Inserting contents of html table into database

WebMachine · June 23, 2012, 11:52pm

I have a form that consists of a 9 x 9 table in which each cell contains an input box. I want to gather the contents of all the input boxes and insert each one, along with its row # and column # into a database. I have a stripped down version of what I am trying to do below:

<?php
require_once('inc/connect_db.php');

if (ISSET($_POST['submit'])) {
		
	for ($i = 1; $i <= 9; $i++) {
		for ($j = 1; $j <= 9; $j++) {
			$contents = $_POST['contents[$i][$j]'];
			
			$cell_query = "INSERT INTO cells (row, column, contents)
			VALUES ('$i', '$j', '$contents') ";
			
			$cell_result = mysql_query($cell_query, $mysql_link);
		}
	}
?>

<!DOCTYPE html>

<html>

<head>
<title></title>
</head>

<body>
	<form name="newForm" method="post" action="sample.php">
		<table>
			<?php	
				for ($i=1; $i<=9; $i++) {
					print("<tr>");
					for ($j=1; $j<=9; $j++) {
						print("<td><input type=\\"text\\" class=\\"contents\\" name=\\"contents[[$i][$j]]\\" /></td>");	
					}						
				        print("</tr>");
				}
			?>
			</table>
			<input type="submit" name="submit" value="Enter Game Values" id="submit" />
		</form>	
	
</body>

</html>

There are no problems with inserting other data including the row and column numbers into the database. I just can’t figure out how to capture the grid of input values. Each input value is supposed to generate its own row in the database table.

Any suggestions? Am I on the right track?

frank1 · June 24, 2012, 12:28am

I didn’t get it.You are already capturing the data.(Ya model can be different but i think it will work)

One suggestion having 9x9 fields data entry form i bet your data entry operator will make mistakes in entry atleast 2 out of 4 times and verification after entry will be very time consuming so if possible divide the entry form.
Just a suggestion.

Thanks

chris_upjohn · June 24, 2012, 12:31am

From what i can tell the following is the problem.

$_POST['contents[COLOR=#ff0000][$i][$j][/COLOR]']

When you call an multidimensional array you need to call each index as a subsequent index for each step in the array that you go down, see the below code which does what you need.

$_POST['contents'][$i][$j]

WebMachine · June 24, 2012, 1:23am

Okay, that makes sense. But then in the form, how do I use the multi-dimensional array to pick up the values from my input boxes? I’m not sure what name to give the input box that will get the value and the two indices of the array element. I really don’t think the ‘name’ that I gave the box is right, but I wasn’t sure what else to do.

I know with checkboxes, you can give a name that is an array, such as name = =“item”. But how would that apply to a two-dimensional array?

By the way, I am trying to code a sudoku game just for fun, so there will be no data entry operator. This code is just part of the code I have to set up a game initially.

…

I changed the ‘name’ to the format you suggested also, and it works. I didn’t realize you could use that syntax in the html part of the form also. Thank you very much.

Serenarules · June 26, 2012, 5:20am

This…

$contents = $_POST['contents[$i][$j]'];

…should probably be…

$contents = $_POST['contents'][$i][$j];

…and this…

name=\\"contents[[$i][$j]]\\"

…should probably be…

name=\\"contents[$i][$j]\\"

In addition, I would probaly code the transaction like this…


$cell_query = "INSERT INTO cells (row, column, contents) VALUES ('%d', '%d', '%s') ";
$compiled_cell_query = sprintf($cell_query, $i, $j, $contents);
$cell_result = mysql_query($compiled_cell_query, $mysql_link);

…hope it helps.

WebMachine · June 26, 2012, 10:40am

Thanks, I got it working now. But could you please explain to me your line $compiled_cell_query …

It’s these finer points of php that I’m not sure of yet. Why did you use sprintf here?

Serenarules · June 26, 2012, 3:24pm

Sure. I suggested it just so you would ask this question.

SQL injection is when somebody inputs a malformed value into a form submission box on a webpage, knowing that the data will be send through an sql statement. Usually done in such a way as to destroy, or cause havoc with a website. To be fair, my example was a bit incomplete. It was late and I was tired.

Consider:


// simulate a form posted value
$searchCriteria = "bob";

// asssemble a query
$sql = "select * from people where name = $searchCriteria";

While the above will work, consider the alternative:


// simulate a form posted value
$searchCriteria = "bob; drop table people";

// asssemble a query
$sql = "select * from people where name = $searchCriteria";

The ; character delimits sequential sql statements. The user just deleted your people table.

sprintf alone will not handle all situations. I used it to get your attention. The sprintf syntax %d, for example, doesn’t just substitute values in, it casts them, so the value ‘1; drop table people’ becomes merely ‘1’, a decimal. It doesn’t do anything really for strings though. For strings, you’ll need to run them through mysql_real_escape_string() before combining them with the query. If your needs are simple, this is usually enough. But as you grow, or your needs change (say mysql to sqlite) you may find an abstraction layer more to your liking. I would take a look at the PDO extension. I was recently introduced to this myself, and am in the process today of recoding some of my core classes to use it.

WebMachine · June 26, 2012, 3:38pm

Thanks for the excellent explanation. I only know the basics of sql injection, so that was very helpful. I took a couple of classes in php where we were taught to use addslashes and stripslashes to avoid sql injection, but I guess that was pretty simplistic and doesn’t always do the trick.