
php/mysql code help

Started by The Wizard, April 30, 2017, 11:34:49 AM


The Wizard

Hello:

I have been away for a long time (real life stuff), and have forgotten  a lot of what I learned of php/mysql.
Below is the code I have been working on, and was hoping if someone could have a look at it and help make it smoother.
The code works I just know it could be better written.

Thanks

Wizard

<?php
// Server Info (the short "<?" open tag in the post is disabled on most PHP builds; "<?php" always works)
   $servername   = "localhost";
   $username   = "username";
   $password           = "password";
   $dbname      = "dbname";

// Gets Guide Input Info and removes troubling apostrophes
   $series_name      = str_replace("'", " ", $_POST['series_name']);
   $number_of_series   = str_replace("'", " ", $_POST['number_of_series']);
   $series_airdate      = str_replace("'", " ", $_POST['series_airdate']);
   $number_of_movies   = str_replace("'", " ", $_POST['number_of_movies']);
   $banner_url      = str_replace("'", " ", $_POST['banner_url']);
   $premise         = str_replace("'", " ", $_POST['premise']);

   $actors_name_1      = str_replace("'", " ", $_POST['actors_name_1']);
   $actors_name_2      = str_replace("'", " ", $_POST['actors_name_2']);
   $actors_name_3      = str_replace("'", " ", $_POST['actors_name_3']);
   $actors_name_4      = str_replace("'", " ", $_POST['actors_name_4']);
   $actors_name_5      = str_replace("'", " ", $_POST['actors_name_5']);
   $actors_name_6      = str_replace("'", " ", $_POST['actors_name_6']);
   $actors_name_7      = str_replace("'", " ", $_POST['actors_name_7']);
   $actors_name_8      = str_replace("'", " ", $_POST['actors_name_8']);
   $actors_name_9      = str_replace("'", " ", $_POST['actors_name_9']);
   $actors_name_10      = str_replace("'", " ", $_POST['actors_name_10']);

   $character_name_1   = str_replace("'", " ", $_POST['character_name_1']);
   $character_name_2   = str_replace("'", " ", $_POST['character_name_2']);
   $character_name_3   = str_replace("'", " ", $_POST['character_name_3']);
   $character_name_4   = str_replace("'", " ", $_POST['character_name_4']);
   $character_name_5   = str_replace("'", " ", $_POST['character_name_5']);
   $character_name_6   = str_replace("'", " ", $_POST['character_name_6']);
   $character_name_7   = str_replace("'", " ", $_POST['character_name_7']);
   $character_name_8   = str_replace("'", " ", $_POST['character_name_8']);
   $character_name_9   = str_replace("'", " ", $_POST['character_name_9']);
   $character_name_10   = str_replace("'", " ", $_POST['character_name_10']);

// Create connection
   $conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
   if ($conn->connect_error) {
      die("Connection failed: " . $conn->connect_error);
   }

   $sql = "INSERT INTO EPGuide.Series (
         id, series_name,
         number_of_series, series_airdate,
         number_of_movies, banner_url,
         character_name_1, actors_name_1,
         character_name_2, actors_name_2,
         character_name_3, actors_name_3,
         character_name_4, actors_name_4,
         character_name_5, actors_name_5,
         character_name_6, actors_name_6,
         character_name_7, actors_name_7,
         character_name_8, actors_name_8,
         character_name_9, actors_name_9,
         character_name_10, actors_name_10,
         premise)
         VALUES (NULL, '$series_name',
         '$number_of_series', '$series_airdate',
         '$number_of_movies', '$banner_url',
         '$character_name_1', '$actors_name_1',
         '$character_name_2', '$actors_name_2',
         '$character_name_3', '$actors_name_3',
         '$character_name_4', '$actors_name_4',
         '$character_name_5', '$actors_name_5',
         '$character_name_6', '$actors_name_6',
         '$character_name_7', '$actors_name_7',
         '$character_name_8', '$actors_name_8',
         '$character_name_9', '$actors_name_9',
         '$character_name_10', '$actors_name_10',
         '$premise');";

if ($conn->query($sql) === TRUE) {
    echo "New record created successfully";
} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
}

$conn->close();

?>

Colin

"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Colin

forumfan32

You should be using prepared statements, as you are extremely susceptible to SQL injection. Also, I don't understand the reason for so many str_replaces. What does "troubling apostrophes" mean? If it is necessary, why isn't it in a for loop? It would make the code more concise.

Arantor

The prepared statements would fix the "troubling apostrophes" problem automatically.

Also a loop isn't ideal here because it's all going into one row in the database, which is hard to build correct queries without the troubling apostrophes. But that would also veer toward having a stronger schema in the first place...
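For comparison, here is what the posted INSERT looks like when it is done with a mysqli prepared statement, as Arantor and forumfan32 suggest. This is an added example, not code from The Wizard or from either reply. It assumes the table EPGuide.Series with the column names from the original post (id being auto-increment), PHP 7.1 or later, and $_POST as the input source; the column allowlist, the length cap and the helper names are mine. The data travels to MySQL separately from the SQL text, so an apostrophe, a backslash or anything else in the input can no longer alter the query, and the twenty-six str_replace() calls disappear.

```php
<?php
// Added example (not from the original post): the same INSERT done with a
// mysqli prepared statement, so user input never becomes part of the SQL text.
// Assumptions: table EPGuide.Series with the columns named in the post,
// PHP 7.1+ (argument unpacking for bind_param), mbstring enabled, $_POST input.

declare(strict_types=1);

// Throw mysqli_sql_exception instead of returning false and leaving $conn->error to be checked.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Column names in the order the INSERT lists them. Only names from this fixed
// list ever reach the SQL, so the column list cannot be influenced by input.
function seriesColumns(): array
{
    $cols = ['series_name', 'number_of_series', 'series_airdate', 'number_of_movies', 'banner_url'];
    for ($i = 1; $i <= 10; $i++) {
        $cols[] = "character_name_$i";
        $cols[] = "actors_name_$i";
    }
    $cols[] = 'premise';
    return $cols;
}

// Pull the values out of the request in column order. A missing or non-string
// field becomes '' instead of raising an "undefined index" notice, and each
// value is capped at $maxLen characters (the cap is an assumed sanity limit).
function collectInput(array $post, array $cols, int $maxLen = 2000): array
{
    $values = [];
    foreach ($cols as $c) {
        $v = (isset($post[$c]) && is_string($post[$c])) ? $post[$c] : '';
        $values[] = mb_substr(trim($v), 0, $maxLen);
    }
    return $values;
}

// Insert one row and return its auto-increment id.
function insertSeries(mysqli $conn, array $post): int
{
    $cols   = seriesColumns();
    $values = collectInput($post, $cols);

    // The SQL text contains only fixed column names and "?" placeholders.
    $sql = sprintf(
        'INSERT INTO EPGuide.Series (%s) VALUES (%s)',
        implode(', ', $cols),
        implode(', ', array_fill(0, count($cols), '?'))
    );

    $stmt = $conn->prepare($sql);
    // One 's' per placeholder; values are sent as strings and MySQL coerces
    // them for the numeric columns, or rejects them if they are not numeric.
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $stmt->execute();
    $id = (int) $conn->insert_id;
    $stmt->close();
    return $id;
}

// Usage, mirroring the connection details in the post.
$conn = new mysqli('localhost', 'username', 'password', 'dbname');
$conn->set_charset('utf8mb4'); // the client charset also governs escaping, so set it explicitly
try {
    $id = insertSeries($conn, $_POST);
    echo "New record created successfully (id $id)";
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage());               // keep the detail in the server log
    echo 'Error: could not save the record';   // never echo $sql or $conn->error to the browser
} finally {
    $conn->close();
}
```

Two things worth noticing beyond the placeholders themselves. The original echoes the failed $sql and $conn->error back to the visitor, which hands an attacker the exact table layout and the reason a query failed; logging it server-side and returning a generic message keeps that information in-house. And calling set_charset() on the connection matters whenever any escaping is involved, because mysqli's escaping is charset-aware, so the charset should be set on the connection rather than left to the server default.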

forumfan32

Quote from: Arantor on June 29, 2017, 04:18:33 PM
The prepared statements would fix the "troubling apostrophes" problem automatically.

Also a loop isn't ideal here because it's all going into one row in the database, which is hard to build correct queries without the troubling apostrophes. But that would also veer toward having a stronger schema in the first place...

Was really only talking about the str_replace part where the variables are set, even though I didn't understand its purpose. Of course database queries should certainly not be in loops. The less database lookups the better.

Arantor

He has all the str_replaces because of (and for no reason other than) not using prepared statements to get around the 'issues' of using bare data in SQL.

forumfan32

Ah ok, that makes sense. I was confused because I haven't seen non-prepared statements in years. Hopefully OP knows how to use them correctly. Let me know if not, The Wizard.
