Help! - Need alternative way of adding to database

Posted: Tue Jul 12, 2005 11:30 am
by mhouldridge
Hi,

My current way of adding data to the database, using a posting page to this script, is as follows:

Code: Select all

$query = "INSERT INTO dedicated(asset, title, customer, type, serial, IP, IP2, IP3, IP4, IP5, IP6, IP7, IP8, IP9, IP10, location, os, oslicense, oemfull, processor, memory, motherboard, disksize, graphics, networkcard, software, software2, software3, software4, software5, software6, software7, software8, software9, software10, license, license2, license3, license4, license5, license6, license7, license8, license9, license10, software11, software12, software13, software14, software15, software16, software17, software18, software19, siftware20, license11, license12, license13, license14, license15, license16, license17, license18, license19, license20, value ) 
VALUES('".$_POST['asset']."','".$_POST['title']."','".$_POST['customer']."','".$_POST['type']."','".$_POST['serial']."','".$_POST['IP']."','".$_POST['IP2']."','".$_POST['IP3']."','".$_POST['IP4']."','".$_POST['IP5']."','".$_POST['IP6']."','".$_POST['IP7']."','".$_POST['IP8']."','".$_POST['IP9']."','".$_POST['IP10']."','".$_POST['location']."','".$_POST['os']."','".$_POST['oslicense']."','".$_POST['oemfull']."','".$_POST['processor']."','".$_POST['memory']."','".$_POST['motherboard']."','".$_POST['disksize']."','".$_POST['graphics']."','".$_POST['networkcard']."','".$_POST['software']."','".$_POST['software2']."','".$_POST['software3']."','".$_POST['software4']."','".$_POST['software5']."','".$_POST['software6']."','".$_POST['software7']."','".$_POST['software8']."','".$_POST['software9']."','".$_POST['software10']."','".$_POST['license']."','".$_POST['license2']."','".$_POST['license3']."','".$_POST['license4']."','".$_POST['license5']."','".$_POST['license6']."','".$_POST['license7']."','".$_POST['license8']."','".$_POST['license9']."','".$_POST['license10']."','".$_POST['software11']."','".$_POST['software12']."','".$_POST['software13']."','".$_POST['software14']."','".$_POST['software15']."','".$_POST['software16']."','".$_POST['software17']."','".$_POST['software18']."','".$_POST['software19']."','".$_POST['software20']."','".$_POST['license11']."','".$_POST['license12']."','".$_POST['license13']."','".$_POST['license14']."','".$_POST['license15']."','".$_POST['license16']."','".$_POST['license17']."','".$_POST['license18']."','".$_POST['license19']."','".$_POST['license20']."','".$_POST['value']."')";
$result = mysql_query($query);
mysql_close($db);

This looks like a messy way of doing things. Here is a neater one that I am trying to get working, but failing to do so. Please help.

Code: Select all

$query = "INSERT INTO dedicated ".
"asset= \"".$_POST["asset"]."\",".
"title= \"".$_POST["title"]."\",".
"customer= \"".$_POST["customer"]."\",".
"type= \"".$_POST["type"]."\",".
"serial= \"".$_POST["serial"]."\",".
"os= \"".$_POST["os"]."\",".
"oslicense= \"".$_POST["oslicense"]."\",".
"oemfull= \"".$_POST["oemfull"]."\",".
"processor= \"".$_POST["processor"]."\",".
"memory= \"".$_POST["memory"]."\",".
"IP= \"".$_POST["IP"]."\",".
"disksize= \"".$_POST["disksize"]."\",".
"graphics= \"".$_POST["graphics"]."\",".
"networkcard= \"".$_POST["networkcard"]."\",".
"software= \"".$_POST["software"]."\",".
"software2= \"".$_POST["software2"]."\",".
"software3= \"".$_POST["software3"]."\",".
"software4= \"".$_POST["software4"]."\",".
"software5= \"".$_POST["software5"]."\",".
"software6= \"".$_POST["software6"]."\",".
"software7= \"".$_POST["software7"]."\",".
"software8= \"".$_POST["software8"]."\",".
"software9= \"".$_POST["software9"]."\",".
"software10= \"".$_POST["software10"]."\",".
"license= \"".$_POST["license"]."\",".
"license2= \"".$_POST["license2"]."\",".
"license3= \"".$_POST["license3"]."\",".
"license4= \"".$_POST["license4"]."\",".
"license5= \"".$_POST["license5"]."\",".
"license6= \"".$_POST["license6"]."\",".
"license7= \"".$_POST["license7"]."\",".
"license8= \"".$_POST["license8"]."\",".
"license9= \"".$_POST["license9"]."\",".
"license10= \"".$_POST["license10"]."\",".
"license11= \"".$_POST["license11"]."\",".
"license12= \"".$_POST["license12"]."\",".
"license13= \"".$_POST["license13"]."\",".
"license14= \"".$_POST["license14"]."\",".
"license15= \"".$_POST["license15"]."\",".
"license16= \"".$_POST["license16"]."\",".
"license17= \"".$_POST["license17"]."\",".
"license18= \"".$_POST["license18"]."\",".
"license19= \"".$_POST["license19"]."\",".
"license20= \"".$_POST["license20"]."\",".
"location= \"".$_POST["location"]."\",".
"value= \"".$_POST["value"]."\",".
"value2= \"".$_POST["value2"]."\",".
"motherboard= \"".$_POST["motherboard"]."\"";
mysql_query($query);
mysql_close($db);

Posted: Tue Jul 12, 2005 12:00 pm
by John Cartwright
There are a couple ways of handling this problem. I believe you are looking for something along these lines, but I would probably have an array of pre-defined input field names to make sure everything is where it is supposed to be. You should have some form of validation done as well if you are taking content directly from a form -- just to be safe. Never trust any content coming from the outside world. :wink:

Code: Select all

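$sql = 'INSERT INTO `dedicated` SET ';

// Collect one `column` = 'value' pair per non-empty field, then join with commas.
// Note: $fieldname is taken straight from the request and is not checked here;
// restrict it to a pre-defined list of column names, as described above.
$pairs = array();
foreach ($_POST as $fieldname => $value) {
  if (!empty($value)) {
    $pairs[] = '`'.$fieldname.'` = \''.mysql_real_escape_string($value).'\'';
  }
}
$sql .= implode(', ', $pairs);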

Posted: Tue Jul 12, 2005 12:45 pm
by timvw
I've already given this example... Usually it goes like this:

Code: Select all

$allowed = array('col1', 'col2', 'col3');

foreach($allowed as $col)
{
  if (isset($_POST[$col]))
  {
    // add to query
  }
}
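
The two replies above combined into one routine, as an added example that is not part of the original thread: column names come only from a fixed allowlist, and values are passed as bound parameters rather than concatenated into the SQL. `buildInsert()` is a hypothetical helper, the column list is a subset of the thread's table, PDO replaces the `mysql_*` calls, and an in-memory SQLite database stands in for the MySQL server so the script runs offline.

```php
<?php
// Added example, not code from the thread. buildInsert() is a hypothetical helper.
// Column names come only from $allowed; submitted values travel as bound parameters.
function buildInsert(string $table, array $allowed, array $input): array
{
    $cols = [];
    $params = [];
    foreach ($allowed as $col) {
        // Keep only non-empty string values for known columns; ignore everything else.
        if (isset($input[$col]) && is_string($input[$col]) && $input[$col] !== '') {
            $cols[] = $col;
            $params[':' . $col] = $input[$col];
        }
    }
    if ($cols === []) {
        throw new InvalidArgumentException('no recognised fields submitted');
    }
    $sql = sprintf(
        'INSERT INTO %s (%s) VALUES (%s)',
        $table,                              // fixed by the caller, never from the request
        implode(', ', $cols),
        implode(', ', array_keys($params))
    );
    return [$sql, $params];
}

// Subset of the thread's columns, for brevity (assumption).
$allowed = ['asset', 'title', 'customer', 'serial', 'location'];

// Constructed sample request standing in for $_POST.
$post = [
    'asset'    => 'A-1001',
    'title'    => "O'Brien's server",   // quote character is handled by parameter binding
    'customer' => '',                   // empty, skipped
    'is_admin' => '1',                  // not in the allowlist, dropped
    'location' => ['x'],                // array instead of string, dropped
];

[$sql, $params] = buildInsert('dedicated', $allowed, $post);
echo $sql, "\n";

// SQLite in memory stands in for the MySQL database here (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE dedicated (asset TEXT, title TEXT, customer TEXT, serial TEXT, location TEXT)');
$db->prepare($sql)->execute($params);
print_r($db->query('SELECT asset, title FROM dedicated')->fetch(PDO::FETCH_ASSOC));
```

Against MySQL only the PDO DSN changes; the statement text and the parameter array stay the same.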