2
\$\begingroup\$

There's a part in my page where you can add, edit or delete school details, and it wasn't supposed to save entries to the database until the user hits Enter, so I save all data in an object first.

My object looks like this:

schooldetails : {
 "1": {
 "school_ctr":"schoolctr_1",
 "school":"Fiat Lux Academe",
 "course":"",
 "qualification":"High School",
 "date_grad":"06/04/2008",
 "notes":"*graduated with honors",
 "deleted":0
 },
 "2": {
 "school_ctr":"schoolctr_2",
 "school":"College of St. Benilde",
 "course":"Computer Science",
 "qualification":"Bachelor / College",
 "date_grad":"06/05/2012",
 "notes":"",
 "deleted":0
 },
 "3":{
 "school_ctr":"schoolctr_3",
 "school":"Siliman University",
 "course":"Information Technology",
 "qualification":"Post Graduate / Master",
 "date_grad":"06/06/2014",
 "notes":"",
 "deleted":0
 }
}

I passed it through AJAX and I was able to save info through this code:

if(!empty($school_details_new)){
 foreach($school_details_new as $key => $value) {
 foreach($value as $school_data => $data_values) {
 if($school_data == "school")
 $s_name = mysql_real_escape_string($data_values);
 if($school_data == "course")
 $s_degree = mysql_real_escape_string($data_values);
 if($school_data == "qualification")
 $s_type = mysql_real_escape_string($data_values);
 if($school_data == "date_grad")
 $s_enddate = mysql_real_escape_string($data_values);
 if($school_data == "notes")
 $s_notes = mysql_real_escape_string($data_values); 
 }
 $sql = "INSERT INTO `SchoolDetails` (`personID`, `School`, `Type`, `End_Date`, `Degree`, `Notes`) VALUES ($id, '$s_name', '$s_type', '$s_enddate', '$s_degree', '$s_notes');";
 $res_sql = mysql_query ($sql);
 }
}

This is actually working fine with me. I don't have any errors or anything but I do believe there is a more efficient way to do this without having a lot of if statements. Thoughts?

Jamal
35.2k13 gold badges134 silver badges238 bronze badges
asked Jun 30, 2014 at 6:51
\$\endgroup\$

1 Answer 1

7
\$\begingroup\$

Indeed there is! Use prepared statements instead of manually escaping and inserting into your query!

Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.

//mysqli connection somewhere around here...
if (!empty($school_details_new)) {
 $stmt = mysqli_prepare($conn, "INSERT INTO `SchoolDetails` (`personID`, `School`, `Type`, `End_Date`, `Degree`, `Notes`) VALUES (?, ?, ?, ?, ?, ?)";
 foreach ($school_details as $school) {
 mysqli_stmt_bind_param($stmt, "isssss", $id, $school["school"], $school["qualification"], $school["date_grad"], $school["course"], $school["notes"]);
 mysqli_stmt_execute($stmt);
 }
}
answered Jun 30, 2014 at 7:04
\$\endgroup\$
0

Your Answer

Draft saved
Draft discarded

Sign up or log in

Sign up using Google
Sign up using Email and Password

Post as a guest

Required, but never shown

Post as a guest

Required, but never shown

By clicking "Post Your Answer", you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.