Insert multiple POST arrays into MySQL

Time: 2017-02-10 19:41:07

Tags: php mysql arrays

Not sure what I'm doing wrong: trying to post to a second table using an array in POST - it looks like I've messed up my array?

The example below shows my PHP insert and the output I get from printing the SQL, along with the var_dump - it looks like my POST array isn't set for the right elements?

PHP:

$sql = "insert into invoice_details (NULL, product, disc, cost, quantity, price) values";
for($i=0; $i<sizeof($_POST);$i++){
    if(($i+1) == sizeof($_POST)){
        $sql .="('$id','$_POST[$i][item_number]','$_POST[$i][item_name]','$_POST[$i][item_desc]','$_POST[$i][item_qty]','$_POST[$i][item_cost]','$_POST[$i][item_price]')";
    }else{
        $sql .="('$id','$_POST[$i][item_number]','$_POST[$i][item_name]','$_POST[$i][item_desc]','$_POST[$i][item_qty]','$_POST[$i][item_cost]','$_POST[$i][item_price]'),";
    }
}

$query1 = sprintf($sql);
print $query1;
//$result1 = mysql_query($query1);

Result of the POST:

array(11) {
    ["address"]=> string(132) " MyStreet Drive MyCity, XY 12345 Phone: (000) 555-1212"
    ["customer"]=> string(46) "Customer Name Address 1 Address 2 Address 3"
    ["invoice"]=> string(8) "20170212"
    ["item_desc"]=> array(2) { 
        [0]=> string(40) "Business Rate: Consulting/Labor/Installs" 
        [1]=> string(43) "Residential Rate: Consulting/Labor/Installs"
    }
    ["item_cost"]=> array(2) { 
        [0]=> string(7) "$150.00"
        [1]=> string(6) "$95.00"
    }
    ["item_qty"]=> array(2) {
        [0]=> string(1) "3"
        [1]=> string(1) "3"
    }
    ["xdate"]=> string(0) ""
    ["sales"]=> string(0) ""
    ["owed"]=> string(0) ""
    ["deducted"]=> string(0) ""
    ["PHPSESSID"]=> string(26) "2rd71183clcia54mb5o0q35j13"
} 
INSERT INTO invoice_details (NULL, product, disc, cost, quantity, price)
VALUES  ('29','[item_number]','[item_name]','[item_desc]','[item_qty]','[item_cost]','[item_price]'),
('29','[item_number]','[item_name]','[item_desc]','[item_qty]','[item_cost]','[item_price]'),
('29','[item_number]','[item_name]','[item_desc]','[item_qty]','[item_cost]','[item_price]'),
('29','[item_number]','[item_name]','[item_desc]','[item_qty]','[item_cost]','[item_price]'),
('29','[item_number]','[item_name]','[item_desc]','[item_qty]','[item_cost]','[item_price]'),
('29','[item_number]','[item_name]','[item_desc]','[item_qty]','[item_cost]','[item_price]'),
('29','[item_number]','[item_name]','[item_desc]','[item_qty]','[item_cost]','[item_price]'),
('29','[item_number]','[item_name]','[item_desc]','[item_qty]','[item_cost]','[item_price]'),
('29','[item_number]','[item_name]','[item_desc]','[item_qty]','[item_cost]','[item_price]'),
('29','[item_number]','[item_name]','[item_desc]','[item_qty]','[item_cost]','[item_price]')

2 answers:

Answer 0 (score: 1)

Using the mysql_* functions is not recommended, because you are opening yourself up to SQL injection. However, this particular problem can be fixed by putting braces around the variables:

// Inside "{...}" PHP parses the whole array expression, so the nested
// index is evaluated instead of "[item_number]" being emitted literally.
// The keys must be quoted here; bare item_number would be an undefined constant.
for($i=0; $i<sizeof($_POST);$i++){
    if(($i+1) == sizeof($_POST)){
        $sql .="('$id','{$_POST[$i]['item_number']}','{$_POST[$i]['item_name']}','{$_POST[$i]['item_desc']}','{$_POST[$i]['item_qty']}','{$_POST[$i]['item_cost']}','{$_POST[$i]['item_price']}')";
    }else{
        $sql .="('$id','{$_POST[$i]['item_number']}','{$_POST[$i]['item_name']}','{$_POST[$i]['item_desc']}','{$_POST[$i]['item_qty']}','{$_POST[$i]['item_cost']}','{$_POST[$i]['item_price']}'),";
    }
}

I strongly recommend switching to PDO or mysqli and using proper prepared statements, which fixes these problems as well as the SQL injection vulnerability.

Answer 1 (score: 1)

Try this: (don't forget to escape the variables.)

$sql = "insert into invoice_details (NULL, product, disc, cost, quantity, price) values";

// item_desc, item_qty, item_cost, ... arrive as parallel arrays, one entry per
// row, so index each of them by row number instead of looping over $_POST itself.
for ($i = 0; $i < count($_POST['item_desc']); $i++){
    $item_number = $_POST['item_number'][$i];
    $item_name = $_POST['item_name'][$i];
    $item_desc = $_POST['item_desc'][$i];
    $item_qty = $_POST['item_qty'][$i];
    $item_cost = $_POST['item_cost'][$i];
    $item_price = $_POST['item_price'][$i];

    $sql .="('{$id}','{$item_number}','{$item_name}','{$item_desc}','{$item_qty}','{$item_cost}','{$item_price}')";

    // comma between rows, none after the last one
    if(($i+1) < count($_POST['item_desc'])){
        $sql .= ',';
    }
}

$query1 = sprintf($sql);
print $query1;
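Putting the two answers together (Answer 0's advice to use PDO prepared statements, Answer 1's row-by-row indexing of the parallel item_* arrays), here is an added example that is not code from the question or either answer. It assumes a table invoice_details with columns invoice_id, disc, cost and quantity, since the column list on the page does not match its value list, and it validates the ragged-array and "$150.00" cases that the string-building versions would silently insert.

```php
<?php
// Added example, not from the question or either answer. Column names
// (invoice_id, disc, cost, quantity) and the DSN/credentials are assumptions.
declare(strict_types=1);

// Constructed stand-in for $_POST, shaped like the var_dump in the question.
$post = [
    'item_desc' => ['Business Rate: Consulting/Labor/Installs', 'Residential Rate: Consulting/Labor/Installs'],
    'item_cost' => ['$150.00', '$95.00'],
    'item_qty'  => ['3', '3'],
];
$id = 29; // the invoice id that appears in the question's generated SQL

// Walk the parallel item_* arrays by index ($_POST itself is keyed by field
// name, not by row, which is why the question's loop produced literal "[item_desc]").
// Ragged arrays and non-numeric qty/cost are rejected instead of inserted as garbage.
function collectRows(array $post): array
{
    $n = count($post['item_desc'] ?? []);
    foreach (['item_desc', 'item_qty', 'item_cost'] as $k) {
        if (!is_array($post[$k] ?? null) || count($post[$k]) !== $n) {
            throw new InvalidArgumentException("item arrays missing or ragged at $k");
        }
    }
    $rows = [];
    for ($i = 0; $i < $n; $i++) {
        $qty  = filter_var($post['item_qty'][$i], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        $cost = ltrim($post['item_cost'][$i], '$');          // "$150.00" -> "150.00"
        if ($qty === false || !preg_match('/^\d+(\.\d{1,2})?$/', $cost)) {
            throw new InvalidArgumentException("bad quantity or cost in row $i");
        }
        $rows[] = ['disc' => $post['item_desc'][$i], 'cost' => $cost, 'quantity' => $qty];
    }
    return $rows;
}

$pdo = new PDO('mysql:host=localhost;dbname=invoices', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares: values never enter the SQL text
]);
$stmt = $pdo->prepare('INSERT INTO invoice_details (invoice_id, disc, cost, quantity)
                       VALUES (:invoice_id, :disc, :cost, :quantity)');
$pdo->beginTransaction();          // all rows of the invoice land, or none do
try {
    foreach (collectRows($post) as $row) {
        $stmt->execute(['invoice_id' => $id] + $row);
    }
    $pdo->commit();
} catch (Throwable $e) {
    $pdo->rollBack();
    throw $e;
}
```

The prepared statement is sent once and executed per row, so a value like `O'Brien's Rate` or one containing `%` is bound as data and can neither break the statement nor, as with the `sprintf($sql)` call above, be misread as a format specifier.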