An7hony, posted August 21, 2013

```php
<?php
$count = 0;
$query2 = "SELECT EventFees_id, EventFees_item, EventFees_fee, EventFees_event FROM EventFees WHERE EventFees_event = '{$_GET['id']}'";
$result2 = mysql_query($query2) or die(mysql_error());
while (list($EventFees_id, $EventFees_item, $EventFees_fee, $EventFees_event) = mysql_fetch_array($result2, MYSQL_NUM)) {
    // strip spaces from the item name so it matches the POST field name
    $EventFees_item2 = str_replace(' ', '', $EventFees_item);
    $EventFees_item_qty = mysql_real_escape_string($_POST[$EventFees_item2 = str_replace(' ', '', $EventFees_item)]);
    $merchData = array($EventFees_item2 => $EventFees_item_qty);
    ++$count;
}
$fields = '';
foreach ($merchData as $col => $val) {
    if ($count++ != 0) $fields .= ', ';
    $col = mysql_real_escape_string($col);
    $val = mysql_real_escape_string($val);
    $fields .= "`$col` = $val";
}
$query = "INSERT INTO `EventSignUps` SET ordered_dateStamp = NOW(), people_id = $people_id, event_id = $event_id, event_total = $event_total, order_auth = '1', payment_type = $payment_type, $fields;";
?>
```

produces:

```sql
INSERT INTO `EventSignUps` SET ordered_dateStamp = NOW(), people_id = , event_id = 9, event_total = , order_auth = '1', payment_type = , , `Runners` = ;
```

I need `$merchData = array($EventFees_item2=>$EventFees_item_qty);` to provide 2 records. Currently it's only showing results for 1. It should look like:

```sql
INSERT INTO `EventSignUps` SET ordered_dateStamp = NOW(), people_id = , event_id = 9, event_total = , order_auth = '1', payment_type = , `Walkers` = , `Runners` = ;
```

I'm going somewhere wrong in the while loop. It's counting 2, but only showing results for 1?
An7hony (author), posted August 21, 2013 (edited)

If I change `$merchData` to `$merchData[]`:

```php
$merchData[] = array($EventFees_item2 => $EventFees_item_qty);
```

and then:

```php
$fields = '';
$merchData = $merchData[0];
foreach ($merchData as $col => $val) {
    if ($count++ != 0) $fields .= ', ';
    $fields .= "`$col` = $val";
}
++$count;
```

I get

```sql
INSERT INTO `EventSignUps` SET ordered_dateStamp = NOW(), people_id = , event_id = 9, event_total = , order_auth = '1', payment_type = , `Ridders` = ;
```

If I change it to `$merchData = $merchData[1];` I get

```sql
INSERT INTO `EventSignUps` SET ordered_dateStamp = NOW(), people_id = , event_id = 9, event_total = , order_auth = '1', payment_type = , `Walkers` = ;
```

Does anyone know how to get

```sql
INSERT INTO `EventSignUps` SET ordered_dateStamp = NOW(), people_id = , event_id = 9, event_total = , order_auth = '1', payment_type = , `Walkers` =, `Ridders` = ;
```

Edited August 21, 2013 by An7hony
kicken, posted August 21, 2013 (marked as solution)

Change

```php
$merchData = array($EventFees_item2 => $EventFees_item_qty);
```

to

```php
$merchData[$EventFees_item2] = $EventFees_item_qty;
```
wwwroth, posted August 21, 2013 (edited)

You're not sanitizing your database queries. Look at your first query, where you insert a `$_GET` variable right into the SQL string. That means anything a user puts in that URL parameter goes right into your database. This can be devastating. Read more about it at the link below, and here's how to solve that problem. Instead of...

```php
$query2 = "SELECT EventFees_id, EventFees_item, EventFees_fee, EventFees_event FROM EventFees WHERE EventFees_event = '{$_GET['id']}'";
```

Make it...

```php
$idUrl = mysql_real_escape_string($_GET['id']);
$query2 = "SELECT EventFees_id, EventFees_item, EventFees_fee, EventFees_event FROM EventFees WHERE EventFees_event = '{$idUrl}'";
```

http://php.net/manual/en/security.database.sql-injection.php

Edited August 21, 2013 by wwwroth
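As an added example (not code from anyone in this thread), here is the same fetch-and-insert flow using PDO prepared statements instead of the `mysql_*` functions: the event id and every quantity are bound parameters, and the only interpolated pieces are column names that come from the `EventFees` rows and are validated before use. It assumes a `$pdo` connection and the same `$people_id`, `$event_id`, `$event_total` and `$payment_type` variables as the original post.

```php
<?php
// Added example, not from the thread. Assumes $pdo (PDO), $people_id, $event_id,
// $event_total and $payment_type already exist, and the thread's two tables.

// 1. Fetch the fee items for this event; the id is bound, never interpolated.
$stmt = $pdo->prepare('SELECT EventFees_item FROM EventFees WHERE EventFees_event = :event_id');
$stmt->execute([':event_id' => (int) $_GET['id']]);

// 2. Accumulate one key per row. The original assigned a fresh array each
//    iteration, which is why only the last item survived the loop.
$merchData = [];
foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $item) {
    $col = str_replace(' ', '', $item);                 // e.g. "Walkers", "Runners"
    $merchData[$col] = isset($_POST[$col]) ? (int) $_POST[$col] : 0;
}

// 3. Build the INSERT. Identifiers cannot be bound as parameters, so each column
//    name is checked against a strict pattern and backtick-quoted; values are bound.
function buildSignUpInsert(array $merchData, array $base): array
{
    $params = [
        ':people_id'    => $base['people_id'],
        ':event_id'     => $base['event_id'],
        ':event_total'  => $base['event_total'],
        ':payment_type' => $base['payment_type'],
    ];
    $set = [];
    $i = 0;
    foreach ($merchData as $col => $qty) {
        if (!preg_match('/^[A-Za-z0-9_]+$/', $col)) {
            continue;                                   // skip anything that is not a plain identifier
        }
        $ph = ':m' . $i++;                              // numbered placeholder, independent of $col
        $set[] = '`' . $col . '` = ' . $ph;
        $params[$ph] = $qty;
    }
    $sql = 'INSERT INTO `EventSignUps` SET ordered_dateStamp = NOW(), '
         . 'people_id = :people_id, event_id = :event_id, event_total = :event_total, '
         . "order_auth = '1', payment_type = :payment_type"
         . ($set ? ', ' . implode(', ', $set) : '');
    return [$sql, $params];
}

[$sql, $params] = buildSignUpInsert($merchData, [
    'people_id'    => $people_id,
    'event_id'     => $event_id,
    'event_total'  => $event_total,
    'payment_type' => $payment_type,
]);
$pdo->prepare($sql)->execute($params);
```

With two fee rows the generated statement ends in `` `Walkers` = :m0, `Runners` = :m1 `` and the quantities travel separately as bound values, so a crafted quantity or URL id cannot alter the query text.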
An7hony (author), posted August 25, 2013

Brilliant. Made my day!