How to use mysqli_real_escape_string with arrays ?

Question

sashiksu 0 Light Poster

6 Years Ago

Recently I'm trying to pass text boxes , radio buttons and checkboxes vaues to database. For that for the clear understanding I'll provide simple way of form.

<form method="post">
            <input type="text" name="KKK"><br>
            <input type="text" name="val[]"><br>
            <input type="text" name="val[]"><br>
            <input type="text" name="val[]"><br>
            <input type="radio" class="form-check-input" value="new" name="val[]">New
            <input type="radio" class="form-check-input" value="recondition" name="val[]">Reconditioned
            <input type="radio" class="form-check-input" value="used" name="val[]">Used<br>
            <select class="form-control" name="val[]">
                <option>Convertible</option>
                <option>Coupe / Sports</option>
                <option>Hatchback</option>
                <option>MPV</option><option>Saloon</option>
                <option>Station Wagon</option>
                <option>SUV / 4x4</option> 
            </select><br>

            <input type="submit" name="sub" value="send !">
        </form>

You see except first textbox other input elements' values should be pass through array. I echo those values without problem. So there is no error in form code. What I need is perform mysqli_real_escape_string function on 'val'. For that i used following php code snip..

<?php
        require('./exec/connect.php');
        if(isset($_POST['sub']))
        {

            $myarr[]=mysqli_real_escape_string($con,$_POST['val']);
            for($i=0; $i<5; $i++){
                //echo "The number is " . $_POST['val'][$i] . "<br>";

            }
        }
        ?>

In above I got error message saying that : Warning: mysqli_real_escape_string() expects parameter 2 to be string, array given

I really want to inspect code before it insert to database. I comented echo line because furthor I also wanted to help from you guys to insert read array to database as 6 rows.
Database table is structure is ID | values

html-css mysql php

2 Contributors
4 Replies
4K Views
6 Days Discussion Span
Latest Post 6 Years Ago Latest Post by alan.davies

alan.davies 185 What's this?

6 Years Ago

I'm assuming you mean this:

        if(isset($_POST['sub']))
        {
            $myarr[]=mysqli_real_escape_string($con,$_POST['val']);
            for($i=0; $i<5; $i++){
                //echo "The number is " . $_POST['val'][$i] . "<br>";
            }
        }

If I had to do it...

$cleanArray = [];
foreach( $_POST['val'] as $val )
    $cleanArray[] = mysqli_real_escape_string( $con, $val );
//check
print_r( $cleanArray );

sashiksu commented: great ! what happen if I use for loop instead foreach +1

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

alan.davies 185 What's this? · Answer 1 · 2018-07-11T14:33:30+00:00

Heed the warning. You've got val[] (array) as a name in your form so the resulting superglobals will also be an array. You can't sanitize an array like that. Your markup logic seems a little suspect. You shouldn't need to throw everything into an array like that. You may benefit from using prepared statements. This obviates the need for explicit sanitising.

sashiksu 0 Light Poster · Answer 2 · 2018-07-11T16:42:05+00:00

can you explain how to use above array in php ? I tried with many references like adding
[] to end of php variable and many ways. but nothing give correct respond :/

alan.davies 185 What's this? · Answer 3 · 2018-07-17T12:38:01+00:00

Do you need to limit yourself? OK:

$limit = 5;
$cleanArray = [];
for( $i = 0; $i < $limit; $i++ )
{
    if(isset($_POST['val'][$i])){
            $val = $_POST['val'][$i];
            $cleanArray[] = mysqli_real_escape_string( $con, $val );
    }
}   
//check
print_r( $cleanArray );

A disadvantage with this is that if you change the html (name), you will need to change this snippet too. Also if you use checkboxes and they are not checked, that data will not be sent so the number of val[] items posted to the server will be less than those printed in the form.
This can all get very messy very soon. Hence, my warning about using this type of approach.
Your radiobuttons would usually have a numeric value attached to the "value", e.g. the id of the item stored in the DB (are you using a DB?!). Anyway, your project, not mine.