
My code is:

if (isset($_POST['add'])) {
    $query = "INSERT INTO ".$dbPrefix."posts (`id`, `user`, `name`, `link`, `content`, `date`, `private`, `password`) VALUES (NULL, '$user', '$name', '$link', '$content', '$date', '$private', '$pass');";
    $mysqli->query($query) OR $status = 'Oprostite, pri dodajanju je prišlo do težave.';
    $id=$mysqli->insert_id;
    foreach ($_POST['categories'] as $category) {
        $categoryQuery.="INSERT INTO ".$dbPrefix."category_posts (`categoryID`, `postID`) VALUES ('".$category."','".$id."');";
    }
    $mysqli->query($categoryQuery) OR $status = $mysqli->error;
}
echo $status;

My variable $_POST is:

Array
(
    [name] => ((((((((((
    [description] => ))))))
    [keywords] => 
    [categories] => Array
        (
            [0] => 1
            [1] => 2
            [2] => 3
        )

    [private] => 0
    [password] => 
    [date] => 0
    [datetime] => 
    [add] => Dodaj
)

If I print the query and run it in phpMyAdmin there is no problem; otherwise it displays this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'INSERT INTO fc_category_posts (`categoryID`, `postID`) VALUES ('2','116');INSERT' at line 1

Query is:

INSERT INTO fc_category_posts (`categoryID`, `postID`) VALUES ('1','116');
INSERT INTO fc_category_posts (`categoryID`, `postID`) VALUES ('2','116');
INSERT INTO fc_category_posts (`categoryID`, `postID`) VALUES ('3','116');
  • Seems like you can only pass one INSERT at a time. Commented Aug 23, 2016 at 14:16
  • How can I customize the code so that it will work? Commented Aug 23, 2016 at 14:18
  • You just need to change your loop code to this: foreach ($_POST['categories'] as $category) { $categoryQuery ="INSERT INTO ".$dbPrefix."category_posts (categoryID, postID) VALUES ('".$category."','".$id."');"; $mysqli->query($categoryQuery); } Commented Aug 23, 2016 at 14:20
  • You cannot run more than one query statement in a single query() call, as a basic defense mechanism against ONE form of SQL injection attack, which your code is utterly vulnerable to. Commented Aug 23, 2016 at 14:24

2 Answers


If you can only pass the one INSERT, then why not do it like this:

INSERT INTO fc_category_posts (`categoryID`, `postID`) 
VALUES ('1','116'),('2','116'),('3','116');

Saves you running multiple INSERT INTO statements.


2 Comments

Would be simpler to just move the query inside the loop in this case, rather than rewriting code to make this work
Could be, I'm a simple SQL guy so looked for the answer that way.

Just move the execution of the query inside the loop:

if (isset($_POST['add'])) {
    $query = "INSERT INTO ".$dbPrefix."posts 
                   (`id`, `user`, `name`, `link`, `content`, `date`, 
                    `private`, `password`) 
               VALUES (NULL, '$user', '$name', '$link', '$content', '$date', 
                       '$private', '$pass');";

    $mysqli->query($query) OR $status = 'Oprostite, pri dodajanju je prišlo do težave.';
    $id=$mysqli->insert_id;
    foreach ($_POST['categories'] as $category) {

        // Note I have changed `.=` to `=` in this statement
        $categoryQuery = "INSERT INTO ".$dbPrefix."category_posts 
                                   (`categoryID`, `postID`) 
                            VALUES ('$category','$id');";

        $mysqli->query($categoryQuery) OR $status = $mysqli->error;
    }

}
echo $status;

However, your script is at risk of SQL injection attack. Have a look at what happened to Little Bobby Tables. Even if you are escaping inputs, it's not safe! Use prepared parameterized statements.

In this scenario it would also be useful for you to consider running these inside a transaction, so that if one insert fails you won't leave the database in a mess. See the manual for mysqli::begin_transaction.
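The two recommendations above (prepared statements and a transaction) applied to the category inserts, as an added example that is not part of the answer or the asker's code. It assumes a connected `$mysqli` object, the same `$dbPrefix` table prefix as in the question, and that the post row has already been inserted so `insert_id` is available; the function name `insertPostCategories` is made up for this example.

```php
<?php
// Added example: category inserts via one prepared statement, executed once per
// category, inside a transaction. Assumes $mysqli (connected mysqli), $dbPrefix
// (table prefix from the question), the new post id, and the categories array.
function insertPostCategories(mysqli $mysqli, string $dbPrefix, int $postId, array $categories): bool
{
    // Identifiers (table names) cannot be bound as parameters, so the prefix is
    // checked against a strict pattern instead of being interpolated blindly.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $dbPrefix)) {
        throw new InvalidArgumentException('Unexpected table prefix');
    }
    $sql = "INSERT INTO {$dbPrefix}category_posts (`categoryID`, `postID`) VALUES (?, ?)";

    $mysqli->begin_transaction();
    try {
        $stmt = $mysqli->prepare($sql);
        if ($stmt === false) {
            throw new RuntimeException('prepare failed: ' . $mysqli->error);
        }
        // Values travel as bound parameters, never as SQL text, so input such as
        // "((((((" or a stray quote cannot change the statement's structure.
        $categoryId = 0;
        $stmt->bind_param('ii', $categoryId, $postId); // binds by reference
        foreach ($categories as $category) {
            $categoryId = (int) $category;
            if (!$stmt->execute()) {
                throw new RuntimeException('execute failed: ' . $stmt->error);
            }
        }
        $stmt->close();
        $mysqli->commit();    // all category rows are written, or none are
        return true;
    } catch (Throwable $e) {
        $mysqli->rollback();  // a failed insert leaves no partial rows behind
        error_log($e->getMessage());
        return false;
    }
}

// Usage after the post insert (constructed call, mirroring the question's flow):
// $ok = insertPostCategories($mysqli, $dbPrefix, (int) $mysqli->insert_id, $_POST['categories'] ?? []);
```

With mysqli's default error reporting in PHP 8.1+ a failing query throws `mysqli_sql_exception`, which the `catch (Throwable $e)` branch also handles, so the rollback runs either way.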
