yourself a query.
//quite handy way to define an array, saves you from typing zillion quotes
$fields = explode(" ","postal morada nome apelido name serial iphone3g1 iphone3g2 iphone3g3 iphone3g4 total valor iphone3gs1 iphone3gs2 iphone3gs3 iphone3gs4 iphone41 iphone42 iphone43 iphone44 nif codigounico Notas");
$sql = "INSERT INTO clientes SET ";
foreach ($fields as $field) {
if (isset($_POST[$field])) {
$sql.= "`$field`='".mysql_real_escape_string($_POST[$field])."', ";
}
}
$sql = substr($sql, 0, -2); // drop the trailing ", "
This code will create you a query without boring repeating the same field name many times.
But that's still not all improvements you can make.
A really neat thing is called a function.
function dbSet($fields) {
$set = '';
foreach ($fields as $field) {
if (isset($_POST[$field])) {
$set.="`$field`='".mysql_real_escape_string($_POST[$field])."', ";
}
}
return substr($set, 0, -2);
}
put this function into your code library being included into all your scripts (you have one, don't you?)
and then use it for both insert and update queries:
$_POST['codigounico'] = md5(uniqid(rand()));//a little hack to add custom field(s)
if ($action=="update") {
$id = intval($_POST['id']);
$sql = "UPDATE $table SET ".dbSet($fields)." WHERE id = $id";
}
if ($action=="insert") {
$sql = "INSERT $table SET ".dbSet($fields);
}
So, your code becomes extremely short and reliable and even reusable.
The only thing you have to change to handle another table is $fields array.
It seems your database is not well planned as it contains seemingly repetitive fields (iphone*). You have to normalize your database.
The same approach to use with prepared statements can be found in this my question: Insert/update helper function using PDO
You could use a rather ugly part of PHP called variable variables, but it is generally considered a poor coding practice. You could include your database escaping at the same time. The code would look something like:
foreach($_POST as $key => $value){
$$key = mysql_real_escape_string($value);
}
The variable variables manual section says they do not work with superglobals like $_PATH, but I think it may work in this case. I am not somewhere where I can test right now.
PHP: extract
Be careful though and make sure you clean the data before using it.
$set = array();
$keys = array('forename', 'surname', 'email');
foreach($keys as $val) {
$safe_value = mysqli_escape_string($db, $_POST[$val]);
array_push($set, "$val='$safe_value'");
}
$set_query = implode(',', $set);
Then make your MySQL query something like UPDATE table SET $set_query WHERE... or INSERT INTO table SET $set_query.
If you need to validate, trim, etc, do it before the above code like this:
$_POST["surname"] = trim($_POST["surname"]);
Actually, you could make your life easier by making your code a bit more complicated - escape the input before inserting into the database!
$sql =
"INSERT INTO clientes SET ".
"postal = '" . mysql_real_escape_string($_POST['postal']) . "', ".
"morada = '" . mysql_real_escape_string($_POST['morada']) . "', ".
...
First, I recommend you to create a key-value array like this:
$newClient = array(
'codigounico' => md5(uniqid(rand())),
'postal' => $_POST['postal'],
'modelo' => $_POST['selectName'],
...
);
In this array the key is the column name in your MySQL table.
In the code you've provided not every field is copied right from POST array (some are calculated, and some keys of the POST aren't equal with the tables column names), so you should use a flexible method.
You should still specify all columns and values but only once so code is still maintainable and you won't have any security errors if someone sends you a broken POST. As for me it looks more like configuration than coding.
Then I recommend you to write a function similar to this:
function buildInsertQuery($tableName, $keyValue) {
$result = '';
if (!empty($keyValue)) {
$delimiter = ', ';
$columns = '';
$values = '';
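foreach ($keyValue as $key => $value) {
    $columns .= $key . $delimiter;
    // values must be quoted as well as escaped
    $values .= "'" . mysql_real_escape_string($value) . "'" . $delimiter;
}
// strip the trailing delimiter; PHP's string length function is strlen()
$columns = substr($columns, 0, -strlen($delimiter));
$values = substr($values, 0, -strlen($delimiter));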
$result = 'INSERT INTO `' . $tableName . '` (' . $columns . ') VALUES (' . $values . ')';
}
return $result;
}
And then you can simply build your query with just one function call:
$query = buildInsertQuery('clientes', $newClient);
I have the array $student[]
<?php
$student['id'] = "10402";
$student['hnumber'] = "H030502";
$student['name'] = "Larry Wayne";
print_r($student);
?>
It prints out:
Array ( [id] => 10402 [hnumber] => H030502 [name] => Larry Wayne )
What I want to accomplish is storing values into an array, that will then be inserted into a database table.
So the insert statement would be:
$q = "insert into table (id, hnumber, name) VALUES ('10401', 'H030502', 'Larry Wayne')";
I want to use an array to store all the values into it, labeling each value by their table field name, because it will be about 25 fields I will be inserting data into.
If there is a better way of accomplishing that, I am all ears.
Thanks in advance.
Assuming you are building an array of students from another source, how about something like this?
// data from an external source
$students = array(
// student 1
array(
123,
'h123',
'John Smith',
),
// student 2
array(
456,
'h456',
'Jane Smith',
),
// ... and so on
);
$values = array();
foreach ( $students as $student )
{
    // escape and quote every value before it goes into the query
    $escaped = array_map('mysql_real_escape_string', $student);
    $values[] = sprintf("('%s')", implode("', '", $escaped));
}
// build query
$query = 'INSERT INTO `table` (`id`, `hnumber`, `name`) VALUES '.implode(', ', $values);
Please note, above code is "pseudo" or an idea if you want. Make sure to sanitize the values :)
EDIT: One more thing. Above code is good if you want a simple fix, preferably for some sort of simple data import. Better way is to create a class Student handling all this logic.
I wanted to simply comment on David's example as it's pretty much the same thing I was going to suggest, but I can't add code to comments, unfortunately. One thing David forgot from your original question was that you wanted to use the table fields as part of your array - in this example, as the key fields. In the foreach, you can split the array in to key/value pairs, and then use them later on in your code itself.
<?php
$student['id'] = "10402";
$student['hnumber'] = "H030502";
$student['name'] = "Larry Wayne";
$queryFields = array();
$queryValues = array();
$queryString = '';
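foreach($student as $key => $value){
    $queryFields[] = '`'.$key.'`';
    // quote and escape the value so strings such as names form valid SQL
    $queryValues[] = "'".mysql_real_escape_string($value)."'";
}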
$queryString = 'INSERT INTO `table` ('.implode(',', $queryFields).') VALUES ('.implode(',', $queryValues).')';
//run_query($queryString)
?>
Since I'm not 100% familiar with CodeIgniter, it's very possible that there might be a way to map arrays and/or objects to some sort of ActiveRecord implementation. However, since you're just looking for a way to generate a query string itself, this would do the trick.
i noticed that when posting a form the fields come out as an array.
like if i do
if(isset($_POST['submit'])) {
print_r($_POST);
}
what i usually do for form fields is the following.
lets say i have something like this (this is how i usually do it)
<form method="POST" action="">
<label>First Name: </label>
<input type="text" name="fname">
<label>Last Name: </label>
<input type="text" name="lname">
<label>Phone: </label>
<input type="text" name="phone">
<input type="submit" name="submit" value="submit">
</form>
then i'll have (im excluding field validation to make it look clear)
if(isset($_POST['submit'])) {
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$phone = $_POST['phone'];
mysql_query("insert into table(fname,lname,phone) values('$fname','$lname','$phone')");
header("Location: gosomewhere.php");
}
since the post outputs are in an array format how else can i write this when im dealing with over 100 fields?
how are the big guys doing it out there? or how are you doing it?
edit: the most i've dealt with is around 60 fields. i'm building this cms that takes in a lot of data per form to put together information from a customer.
I don't think I've ever seen anybody "dealing with over 100 fields" in a single form. If that is the case, you may consider a design-change that auto-saves portions of the data along the way. Form data will always submit itself into an array on the server-end, there's no way around this.
If you want to iterate over many fields all at once (suppose you are accepting multiple event-dates in your form), you could use the array-style naming-convention:
<input type="text" name="events[]" />
Once you access this data on the server end, you can iterate over it quickly in a simple loop:
foreach ($_POST["events"] as $event) {
echo $event;
}
I'm sorry if I misunderstood your question.
As Jonathan said, 100 fields in one form is way too much. But you can always build the SQL dynamically.
E.g:
if(isset($_POST['submit'])) {
// allow only entries that are database fields
$allow = array(/*whatever*/);
$fields = array();
$values = array();
foreach($_POST as $field => $value) {
    if(in_array($field, $allow)) {
        // Do correct output escaping etc. here !!
        $fields[] = $field;
        $values[] = "'" . mysql_real_escape_string($value) . "'";
    }
}
mysql_query('insert into table(' . join(',', $fields) . ') values(' . join(',', $values) . ')');
}
This assumes that your form fields names are the same as your DB column names.
If, as Cyro says, array_keys and array_values preserve order, then this can be done even nicer:
function clean($value, $field, &$params) {
if(in_array($field, $params['allow'])) {
    // custom validation goes here
    $params['data'][$field] = "'" . mysql_real_escape_string($value) . "'";
}
}
if(isset($_POST['submit'])) {
// allow only entries that are database fields
$allow = array(/*whatever*/);
$params = array('allow' => $allow, 'data' => array());
array_walk($_POST, 'clean', $params);
if(!empty($params['data'])) {
mysql_query('insert into table(' . join(',', array_keys($params['data'])) . ') values(' . join(',', array_values($params['data'])) . ')');
}
}
See array_walk
If your form contains over 100 fields, I'd worry much more about the client side than the server side. Consider using something like jQuery UI Tabs to split the form up into multiple areas, separated using fieldsets, to enhance usability.
One way around the array issue would be to use something like PHP's extract function, but I wouldn't recommend this for security reasons, and because it wouldn't really make the data any easier to work with.
The best way of dealing with so many fields is to reduce the number of fields. No one wants to have to fill out scores of fields.
Failing that, PDO has much to offer by supporting prepared statements. One thing is parameters, which (unlike your sample code) aren't vulnerable to SQL injection. Parameters can also be used to more easily construct a query using values from an array.
$query = $db->prepare("INSERT INTO table (surname, given_name, main_phone, ...)
VALUES (:fname, :lname, :phone, ...)");
$values = array();
foreach($_POST as $key => $val) {
    $values[':' . $key] = $val; // PHP concatenates strings with ".", not "+"
}
try {
$query->execute($values);
} catch (PDOException $exc) {
...
}
The list of column names can be defined elsewhere, or automatically generated, then imploded when creating the prepared statement.
If your form field names directly relate to your database table columns you can dynamically build your query from the $_POST array. From your example you could do:
$allowed_fields = array('fname', 'lname', 'phone');
foreach($_POST as $key => $value) {
// if this isn't an expected field (user-injection) ignore it
if(!in_array($key, $allowed_fields))
continue;
// do validation checks and data clean up here in a switch
$data[$key] = mysql_real_escape_string($value);
}
mysql_query("INSERT INTO table(`" . implode('`, `', array_keys($data)) . "`) VALUES('" . implode("', '", array_values($data)) . "')");
Really though, a form with 100+ fields is not something I would ever fill out and I don't believe I'm alone in that. Consider breaking it up into multiple steps as others have suggested or try re-approaching your initial design.