jargen Posted February 12, 2017

Hey guys, slightly lost on how to do this one. I'm trying to make a function which will insert data into a MySQL table. But I'm trying to make it universal, so I can use the same function for any part of the application, so there's only one MySQL query I need to secure, rather than hundreds across the entire site. I know how I can make it go to the right table and such; my problem is how do I make it add the array of values to insert, when I have no idea how long it will be? Struggling to find a clear method online.
Jacques1 Posted February 12, 2017

This is going to make your security worse, not better, because generating entirely dynamic queries is a nontrivial task which has failed many times even in big projects. My advice is: Just don't. If you find mysqli too cumbersome, switch to PDO.
jargen Posted February 12, 2017 (Author)

Quoting Jacques1: "This is going to make your security worse, not better, because generating entirely dynamic queries is a nontrivial task which has failed many times even in big projects. My advice is: Just don't. If you find mysqli too cumbersome, switch to PDO."

My concern is simply the fact that a new security feature will come out, or something which you are advised to add. Like when mysqli was added and prepared statements (compared to just using escape string before). I could have potentially hundreds of queries to lock down instead of one. What do you suggest in regards to that?
Jacques1 Posted February 12, 2017

mysqli was introduced 13(!) years ago, so it's not like they add a new feature every week. If you want your code to last many decades without ever being touched, web development isn't really the right industry. The best you can probably do right now is use PDO. It's a universal database interface which covers all mainstream SQL systems, so it won't go away anytime soon.
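For readers who still want a single insert helper after this exchange, here is an added example (my own code, not from either poster) of the shape that keeps Jacques1's objection in mind: every value goes through a PDO placeholder, and the table and column names, which placeholders cannot cover, are checked against a fixed allowlist before they are spliced into the query. The ALLOWED_COLUMNS map, the users table and the sample rows are assumptions made up for the demo; the database is an in-memory SQLite handle so the script runs stand-alone, but the helper is the same against a MySQL DSN.

```php
<?php
// Added example, not code from the thread: a generic INSERT helper that
// never builds SQL from untrusted strings. Values are bound through
// named placeholders; identifiers (table and column names) must come
// from the allowlist below, because a placeholder cannot stand in for
// an identifier.
declare(strict_types=1);

// Hypothetical schema allowlist for this demo: table => permitted columns.
const ALLOWED_COLUMNS = [
    'users'    => ['username', 'email', 'created_at'],
    'articles' => ['title', 'body', 'author_id'],
];

function insertRow(PDO $pdo, string $table, array $row): int
{
    if (!isset(ALLOWED_COLUMNS[$table])) {
        throw new InvalidArgumentException("Unknown table: $table");
    }
    if ($row === []) {
        throw new InvalidArgumentException('No columns given');
    }
    $columns = array_keys($row);
    $unknown = array_diff($columns, ALLOWED_COLUMNS[$table]);
    if ($unknown !== []) {
        throw new InvalidArgumentException(
            'Column(s) not allowed for ' . $table . ': ' . implode(', ', $unknown)
        );
    }

    // Identifiers are now known to be allowlisted names, so splicing them
    // into the query is safe. Backtick quoting is MySQL's style; SQLite
    // accepts it for compatibility. Values are placeholders only.
    $quotedCols   = implode(', ', array_map(fn(string $c): string => "`$c`", $columns));
    $placeholders = implode(', ', array_map(fn(string $c): string => ":$c", $columns));
    $sql = "INSERT INTO `$table` ($quotedCols) VALUES ($placeholders)";

    $stmt = $pdo->prepare($sql);
    foreach ($row as $col => $value) {
        $stmt->bindValue(":$col", $value);
    }
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// --- Demo against an in-memory SQLite database (stand-in for MySQL) ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Against MySQL you would also set PDO::ATTR_EMULATE_PREPARES to false so
// the server, not the driver, performs the parameter binding.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, created_at TEXT)');

// Constructed row: the username contains SQL syntax, but because it is a
// bound value it is stored as plain text and never parsed as SQL.
$id = insertRow($pdo, 'users', [
    'username'   => "o'brien'); DROP TABLE users; --",
    'email'      => 'example@example.invalid',
    'created_at' => '2017-02-12',
]);
echo "Inserted row $id\n";

$stored = $pdo->query('SELECT username FROM users')->fetchColumn();
echo "Stored username verbatim: $stored\n";

// A caller trying to write a column that is not in the allowlist is
// rejected before any SQL is built.
try {
    insertRow($pdo, 'users', ['username' => 'x', 'is_admin' => 1]);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

The allowlist is what makes this helper different from the fully dynamic version the thread warns against: the query text can only ever be assembled from names the developer wrote down, and everything supplied at runtime travels as a bound parameter. If the schema changes, the allowlist changes with it, which is the one place that needs review.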
jargen Posted February 12, 2017 (Author)

Thanks for all the help mate, just re-coded it to PDO.