Reputation: 326
Inserting values into multiple MySQL tables at once
I've created mini content management system. Now got afew questions
I'm filtering posts with following function
function filter($data, $db)
{
$data = trim(htmlentities(strip_tags($data)));
if (get_magic_quotes_gpc())
$data = stripslashes($data);
$data = $db->escape_string($data);
return $data;
}
And the PHP code looks like that
$name=filter($_POST['name'], $db);
$title=filter($_POST['title'], $db);
$parent=filter($_POST['parent'],$db);
$switch=filter($_POST['switch'], $db);
if($switch=''){
echo "Return back and select an option";
die();
}
$parentcheck=filter($_POST['parentcheck'],$db);
if($parentcheck=='0')
{
$parent=$parentcheck;
}
$purifier = new HTMLPurifier();
$content = $db->real_escape_string( $purifier->purify( $_POST['content']) );
if(isset($_POST['submit'])&&$_POST['submit']=='Ok'){
$result=$db->query("INSERT INTO menu (parent, name, showinmenu) VALUES ('$parent', '$name', '$switch'") or die($db->error);
$result2=$db->query("INSERT INTO pages (id, title, content) VALUES ('<what?>', '$title', '$content'") or die($db->error);
}
And that's how my tables look like
Table named "pages"
And "menu"
My questions are followings:
I'm trying to get autoincremented
idvalue frommenutable after('$parent', '$name', '$switch'")insertion and set thisidinpagestable while inserting ($title, $content). How to do it? Is it possible with single query?$content's value is the text with HTML tags. I'm using html purifier. May I filter it's value too before inserting into db table? Any suggestion/advice?
Upvotes: 0
Views: 1147
Answers (2)
Reputation: 360702
Looks like you're using mysqli as the DB library, so you can use $db->insert_id() to retrieve the LAST id created by an insert operation by that particular DB handle. So your queries would become:
$result=$db->query("INSERT INTO menu (parent, name, showinmenu) VALUES ('$parent', '$name', '$switch'") or die($db->error);
$new_id = $db->insert_id();
$result2=$db->query("INSERT INTO pages (id, title, content) VALUES ($new_id, '$title', '$content'") or die($db->error);
^^^^^^^
You can't really do it in a single query, as mysql does not make the ID value available for the insert_id function until AFTER the query completes. So you do have to do this in a 3 step process: insert, get id, insert again.
The rule for DB filtering (better known as escaping) is to escape ANYTHING that's user-provided. This even includes data you've retrieve in other db queries and are re-inserting. Escaping isn't really there as a security measure - it's there to make sure that whatever you're putting into the query string doesn't BREAK the query. Preventing SQL injection attacks is just a side effect of this.
Upvotes: 1
Reputation: 806
Should be
$result2=$db->query("INSERT INTO pages (id, title, content) VALUES (LAST_INSERT_ID(), '$title', '$content'") or die($db->error);
Filtering using real_escape_string( ) should be safe. Is there something else that you want to filter?
Upvotes: 1
Related Questions
- MYSQL, PHP Insert into Multiple Tables in Database
- mysql insert into multiple table at once
- mySQL INSERT to multiple tables using PHP statments
- Php mysql - insert into multiple tables in one query
- PHP/ MYSQL Inserting Data Into Multiple Tables
- Insert into multiple tables at once
- Inserting Data into multiple tables
- Run MySQL INSERT Query multiple times (insert values into multiple tables)
- insert entries in multiple tables in php
- PHP MySQL inserting data to multiple tables