-2

I have a form with multiple input fields with the same name. When I send this form I get an error. Parse error: syntax error, unexpected '=>' (T_DOUBLE_ARROW), expecting ')' in.

  <input type="text" name="keuze[]">
  <input type="text" name="prijs[]">
  <input type="text" name="cent[]">


  foreach (array_combine($_POST['keuze'], $_POST['prijs'], $_POST['cent']) as $keuze => $prijs => $cent) {

 $price = $prijs.".".$cent;

 $query = "INSERT INTO res_sub_menu (
 name,
 price,
 owner) VALUES 
 (
 '$keuze',
 '$price',
 '$session->u_id'
 )";

 }
Jenz

3 Answers

1

Instead of

foreach (array_combine($_POST['keuze'], $_POST['prijs'], $_POST['cent']) as $keuze => $prijs => $cent) {

Use PHP's MultipleIterator

$mi = new MultipleIterator();
$mi->attachIterator(new ArrayIterator($_POST['keuze']));
$mi->attachIterator(new ArrayIterator($_POST['prijs']));
$mi->attachIterator(new ArrayIterator($_POST['cent']));
foreach($mi as list($keuze, $prijs, $cent)) {
    // ...
}

If it complains about the use of list($keuze, $prijs, $cent) in the foreach() (which requires PHP >= 5.5.0), then you can use

$mi = new MultipleIterator(MultipleIterator::MIT_KEYS_ASSOC);
$mi->attachIterator(new ArrayIterator($_POST['keuze']), 'keuze');
$mi->attachIterator(new ArrayIterator($_POST['prijs']), 'prijs');
$mi->attachIterator(new ArrayIterator($_POST['cent']), 'cent');
foreach($mi as $details) {
    extract($details);
    // ...
}
Mark Baker
  • who downvoted this, this is a nice feature to implement – Kevin Oct 29 '14 at 11:43
  • 1
    It was probably downvoted because I forgot the `MultipleIterator::MIT_KEYS_ASSOC` flag in the second example; though the downvoter couldn't be bothered to say.... I've edited it now to add that – Mark Baker Oct 29 '14 at 11:54
  • I'm the downvoter here. First, I find the approach a bit over the top. (But I wouldn't downvote for that alone.) Also, as on the post by @sgt, I am really astonished that you don't mention the gaping SQL injection hole. It may be tedious, but we need to point out that sort of thing every single time. And I will continue spending my precious rep to downvote posts that don't even mention such problems. – lxg Oct 29 '14 at 12:15
  • 1
    @lxg Perhaps if you used prepared statements and bind variables in your own answers to MySQLi questions (http://stackoverflow.com/questions/26606665/mysql-select-query-did-work-now-doesnt-2-minutes-later-without-changes/26606805#26606805), you'd be demonstrating a better approach yourself – Mark Baker Oct 29 '14 at 12:23
  • @MarkBaker: Really, you're tracking down posts of mine to make an argument. Oh, well. Considering the one you're referencing: My aim is not to tell people what the optimal solution would be. If I wanted that, I'd tell them to throw away their self-written cr*p and use a decent framework. But I do want to make sure that the code, as it is, cannot be exploited. As you may have seen, that's exactly what I did in that other answer. – lxg Oct 29 '14 at 12:37
  • 1
    And you're downvoting posts that don't mention database security, even though you've mentioned it in your comment to the original question and several times in comments on answers, and the original poster has responded to your comments - that makes both of us pretty sad..... I guess if you're willing to downvote any answer, right or wrong, to questions on the premise of database security, no matter how peripheral it is to the question, it's rapidly approaching time for me to give up helping anybody ever again because you're here to single-handedly save the world from itself – Mark Baker Oct 29 '14 at 12:43
0

Try to do it this way:

$cnt = count($_POST["keuze"]);
for ($i = 0; $i < $cnt; $i++) {
    $price = $_POST["prijs"][$i] . "." . $_POST["cent"][$i];
    // Escape both user-supplied values and close every quoted literal
    $query = "INSERT INTO res_sub_menu (name,price,owner) 
                    VALUES  ('" . mysqli_real_escape_string($link, $_POST['keuze'][$i]) . "','" . mysqli_real_escape_string($link, $price) . "','$session->u_id')";

    mysqli_query($link, $query);
}

Avoid SQL injections.

vaso123
  • At least somebody who cares about basic security measures. – lxg Oct 29 '14 at 11:39
  • 1
    @lxg - though if the example is using MySQLi for the query, then using a prepared statement with bind variables would have been a better example to use – Mark Baker Oct 29 '14 at 11:56
  • 1
    yes, but now, i am just focusing on a quick fix with basic security. this is procedural style. – vaso123 Oct 29 '14 at 12:02
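
The prepared-statement approach raised in the comments above, as an added example that is not part of any answer on this page. It uses PDO with an in-memory SQLite database in place of the page's MySQLi connection so that it runs stand-alone; `insertMenuRows()`, the `$ownerId` parameter (standing in for `$session->u_id`) and the sample input are assumptions.

```php
<?php
// Added example: parallel form arrays inserted through one prepared statement.
// insertMenuRows() and the in-memory SQLite table are assumptions for the demo.
function insertMenuRows(PDO $db, array $post, int $ownerId): int
{
    $keuze = array_values((array)($post['keuze'] ?? []));
    $prijs = array_values((array)($post['prijs'] ?? []));
    $cent  = array_values((array)($post['cent'] ?? []));

    // The client controls all three arrays; refuse mismatched lengths.
    if (count($keuze) !== count($prijs) || count($keuze) !== count($cent)) {
        throw new InvalidArgumentException('keuze/prijs/cent length mismatch');
    }
    // Placeholders keep the submitted values out of the SQL text entirely.
    $stmt = $db->prepare(
        'INSERT INTO res_sub_menu (name, price, owner) VALUES (:name, :price, :owner)'
    );
    $inserted = 0;
    foreach ($keuze as $i => $name) {
        // Nested arrays (keuze[][]) and non-numeric prices are skipped, not coerced.
        if (!is_string($name) || !is_string($prijs[$i]) || !is_string($cent[$i])
            || !ctype_digit($prijs[$i]) || !preg_match('/^\d{1,2}\z/', $cent[$i])) {
            continue;
        }
        $stmt->execute([
            ':name'  => $name,
            ':price' => $prijs[$i] . '.' . $cent[$i],
            ':owner' => $ownerId,
        ]);
        $inserted++;
    }
    return $inserted;
}

// Constructed sample input standing in for $_POST.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE res_sub_menu (name TEXT, price TEXT, owner INTEGER)');
$post = [
    'keuze' => ['Pizza', "Chef's special", 'Soep'],
    'prijs' => ['8', '5', 'abc'],
    'cent'  => ['50', '00', '00'],
];
echo insertMenuRows($db, $post, 42), " rows inserted\n";
print_r($db->query('SELECT * FROM res_sub_menu')->fetchAll(PDO::FETCH_ASSOC));
```

The name containing an apostrophe is stored verbatim because it travels as a bound parameter, and the row with a non-numeric price is skipped by the validation step.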
0

array_combine() can operate on only two arrays at a time. It creates an array by using one array for keys and another for its values.

$array = array_combine($_POST['prijs'], $_POST['cent']);
$values = array();
foreach ($array as $prijs => $cent) {
    $values[] = $prijs.".".$cent;
}

//now process the final data

foreach (array_combine($_POST['keuze'], $values) as $keuze => $price) {
    //run your query
}
Sougata Bose
  • please mention the reason for -1 so that one can understand. – Sougata Bose Oct 29 '14 at 11:39
  • Not escaping POST data when inserting into an SQL query. – lxg Oct 29 '14 at 11:39
  • dude... the question is about how to do the trick not to apply security measures. If it was asking for security the answers will be given accordingly. @lgx try to solve the problem first. – Sougata Bose Oct 29 '14 at 11:41
  • I stand by the downvote. This type of question/answer is what's wrong with web development. People who don't *know* about SQL injection etc. are bad enough, but people who *knowingly ignore* such issues are a huge problem. It really wouldn't take much effort to fix this gaping issue. – lxg Oct 29 '14 at 11:43
  • know that.. it wouldn't take much effort... but when it is mentioned so the user can handle this on his own. – Sougata Bose Oct 29 '14 at 11:45