Question

我已经从互联网上复制并修改了一个脚本。该脚本最初从mysql表查询中删除了所选记录。我已修改脚本以使用insert into语句将所选记录插入到另一个表中。

我想知道如何将mysql数组中的所有选定记录插入到具有相同id的另一个表中。

逻辑与'orderdetails'表格相似。我希望订购的所有产品具有相同的订单号，以便它们共享一个共同的价值。

如何修改以下脚本以插入具有唯一编号的数组中的所有值？

<?php
mysql_connect("localhost", "user", "pass")or die("cannot connect");    
mysql_select_db("db")or die("cannot select DB");
$sql="SELECT * FROM category";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
?>
<table width="400" border="0" cellspacing="1" cellpadding="0">
<tr><td><form name="form1" method="post">
<table width="400" border="0" cellpadding="3" cellspacing="1" bgcolor="#CCCCCC">
<tr><td bgcolor="#FFFFFF">&nbsp;</td>
    <td colspan="4" bgcolor="#FFFFFF"><strong>Insert multiple rows in mysql</strong></td></tr>
<tr><td align="center" bgcolor="#FFFFFF">#</td>
    <td align="center" bgcolor="#FFFFFF"><strong>Category ID</strong></td>
    <td align="center" bgcolor="#FFFFFF"><strong>Category</strong></td></tr>
<?php
while($rows=mysql_fetch_array($result)){
?>
<tr><td align="center" bgcolor="#FFFFFF"><input type="checkbox" name=check[]  value="
<?php echo $rows['cat_id']; ?>"></td>
<td bgcolor="#FFFFFF"><?php echo $rows['cat_id']; ?></td>
<td bgcolor="#FFFFFF"><?php echo $rows['category']; ?></td></tr>

<?php
}
?>
<tr><td colspan="3" align="center" bgcolor="#FFFFFF"><input name="delete" type="submit" id="delete" value="Delete"></td></tr>
<?php
$check=$_POST['check'];
if($_REQUEST['delete']=='Delete'){
  {
    $sql="INSERT INTO category1 (cat_id,category) 
             SELECT cat_ID, category 
             FROM category 
             WHERE cat_id='$val'";

    foreach($check as $key=>$value)
    {
      $sql="INSERT INTO category1 (cat_id,category) 
              SELECT cat_ID, category 
              FROM category 
              WHERE cat_id='$value'";
      $final = mysql_query($sql);
      if($final) {
        echo "<meta http-equiv=\"refresh\" content=\"0;URL=php.php\">";
      }
    } 
  }
}
// Check if delete button active, start this   
// if successful redirect to php.php

mysql_close();
?>
</table></form></td></tr></table>

Answer 1

您的代码有几个问题：

A-您有SQL注入漏洞：使用mysql_real_escape_string()
B-您可能存在XSS漏洞：使用htmlspecialchars来逃避您回显的所有$ vars C-当您仅使用字段select *时使用catID，category是完全废弃的。始终为您明确选择的字段命名。

请参阅：
How does the SQL injection from the "Bobby Tables" XKCD comic work?
What are the best practices for avoiding xss attacks in a PHP site
What is the reason not to use select *?

回答您的问题
我会使用类似

的代码

$check = $_POST['check'];
if (is_array($check)) {
  //simple test to see if an array is multi-dimensional.
  if (count($array) != count($array, COUNT_RECURSIVE)) 
  {
     //die("multidimensional array's are not allowed");
     //insert code to reask the array, or work around the issue.
     //you really should not use `die` in production code.
  } else {
  //escape what's inside the array, not the array itself.
  $check = array_walk($check, 'mysql_real_escape_string');
  $check = "'".implode("','",$check)."'"; //1,2,3 => '1','2','3'
} else { //not an array
  $check = "'".mysql_real_escape_string($check)."'";
}
//Inserts all $check's in one go.
$sql = "INSERT INTO category1 (cat_id,category) 
          SELECT cat_ID, category 
          FROM category 
          WHERE cat_id IN ($check) ";  //$check is already quoted.

从数组中将多行插入到具有唯一ID的表中

1 个答案: