1

Can someone point me in the right direction/website here?

Is there a way in PHP to update a particular table dynamically by comparing the field name from the form and the column_name from the database?

e.g

INPUT name="email_address"

and

Database Column name is email_address

I found something but is not so flexible in my opinion...

1
  • 1
    It seems insecure. What is the reason to do so? Commented May 23, 2011 at 13:01

2 Answers

4

I have something similar in place and it's really stable.

All you have to do is to get the columns from your table and generate your input fields dynamically. Then, when it's posted back, implode everything into a string. Check if the column names received match the ones in your table and also implode the values. Add_slashes and escape any quotes or other possible SQL injection characters.

The following code is the one I use for a MASSIVE project/s.

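// Drop the obj__* helper fields first so column names and values stay aligned.
$postvars = remove__v($_POST);
// NOTE: values are interpolated as-is here; check the column names against the
// table and escape the values before this point, as described above.
$q = "replace into `".$opertable."`
    (`".implode('`,`', array_keys($postvars))."`)
    values
    ('".implode("','", $postvars)."')";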

remove__v removes some validation techniques and submit buttons etc with the function below

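// Remove helper fields (submit buttons, validation markers) whose names contain obj__.
function remove__v($array) {
  foreach ($array as $key => $value) {
    if (substr_count((string) $key, 'obj__')) unset($array[$key]);
  }
  return $array;
}

All my input buttons are named as obj__*.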

Hope you get the idea.


2

It should be possible to just get the key from the POST super-global, but consider the security risks involved. Remember that the form is being submitted by your user; he could easily create a fake input field called rights and give himself administrator rights!

If you still want to go with it, the solution is simple. Loop over post, getting the key and value and appending it to the SQL query; as such:

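$sql = "UPDATE user SET ";
// Every submitted key and value goes into the query unescaped, and there is no WHERE clause.
foreach ($_POST as $key => $value) {
    $sql .= $key . " = '" . $value . "',";
}

$sql = substr($sql, 0, -1);       // Remove the last comma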

6 Comments

This function is only intended for the backend part of the website in which admins have access to login...
Then go ahead with it, that's a perfect example of taking shortcuts to save precious time! Just make sure you know the risks.
Yes yes, that was taken into consideration. I will also include the table name as an input type hidden to be included into this function.. so it's even more flexible and dynamic. Thanks for the time :D
It's not intended to be copy pasted, you'd have to use your head to use it in a real world scenario.
Oliver is right, the submit and hidden buttons will also be submitted.. so I would go for his opinion.. But thanks anyway, it was a kickstart. Thanks guys
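The forged `rights` field from the second answer and the hidden table-name field from the comments, handled with an allow-list and bound parameters. This is an added example, not code from either answer; `EDITABLE`, `buildUpdate`, the `id` row key and the in-memory SQLite database (via pdo_sqlite) are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

// Constructed allow-list: table => columns a form may change.
// `rights` is a real column of `user` but is deliberately absent.
const EDITABLE = ['user' => ['email_address', 'first_name']];

function buildUpdate(string $table, array $input, string $idColumn = 'id'): array
{
    if (!array_key_exists($table, EDITABLE)) {
        throw new InvalidArgumentException('table is not on the allow-list');
    }
    if (!isset($input[$idColumn]) || !is_scalar($input[$idColumn])) {
        throw new InvalidArgumentException('missing row id');
    }
    $set = $rejected = [];
    $params = [':row_id' => $input[$idColumn]];
    foreach ($input as $key => $value) {
        if ($key === $idColumn) {
            continue;                 // only used in the WHERE clause
        }
        if (!in_array($key, EDITABLE[$table], true) || !is_scalar($value)) {
            $rejected[] = $key;       // submit buttons, unknown or protected columns
            continue;
        }
        $set[] = "`$key` = :$key";    // identifier comes from the allow-list, value is bound
        $params[":$key"] = $value;
    }
    if ($set === []) {
        throw new InvalidArgumentException('no editable fields submitted');
    }
    // $table was checked above; $idColumn is set by the developer, never by the form.
    $sql = "UPDATE `$table` SET " . implode(', ', $set) . " WHERE `$idColumn` = :row_id";
    return [$sql, $params, $rejected];
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE user (id INTEGER PRIMARY KEY, email_address TEXT, first_name TEXT, rights TEXT)");
$db->exec("INSERT INTO user VALUES (1, 'old@example.test', 'Ann', 'user')");

// Constructed POST body: a forged `rights` field, a submit button, a quote inside a value.
$post = ['id' => '1', 'email_address' => "o'neil@example.test", 'rights' => 'admin', 'obj__submit' => 'Save'];
[$sql, $params, $rejected] = buildUpdate('user', $post);
$db->prepare($sql)->execute($params);
print_r($rejected);
print_r($db->query('SELECT * FROM user')->fetch(PDO::FETCH_ASSOC));
```

Comparing field names against the table's columns alone would still let `rights` through, because it is a genuine column; the per-table list of editable columns is what blocks it.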
