
The PHP code below gets the results from a form and inserts them into a table.

I have to use this table structure, where each row corresponds to a different value from the form, e.g. First Name.

I've written the code below but it's cumbersome. Can you help me with a better way? Thanks heaps!

<?php
// Values straight from the submitted form
$lists      = $_POST['form']['lists'][0];
$first_name = $_POST['form']['first_name'];
$last_name  = $_POST['form']['last_name'];
$idu        = $db->insertid();   // id of the subscriber row inserted just before

// One INSERT per form field: (IdList, FieldName, FieldValue, IdSubscriber)
$db->setQuery("INSERT INTO #__rsmail_subscriber_details (`IdList`, `FieldName`, `FieldValue`, `IdSubscriber`)
    VALUES ('" . $db->getEscaped($lists) . "', 'First Name', '" . $db->getEscaped($first_name) . "', '" . $db->getEscaped($idu) . "')");
$db->query();

$db->setQuery("INSERT INTO #__rsmail_subscriber_details (`IdList`, `FieldName`, `FieldValue`, `IdSubscriber`)
    VALUES ('" . $db->getEscaped($lists) . "', 'Last Name', '" . $db->getEscaped($last_name) . "', '" . $db->getEscaped($idu) . "')");
$db->query();
  • Just curious - why are setQuery and query separated into 2 functions? Commented Jul 6, 2011 at 3:26
  • My guess: docs.joomla.org/… Commented Jul 6, 2011 at 3:36
  • Thanks heaps for the answer zerkms! Works great. I've just copied in the code from another site. How do I combine setQuery and query? Commented Jul 6, 2011 at 3:38
  • Did I just ask the most stupid question of the day? Commented Jul 6, 2011 at 4:06

2 Answers

8

You can perform bulk insert:

INSERT INTO table (field1, field2) VALUES ('val1', 'val2'), ('val3', 'val4'), ...

In your case it is something like:

// Both detail rows in a single statement: one (..) group per form field
$db->setQuery("INSERT INTO #__rsmail_subscriber_details (`IdList`, `FieldName`, `FieldValue`, `IdSubscriber`)
    VALUES ('" . $db->getEscaped($lists) . "', 'First Name', '" . $db->getEscaped($first_name) . "', '" . $db->getEscaped($idu) . "'),
           ('" . $db->getEscaped($lists) . "', 'Last Name', '" . $db->getEscaped($last_name) . "', '" . $db->getEscaped($idu) . "')");
$db->query();


0

To answer your SQL question:

INSERT INTO `table` (foo, bar)
         VALUES (1, 2),
                (3, 4),
                (5, 6),
                (7, 8)

In regards to your PHP code, burn it and start over. It reeks of security issues and bad practices.

5 Comments

Uhm, which security issues?
@StackOverflowNewbie: XSS has nothing to do with databases.
Obvious direct DB insertion with $_POST data? You need to escape and bind variables if you are going to directly pipe them into the database in such a manner.
@Aleksey Korzun: where do you see direct insertion?? He sanitized the data with the $db->getEscaped() method, didn't he? And you're a little wrong: he needs to either escape or bind variables into a prepared statement.
Because we all know that if you use a framework's escape methods you will never get exploited. There is no chance of mistakes in current or future revisions of the framework. There is no chance of a middle-man attack overwriting that method within the package. And we also know that prepared statements are never needed if you are already escaping $_POST data. /sarcasm.
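The multi-row INSERT from the accepted answer combined with the bound parameters the comment thread argues for, as an added example that is not code from the question or either answer. It assumes a PDO connection instead of the Joomla $db object, and an explicit table name in place of the #__ prefix.

```php
<?php
// Added example: one INSERT with one "(?, ?, ?, ?)" group per form field.
// User data is only ever passed to execute(), never concatenated into SQL.
declare(strict_types=1);

/**
 * Insert one detail row per form field for a subscriber.
 *
 * @param PDO   $pdo          open connection (ERRMODE_EXCEPTION assumed)
 * @param int   $listId       IdList written to every row
 * @param int   $subscriberId IdSubscriber written to every row
 * @param array $fields       FieldName => FieldValue, e.g. ['First Name' => 'Ann']
 * @return int  number of rows inserted
 */
function insertSubscriberDetails(PDO $pdo, int $listId, int $subscriberId, array $fields): int
{
    if ($fields === []) {
        return 0;  // an empty VALUES list is a syntax error, so skip the query
    }
    $rowSql = implode(', ', array_fill(0, count($fields), '(?, ?, ?, ?)'));
    $sql = 'INSERT INTO rsmail_subscriber_details '          // table name assumed
         . '(`IdList`, `FieldName`, `FieldValue`, `IdSubscriber`) VALUES ' . $rowSql;

    $params = [];
    foreach ($fields as $name => $value) {
        array_push($params, $listId, $name, $value, $subscriberId);  // same order as the placeholders
    }

    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Usage with the question's form data; only known keys are read from $_POST.
$pdo = new PDO('mysql:host=localhost;dbname=joomla', 'user', 'pass', [  // credentials are placeholders
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);
$form   = $_POST['form'] ?? [];
$fields = [
    'First Name' => (string) ($form['first_name'] ?? ''),
    'Last Name'  => (string) ($form['last_name'] ?? ''),
];
$lists = (int) ($form['lists'][0] ?? 0);
$idu   = (int) $pdo->lastInsertId();   // id of the subscriber row inserted just before
insertSubscriberDetails($pdo, $lists, $idu, $fields);
```

Adding a third form field is then one more entry in $fields rather than another hand-written INSERT.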
