我已经构建了下面的数组,以插入从多行html表单传递到MYSQL数据库的多行。我遇到的问题是如何修改我已经构建的正确插入多行的内容。我在下面提供了代码和示例。
<?php
include 'connect.php';
$records= array(
'palid' => $_POST['LPN'],
'auditor' => $_POST['ANAME'],
'itnum' => $_POST['Part'],
'ordid' => $_POST['Order'],
'pckusr' => $_POST['Picker'],
'expected' => $_POST['Eaches'],
'actual' => $_POST['Actual']);
$keys = implode(', ', array_keys($records));
$col = array();
foreach ($records as $rowValues) {
foreach ($rowValues as $key => $rowValue) {
$rowValues[$key] = $rowValues[$key];
}
$col[] = "(" . implode(', ', $rowValues) . ")";
}
$query = "INSERT INTO audit ($keys) VALUES " . implode (', ', $col);
echo $query;
$result = mysqli_query($connection, $query) or die(mysqli_error($connection));
?>
echo $查询;显示下面的内容,它只是连接在一起的每列的所有三行的值,而不是连接在一起的每一行。
INSERT INTO audit(palid, auditor, itnum, ordid, pckusr, expected, actual) VALUES(0010070382, 0010070382, 0010070382), (aud01, aud01, aud01), (2616M, 2216T, 1216F), (5167-2, 5167-2, 5167-2), (LION, LION, LION), (30, 300, 402), (30, 300, 402)
因为它应该是这样的:
INSERT INTO audit(palid, auditor, itnum, ordid, pckusr, expected, actual) VALUES(0010070382, aud01, 2616M, 5167-2, LION, 30, 30), (0010070382, aud01, 2216T, 5167-2, LION, 300, 300), (0010070382, aud01, 1216F, 5167-2, LION, 402, 402)
当我使用var_dump($ records)时;数组传递了以下信息,但我还没有弄清楚如何将信息形成每个关联组以将这三行传递到我的MYSQL数据库。
array(7)
{
["palid"] => array(3)
{
[0] => string(10) "0010070382"
[1] => string(10) "0010070382"
[2] => string(10) "0010070382"
}
["auditor"] => array(3)
{
[0] => string(5) "aud01"
[1] => string(5) "aud01"
[2] => string(5) "aud01"
}
["itnum"] => array(3)
{
[0] => string(5) "2616M"
[1] => string(5) "2216T"
[2] => string(5) "1216F"
}
["ordid"] => array(3)
{
[0] => string(6) "5167-2"
[1] => string(6) "5167-2"
[2] => string(6) "5167-2"
}
["pckusr"] => array(3)
{
[0] => string(4) "LION"
[1] => string(4) "LION"
[2] => string(4) "LION"
}
["expected"] => array(3)
{
[0] => string(2) "30"
[1] => string(3) "300"
[2] => string(3) "402"
}
["actual"] => array(3)
{
[0] => string(2) "30"
[1] => string(3) "300"
[2] => string(3) "402"
}
}
答案 0 :(得分:2)
您应该使用prepared statements执行此操作,而不仅仅是将用户提供的信息限制在数据库查询中。这是一个非常糟糕的主意!试试这个PDO代码:
<?php
$db_name = "";
$db_user = "";
$db_pass = "";
$db = new PDO("mysql:host=localhost;dbname=$db_name", $db_user, $db_pass);
$stmt = $db->prepare("INSERT INTO audit(palid, auditor, itnum, ordid, pckusr, expected, actual) VALUES (?, ?, ?, ?, ?, ?, ?)");
// refactor the POST arrays
$recordcount = count($_POST["LPN"]);
for ($i = 0; $i < $recordcount; $i++) {
$records[] = [
$_POST["LPN"][$i],
$_POST["ANAME"][$i],
$_POST["Part"][$i],
$_POST["Order"][$i],
$_POST["Picker"][$i],
$_POST["Eaches"][$i],
$_POST["Actual"][$i],
];
}
foreach ($records as $record) {
$stmt->execute($record);
}
您正在为每个变量构建一个包含占位符?的查询。在循环中,执行该查询,用正确的值替换这些占位符。这也可以避免任何不安全的字符 - 使用现有代码,任何人都可以轻松地清除数据库。
答案 1 :(得分:-2)
@ miken32指出了避免sql注入的最重要元素之一,这是你应该使用的东西。但是,如果您只是好奇如何解决这个问题,这里有一个解决方案可以帮助您实施。
include 'connect.php';
$records= array(
'palid' => $_POST['LPN'],
'auditor' => $_POST['ANAME'],
'itnum' => $_POST['Part'],
'ordid' => $_POST['Order'],
'pckusr' => $_POST['Picker'],
'expected' => $_POST['Eaches'],
'actual' => $_POST['Actual']
);
$col = [];
$keys = [];
$valuesForInsert = [];
foreach ($records as $recordKey => $rowValues) {
$keys[] = $recordKey;
foreach ($rowValues as $key => $rowValue) {
$valuesForInsert[$key][] = $rowValues[$key];
}
}
foreach ($valuesForInsert as $rowValue) {
$col[] = "(".implode(', ', $rowValue).")";
}
$query = "INSERT INTO audit ($keys) VALUES ".implode(', ', $col);
echo $query;