Posted by Rik on 10/18/06 15:22
Aaron Reimann wrote:
> Here is my code:
> if (is_array($_POST['commentsid'])) {
>
> foreach ($_POST['commentsid'] as $id) {
>
> $query = mysql_query("SELECT id_ministry FROM join_comments WHERE
> id_ministry = '$id'")
> or die("Bad query: ".mysql_error());
Euhm, security? I'd use an intval($id) or something to be sure it's not an
SQL injection.
> ## if it is not in the database, insert the id
> if (mysql_num_rows($query) == "0") {
> $insert =
> "INSERT INTO ".
> "join_comments (username, creation_stamp, id_people, id_ministry) ".
> "VALUES ('$_SESSION[valid_user]', '$datetime', '$_POST[id]',
> '$id')";
You do know you don't HAVE to concatenate?
$insert = "INSERT INTO
join_comments (username, creation_stamp, id_people, id_ministry)
VALUES
('$_SESSION[valid_user]', '$datetime', '$_POST[id]','$id')";
Will work just fine, and saves some useless overhead.
> I think I need to do my delete before everything. Here is an "english"
> version of what I think needs to be done:
>
> do a query selecting all that is in the database
> compare what was checked this time against what is checked now
> if something is no longer checked {
> delete from database the ones that are not in the database now
> }
> }
>
> I hope this makes sense.
1. Create an array of available ids from your database (mysql_query(),
mysql_fetch_array() loop).
2. Make sure it's the same format as your $_POST array.
3. array_walk(array_name,'intval') to make sure you have all integers.
4. $to_be_deleted = array_diff($available_array,$post_array).
5. foreach($to_be_deleted) loop delete.
If I see your code now, I'd say that you might benefit from some protection
from SQL injections. Look up the subject on Google, especially
mysql_real_escape_string() etc.
Never, ever, trust userdata, not even when they're logged in, trusted
users.
--
Grtz,
Rik Wasmus
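Rik's five steps written out as one function, as an added example (not Aaron's or Rik's code). It assumes a mysqli connection in $db and the same $_SESSION['valid_user'], $_POST['id'] and $_POST['commentsid'] as the original; it uses mysqli prepared statements instead of the string-built queries in the thread, array_map instead of array_walk (array_walk with 'intval' does not change the array), and NOW() for creation_stamp in place of the original's $datetime.

```php
<?php
// Added example: keep join_comments in sync with the checkboxes that were
// submitted, with every id forced to an integer and no user data ever
// spliced into SQL text. Assumes $db is a connected mysqli object.

// Steps 2 and 3: normalise the posted list to a clean array of integers.
function normaliseIds(array $raw): array {
    $ids = array_map('intval', $raw);             // non-numeric junk becomes 0
    $ids = array_filter($ids, fn($v) => $v > 0);  // drop 0 and negatives
    return array_values(array_unique($ids));
}

function syncMinistries(mysqli $db, string $username, int $person, array $posted): void {
    // Step 1: the ids currently stored for this person.
    $stmt = $db->prepare("SELECT id_ministry FROM join_comments WHERE id_people = ?");
    $stmt->bind_param('i', $person);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    $existing = array_map('intval', array_column($rows, 'id_ministry'));

    $wanted = normaliseIds($posted);

    // Step 4: ids that were unchecked, and ids that are newly checked.
    $toDelete = array_diff($existing, $wanted);
    $toInsert = array_diff($wanted, $existing);

    // Step 5: delete the unchecked ones; the id is bound, never interpolated.
    $del = $db->prepare("DELETE FROM join_comments WHERE id_people = ? AND id_ministry = ?");
    foreach ($toDelete as $id) {
        $del->bind_param('ii', $person, $id);
        $del->execute();
    }
    $del->close();

    // Insert only what is not already there (the original's "if not in the database" check).
    $ins = $db->prepare("INSERT INTO join_comments (username, creation_stamp, id_people, id_ministry) "
                      . "VALUES (?, NOW(), ?, ?)");
    foreach ($toInsert as $id) {
        $ins->bind_param('sii', $username, $person, $id);
        $ins->execute();
    }
    $ins->close();
}

// Same inputs as the original post; a missing or non-array commentsid means "nothing checked".
$posted = is_array($_POST['commentsid'] ?? null) ? $_POST['commentsid'] : [];
syncMinistries($db, (string)$_SESSION['valid_user'], (int)$_POST['id'], $posted);
```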