send array[] from php to mysql

[unasemana]

im working on a project but first i would to understand one thing.

i have 2 input type text field with name="firstname[]" as an array (in the example im working with no jquery but it will be generated dinamically with it) and cant make it to mysql.

here is what i have: index.php

<html>

<body>


<form action="insert.php" method="post">

Firstname: <input type="text" name="firstname[]"> <br>

Firstname 2: <input type="text" name="firstname[]">

<input type="submit">

</form>


</body>

</html>

insert.php

<?php

$con=mysqli_connect("localhost","inputmultiplicad","inputmultiplicado","inputmultiplicado");

// Check connection

if (mysqli_connect_errno())

{

echo "Failed to connect to MySQL: " . mysqli_connect_error();

}





$sql="INSERT INTO input_field (firstname)

VALUES

('$_POST[firstname]')";


if (!mysqli_query($con,$sql))

{

die('Error: ' . mysqli_error($con));

}

echo "1 record added";


mysqli_close($con);

?>

the question is: how can i send the firstname[] array to the mysql database?

[ginerjm]

First you need to sanitized/validate your input before attempting to place it in your db.

To extract the array values from your POST array:

 

$values = '';
foreach($_POST['firstname'] as $nm)
{
   if ($values == '')
       $values .= "VALUE ('$nm')";
   else
        $values .= ",('$nm')";
}

 

Then modify your query statement to use $values in place of your existing values, etc. 

Edited March 6, 2014 by ginerjm

[unasemana]

will read it and try to understand what you wrote...thanks for your replay 

[ginerjm]

oops - just noticed a typo.  The keyword in my code should be 'VALUES' not 'VALUE'

[sKunKbad]

If you want to store the firstnames as an array, you can use php's serialize function. This isn't recommended though. Ideally you would adhere to best practices concerning database normalization.

[Psycho]

No need to loop through the array. Here's an easier solution - but I added a lot of validation logic as well:

//Run array_map() with trim to trim all the values
//Use array_filter() to remove empty values
$firstnames = array_filter(array_map('trim', $_POST['firstname']));
 
if(!count($firstnames))
{
    echo "No data to insert";
}
else
{
    //Connect to DB
    $con=mysqli_connect("localhost","inputmultiplicad","inputmultiplicado","inputmultiplicado");
    if (mysqli_connect_errno())
    {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }
    //Use array_map() with mysql_real_escape_string() to sanitize values
    $firstnamesSQL = array_map('mysql_real_escape_string', $firstnames);
    //Implode the values into a string for the query
    $values = "('" . implode("'), ('", $firstnames) . "')";
    $sql = "INSERT INTO input_field (firstname) VALUES {$values}";
    if (!mysqli_query($con, $sql))
    {
        die('Error: ' . mysqli_error($con));
    }
    //Output success message
    echo count($firstnames) . " record(s) added";
    //Close DB connection
    mysqli_close($con);
?>

EDIT: I just noticed you are using mysqli - so you can't use mysql_real_escape_string and I don't think there is a comparable function for mysqli. You should instead use a prepared statement and insert each record individually. Prepared statements will alleviate a lot of the overhead with running queries in loops. Although, if you would be running hundreds of record at once even that needs to be considered.

Edited March 6, 2014 by Psycho

[QuickOldCar]

EDIT: I just noticed you are using mysqli - so you can't use mysql_real_escape_string and I don't think there is a comparable function for mysqli. You should instead use a prepared statement and insert each record individually. Prepared statements will alleviate a lot of the overhead with running queries in loops. Although, if you would be running hundreds of record at once even that needs to be considered.

 

mysqli_real_escape_string

[unasemana]

hi, thanks for your response,

 

I made it: this is working.

 

 

Why do you dont like serialize sKunBad?

 

What do you mean by : "prepared statement and insert each record individually" ? Pyscho

 

thanks for your asnwers

<?php
$con=mysqli_connect("localhost","inputmultiplicad","inputmultiplicado","inputmultiplicado");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }
  
  


  
  


$data= $_POST['firstname'];
$values= serialize($data);
  
$sql="INSERT INTO input_field (firstname)
VALUES
('$values')";




if (!mysqli_query($con,$sql))
  {
  die('Error: ' . mysqli_error($con));
  }
echo "1 record added";


mysqli_close($con);
?>

[Psycho]

@quickoldcar,

 

Thanks for the heads up ont he mysqli version of real_escape_string. I've been using PDO and when I did a search on php.net for "mysqli_real" it didn't find that function (but it does if I use "mysqli real" - no underscore).

 

 

 

What do you mean by : "prepared statement and insert each record individually" ? Pyscho

 

Prepared statements is a different way of constructing and executing queries which adds a lot of benefits. For example, when using a prepared statement properly you do not need to escape the data to prevent SQL Injection. Plus, if you use a 'prepared' query it can be reused without much of the overhead in running the query the first time. The database does some processing of a query before it is run. With a prepared statement it does that operation once and you can pass different variable to run the query again without the same overhead. I'll admit I don't really understand all of the details - and don't care to. But, prepared statements is definitely the right way to go. But, it will take some relearning and is not something anyone could cover in a forum post. You can do a search for some tutorials or guides. Then if you run into problems post back here.

[unasemana]

thank you all for your help

 

will read about prepared statements

 

thanks again