2

I have a question about how I can save different value in order if I GET 1 row in php.

For example, if I have like:

*Feder|100|50|10|5|9|0|0|0|0|0|0 PHP LINE

I need to save this row in the table like:

----------------------------------------------
name | score | status | point | level | bla | bla | bla....
----------------------------------------------
Feder| 100   | 50     |   10  |  5    |  0  | 0......
-------------------------------------------------

Now, I use easy method to get something in the database like:

   $sql="INSERT INTO user (name, score, status)
        VALUES
        ('$name','$score','$status')";
        mysqli_query($con,$sql);

With this, when I get the value, I use like:

save.php?name=feder&score=100&status=50

But if I have to insert 40 values, will this be very hard? I think is possible to make easy, but I don't have any idea how I can do that... Someone know the best method to do this?

If I can use like: save.php?userdata=(all row)* is better...

Improve this question
1
  • 40 values - how and where? Do you mean you have 40 of these lines? 40 triple values on a line? If you present data you have to describe it. What are the '5|9|0|0|0|0|0|0'? Or is your issue just "How do I pass a large number of values in the URL?" Please edit your question. Commented Jan 31, 2014 at 7:45

2 Answers 2

Reset to default
2

What you ask for is not recommended for security reasons. It's one of the biggest no-nos to trust GET contents and put it straight into an SQL query.

But.

Of course you can foreach the variable $_GET like this:

$x="";
foreach($_GET as $key=>$val) {
    $x.=" $key = '$val', ";
}
$sql = "insert into myTable set $x";

This is just the principle of it. You should ALWAYS check for the field names and values to avoid injection attacks. So a better approach would be like:

$isValid = array("name"=>1,"score"=>1,"status"=>1);
$x="";
foreach($_GET as $key=>$val) {
    if(!$isValid[$key]) continue; // skip unknown fields!
    $val = stripslashes($val); // remove magic quote junk
    $val = mysql_real_escape_string($val); // protect mysql from attacks
    $x.=" $key = '$val', "; // build the query
}
$sql = "insert into myTable set $x";

UPDATE

If you get all the values in one string like "aaa|bbb|ccc", you can use explode() to parse them into one array. But then you rely on the order of fields which is not a good practice. I'd recommend to always prefer "field1=aaa&field2=bbb" style.

Hope this helps. Think about the risks and find your own way.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

thank you for the answer, but i don't really understand how works this script for insert the value.... $x=""; will be $x="|";? and the script follow the rule of the order? I am worried about the injection... if I use this code, I need to send the GET like this? save.php?userdata=(all row)*, and the $val is my string? thank you very much, I am new about this topic...
I updated the answer. You can use explode() to parse your string into an array. Maybe I misunderstood something. You have a fixed order of fields and you receive only one string in a GET variable? What's a typical GET request that your script is called with?
@dkellner The user is using mysqli; surely you can use parameterized queries instead of the hardly safe stripslashes and mysql_* function.. not to mention, mysql_real_escape_string requires a mysql_* resource.. mysqli is not a substitute.
Thank you everybody, I need to save some data from my application, and I can use just the _GET like the link "save.php?value1=aa&value2=3..." for don't repeat the same script 40 times (in my first post) I have the order of the table, and the order of the string...my question was if is possible to use one time the script to save the value in all row from my single string... how I can make sure the code? I am a little bit confusing about this topic... thank you!!!
0

You said 40 row. You have to remember that the limitation of length of an URL. So the suitable way is to use POST method through a HTML form. Taking care in multible fields naming by adding [] to the field name:

<form method="post" action="some.php">
<input type="text" name="name[]" />
<input type="text" name="score[]" />
...
</form>

and from your PHP

for ($i = 0; $i < count($_POST['name']); $i++){
$name = $_POST['name'][$i];
$score = $_POST['score'][$i];
$status = $_POST['status'][$i];
$sql="INSERT INTO user (name, score, status)
        VALUES
        ('$name','$score','$status')";
        mysqli_query($con,$sql); 
}

Notice: This answer is about the concept of inserting multiple records. It does not meant by the security of receiving data.

Improve this answer

10 Comments

What's bad in this practice?!
Let's see... how about the fact that its vulnerable to injection attacks.
I just talk about inserting multiple records in one process. Securing the input data is another story.
And since when is setting up the user for failure a good idea? It's not that difficult to secure the data in a reasonable amount of space in this answer. As said, propagating bad practice is never a good idea. At least the other answer attempts to solve this, even if wrongly.
Yes, I know... you suggest to update just the value I need? I mean, if the user edit something, I will upload just the call value (one by one), but if I will make that, I need to make a lot of php page for every value... will be crazy to make 100 page in php but more fast and sure? what do you think?? thank you :)
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.