Posted by Jerry Stuckle on 12/12/06 13:38

Curtis wrote:
> It would be better to just execute one query, rather than executing a
> query on each iteration. First, form the query from the submitted data,
> then execute:
>
> <?php
> // sanitize input
> foreach ( $_POST['delete'] as $key => $val )
> $_POST['delete'] = intval($val);
>
> // init query
> $qry = 'DELETE FROM `table` WHERE `id` = ';
> $id = implode(' OR `id` = ', $_POST['delete']); // extend string from
> submitted ids
> $qry .= $id; // concatenate
>
> $sql = mysql_query($qry); // run query
>
> // do what you need with the sql resource
> ?>
>
> On Dec 11, 12:13 am, "ameshkin" <amir.mesh...@gmail.com> wrote:
>
>>What I want to do is very simple, but I'm pretty new at PHP and its a
>>little hard for me.
>>
>>I have one page, where there are a rows of checkboxes. A button
>>selects all checkboxes, and then presses delete.
>>
>>When delete is pressed, I want to go to a next page and run a sql
>>command for every single box thats checked. The checkboxes store a
>>value, and multiple boxes can be checked.
>>
>>On the second page, whch is the form actin, I simply want to iterate
>>through and pull which values are checked and run a sql command for
>>each value.
>>
>>I have no idea how to do this. I assume you willl have to use a for
>>each statement, but am having trouble programming this.
>>
>>Someone please help!
>
>

Two problems -

First of all, even your corrected code can incorrectly delete the record
with id = 0. You need verify the intval actually matches the string.
Assuming the id is numeric, a better test would be

$vals = array();
foreach ( $_POST['delete'] as $key => $val )
if (strval(intval(val)) != val)
$vals[] = val;

Even though you might not have a key of 0 right now, things change. And
this is just the type of bug which will cause dozens of hours of
troubleshooting at a later time.

If id is not numeric, then this is not needed.

Also, much easier:

$qry = 'DELETE FROM table WHERE id IN (' .
implode(',', $_POST['DELETE']) . ')' ;

And if it's a non-numeric

$vals = array();
foreach ( $_POST['delete'] as $key => $val )
if (strval(intval(val)) != val)
$vals[] = "'" . mysql_real_escape_string(val_ . "'";


Of course, the op should also be doing other validation on the incoming
data as necessary.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

[Back to original message]