about mysql query in php

Question

I was wondering if its possible to use multiple insert query in a single php code. Like when I clicked the save button. My php code will perform multiple insertion on a same table? Is it possible?

Example: tb_people with field 'id','name'

I have 3 name inputs that I need to put a value if a click the save button it will save?

Example code:

<?php
  if(isset($_POST['save']))
  {
    $name1 = $_POST['name1'];
    $name2 = $_POST['name2'];
    $name3 = $_POST['name3'];
    mysql_query("INSERT into tb_people(name) VALUES ('$name1')");
    mysql_query("INSERT into tb_people(name) VALUES ('$name2')");
    mysql_query("INSERT into tb_people(name) VALUES ('$name2')");
  }
?>

Is this possible? I'm curios cause im planning to use this kind of idea.

... yes it's possible, `VALUES ('$name1'), ('$name2'), ('$name3')` — naththedeveloper, Jan 24 '14 at 16:03
Yes it is possible. As an added bonus, you can actually do all that with a single insert query. Read the MySQL documentation here for syntax on how to insert multiple sets of values at once - http://dev.mysql.com/doc/refman/5.6/en/insert.html — Mike Brant, Jan 24 '14 at 16:04
This code is very insecure. What would happen if my name was `'); DROP TABLE tb_people; -- `? — gen_Eric, Jan 24 '14 at 16:09

score 2 · Answer 1 · edited Feb 08 '17 at 14:07

Yes. But learn more about MySQL before using it.

$name1 = mysql_real_escape_string($_POST['name1']);
$name2 = mysql_real_escape_string($_POST['name2']);
$name3 = mysql_real_escape_string($_POST['name3']);
mysql_query("INSERT INTO `tb_people` (`name`) VALUES ('$name1'), ('$name2'), ('$name3');");

xkcd
> xkcd

You can even do this:

HTML:

<input type="text" name="name[]" />
Repeat the above as many times as you like - you can even add more with JavaScript!

PHP:

$toinsert = array_map(function($n) {
    return "('".mysql_real_escape_string($n)."')";
},$_POST['name']);
mysql_query("INSERT INTO `tb_people` (`name`) VALUES ".implode(", ",$toinsert));

MySQL is very powerful. Try doing that with a prepared query!

PS. If, like me, you think mysql_real_escape_string is a fuckton to type each time...

function dbesc($n) {return mysql_real_escape_string($n);}

I can do that with a prepared query: http://pastebin.com/3k7YYJur Not pretty, but it's possible. — gen_Eric, Jan 24 '14 at 16:14

score 0 · Answer 2 · answered Jan 24 '14 at 16:03

0

Yes, this is possible.

All this is doing is calling 3 mysql queries to the database.

Your code example should work perfectly fine for that as well.

answered Jan 24 '14 at 16:03

vxstorm

173
1
15

Dulitha K · Accepted Answer · 2014-10-30T04:45:47.773

-1

Your code should work. It is better to have some protection against SQL injection as below.

I have changed addslashes to mysql_real_escape_string. So now it should be alright.

$name1 = mysql_real_escape_string($_POST['name1']); $name2 = mysql_real_escape_string($_POST['name2']); $name3 = mysql_real_escape_string($_POST['name3']); mysql_query("INSERT INTO tb_people (name) VALUES ('$name1'), ('$name2'), ('$name3');");

edited Oct 30 '14 at 04:45

answered Jan 24 '14 at 16:16

Dulitha K

2,038
1
19
18

2

`addslashes` is *not* a safe way to prevent SQL injection at all. **Please** read the docs: http://php.net/addslashes – gen_Eric Jan 24 '14 at 16:21
Please also see: http://stackoverflow.com/q/860954 – gen_Eric Jan 24 '14 at 16:27
@RocketHazmat, The mysql_real_escape_string extension is deprecated as of PHP 5.5.0, and will be removed in the future as http://php.net/mysql_real_escape_string. Other options are mysqli_real_escape_string() and PDO::quote(). – Dulitha K Jan 24 '14 at 16:28
1

The best option here would be prepared statements. – gen_Eric Jan 24 '14 at 16:31
@RocketHazmat Great advice. I appreciate. Thanks. – Dulitha K Jan 24 '14 at 16:33

about mysql query in php

3 Answers3