I'm trying to create a script to use PDO prepared statements to enter data from a post form using functions to perform the PDO required statements. But, it's not working. When I execute it, it enters null in all the fields.
I'm hoping someone can tell me why this is not working.
I think the functions output what PDO is looking for.
I'm not sure how to do this otherwise without writing a lot of code like
$site_name= $_POST['site_name'];
and entering all of that in the PDO statments. It seemed like it made sense to create the statements from the post array.
My code is included below and after that is some output I used to monitor what is going on that shows the output of the functions in the script.
Am I doing this all wrong. Is another approach that I haven't discovered?
Thanks
--Kenoli
<?php
if(isset($_POST['submit'])){
/** Establish DB connection. Not real data, of course. */
$conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
// set the PDO error mode to exception
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
/** Remove empty $_POST elements. */
$insert_array = array_filter($_POST);
/** Whitelists input to identify columns to which changes are allowed */
$whitelist = array('site_name' =>'', 'site_address' =>'', 'description' =>'', 'surface' =>'', 'tio_contact' =>'', 'site_contact' =>'', 'contact_phone' =>'', 'contact_email' =>'', 'contact_date' =>'', 'comments' =>'');
$insert_array = array_intersect_key($insert_array,$whitelist);
/************/
/** Create query from $insert_array. */
foreach($insert_array as $key => $value) {
$col .= $key . ', ';
$val .= ':' .$key . ', ';
}
/** Remove ', " from end of each array. */
/* For use with update actions to prevent deleting data from fields that contain data. */
$col = substr_replace($col ,"",-2);
$val = substr_replace($val ,"",-2);
$sql = "INSERT INTO Sites ($col) VALUES ($val)";
/* The result is: INSERT INTO Sites (site_name, site_address, description, contact_phone) VALUES (:site_name, :site_address, :description, :contact_phone)*/
/************/
/** Prepared statement functions */
$stmt = $conn->prepare($sql);
foreach($insert_array as $key => $value) {
$param = ':' . $key;
$stmt->bindParam($param, $$value);
echo '$' . "stmt->bindParam($param, $$key)<br>"; // Monitor output
}
foreach($insert_array as $key => $value) {
$$key = $value;
echo "$$key = $value<br>"; // Monitor output
}
$stmt->execute(); // Execute insert
?>
The result with dummy data:
$insert_array
(
[site_name] => asdfasdf
[site_address] => Asdffads
[description] => Asdfs
[contact_phone] => Asdfsdaf
)
Here is the prepared statement:
INSERT INTO Sites (site_name, site_address, description, contact_phone) VALUES (:site_name, :site_address, :description, :contact_phone)
$stmt->bindParam(:site_name, $site_name)
$stmt->bindParam(:site_address, $site_address)
$stmt->bindParam(:description, $description)
$stmt->bindParam(:contact_phone, $contact_phone)
$site_name = asdfasdf
$site_address = Asdffads
$description = Asdfs
$contact_phone = Asdfsdaf
Everything looks right but NULLs are inserted in all fields.
