doulu4413 2013-12-13 21:19
浏览 72
已采纳

MSSQL:带有PHP数组的多个INSERT并回显数据

I have a form with the following structure:

<input type="text" name="projNo[1]" id="projNo[1]" value="<?php echo $row['ProjNo'
[1];>"
/>
<input type="text" name="projBudget[1]" id="projBudget[1]" value="<?php echo
$row['ProjBudget'][1]; ?>" />
<input type="text" name="projDateFrom[1]" id="projDateFrom[1]" value="<?php echo
$row['ProjDateFrom'][1]; ?>" />
<input type="text" name="projDateTo[1]" id="projDateTo[1]" value="<?php echo 
$row['ProjDateTo'][1]; ?>" />

<input type="text" name="projNo[2]" id="projNo[2]" value="<?php echo $row['ProjNo'
[2];>"
/>
<input type="text" name="projBudget[2]" id="projBudget[2]" value="<?php echo
$row['ProjBudget'][2]; ?>" />
<input type="text" name="projDateFrom[2]" id="projDateFrom[2]" value="<?php echo
$row['ProjDateFrom'][2]; ?>" />
<input type="text" name="projDateTo[2]" id="projDateTo[2]" value="<?php echo 
$row['ProjDateTo'][2]; ?>" />

There are two more groups like this with indexes 3 and 4. Upon submit, four separate records must be created in the DB if the user has filled in all four lines. My question is twofold: How would I structure my query to accomplish this? And: Have I set up my code correctly? When the form is loaded, I would like the correct output to be displayed. I've never been confronted with a request like this before, so I'm flying a bit blind.

  • 写回答

1条回答 默认 最新

  • doumie7914 2013-12-13 21:32
    关注

    Use PDO and prepared statements. Prepare a statement like this:

    $s = $db->prepare('INSERT INTO PROJECT (no, budget, from, to) VALUES (?,?,?,?)')

    Execute the statement for each set like this:

    for ($i = 1; $i<=4; $i++) {
    $s->execute(array($projNo[$i], $projBudget[$i], $projDateFrom[$i], $projDateTo[$i]));
}

    (You need to add error checking and validation. This includes something that loads the stuff from $_POST to the arrays I used in the above example.)

    Currently, you have a XSS security issue in your code. You cannot just echo stuff that comes from the user - you need to escape it. If you are putting it inside HTML, including double-quoted attribute values like in your case, use echo htmlspecialchars($_GET[...]);.

    You may want to create a "htmlout" function that does nothing else than echo htmlspecialchars, just to have a nicer, easier-to-write name for it, and use it everywhere. That way, you can search your code for instances of "echo", and unless you have protected them otherwise, this indicates you probably need to add some escaping.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 CST仿真别人的模型结果仿真结果S参数完全不对
  • ¥15 误删注册表文件致win10无法开启
  • ¥15 请问在阿里云服务器中怎么利用数据库制作网站
  • ¥60 ESP32怎么烧录自启动程序
  • ¥50 html2canvas超出滚动条不显示
  • ¥15 java业务性能问题求解(sql,业务设计相关)
  • ¥15 52810 尾椎c三个a 写蓝牙地址
  • ¥15 elmos524.33 eeprom的读写问题
  • ¥15 用ADS设计一款的射频功率放大器
  • ¥15 怎么求交点连线的理论解?