我已经从互联网上复制并修改了一个脚本。该脚本最初从mysql表查询中删除了所选记录。我已修改脚本以使用insert into语句将所选记录插入到另一个表中。
我想知道如何将mysql数组中的所有选定记录插入到具有相同id的另一个表中。
逻辑与'orderdetails'表格相似。我希望订购的所有产品具有相同的订单号,以便它们共享一个共同的价值。
如何修改以下脚本以插入具有唯一编号的数组中的所有值?
<?php
mysql_connect("localhost", "user", "pass")or die("cannot connect");
mysql_select_db("db")or die("cannot select DB");
$sql="SELECT * FROM category";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
?>
<table width="400" border="0" cellspacing="1" cellpadding="0">
<tr><td><form name="form1" method="post">
<table width="400" border="0" cellpadding="3" cellspacing="1" bgcolor="#CCCCCC">
<tr><td bgcolor="#FFFFFF"> </td>
<td colspan="4" bgcolor="#FFFFFF"><strong>Insert multiple rows in mysql</strong></td></tr>
<tr><td align="center" bgcolor="#FFFFFF">#</td>
<td align="center" bgcolor="#FFFFFF"><strong>Category ID</strong></td>
<td align="center" bgcolor="#FFFFFF"><strong>Category</strong></td></tr>
<?php
while($rows=mysql_fetch_array($result)){
?>
<tr><td align="center" bgcolor="#FFFFFF"><input type="checkbox" name=check[] value="
<?php echo $rows['cat_id']; ?>"></td>
<td bgcolor="#FFFFFF"><?php echo $rows['cat_id']; ?></td>
<td bgcolor="#FFFFFF"><?php echo $rows['category']; ?></td></tr>
<?php
}
?>
<tr><td colspan="3" align="center" bgcolor="#FFFFFF"><input name="delete" type="submit" id="delete" value="Delete"></td></tr>
<?php
$check=$_POST['check'];
if($_REQUEST['delete']=='Delete'){
{
$sql="INSERT INTO category1 (cat_id,category)
SELECT cat_ID, category
FROM category
WHERE cat_id='$val'";
foreach($check as $key=>$value)
{
$sql="INSERT INTO category1 (cat_id,category)
SELECT cat_ID, category
FROM category
WHERE cat_id='$value'";
$final = mysql_query($sql);
if($final) {
echo "<meta http-equiv=\"refresh\" content=\"0;URL=php.php\">";
}
}
}
}
// Check if delete button active, start this
// if successful redirect to php.php
mysql_close();
?>
</table></form></td></tr></table>
答案 0 :(得分:1)
您的代码有几个问题:
A-您有SQL注入漏洞:使用mysql_real_escape_string()
B-您可能存在XSS漏洞:使用htmlspecialchars来逃避您回显的所有$ vars
C-当您仅使用字段select *时使用catID,category是完全废弃的。始终为您明确选择的字段命名。
请参阅:
How does the SQL injection from the "Bobby Tables" XKCD comic work?
What are the best practices for avoiding xss attacks in a PHP site
What is the reason not to use select *?
回答您的问题
我会使用类似
$check = $_POST['check'];
if (is_array($check)) {
//simple test to see if an array is multi-dimensional.
if (count($array) != count($array, COUNT_RECURSIVE))
{
//die("multidimensional array's are not allowed");
//insert code to reask the array, or work around the issue.
//you really should not use `die` in production code.
} else {
//escape what's inside the array, not the array itself.
$check = array_walk($check, 'mysql_real_escape_string');
$check = "'".implode("','",$check)."'"; //1,2,3 => '1','2','3'
} else { //not an array
$check = "'".mysql_real_escape_string($check)."'";
}
//Inserts all $check's in one go.
$sql = "INSERT INTO category1 (cat_id,category)
SELECT cat_ID, category
FROM category
WHERE cat_id IN ($check) "; //$check is already quoted.