update values from array

[soda]

Hi......

I have a form which includes 3 drop downs to add 3 results in 3 subjects.Once the save buttons clicked i want to update subject 1 from the 1st value in array.like wise other subject 2 from array value 2 .same as the other values.

i have mentioned my coding.

as print_r(); i get below output

UPDATE results SET results='A' where student_id=01' and subject_id='3'
UPDATE results SET results='B' where student_id=01' and subject_id='3'
UPDATE results SET results='C' where student_id='01' and subject_id='3'

but i want somthing like

UPDATE results SET results='A' where student_id=01' and subject_id='1'
UPDATE results SET results='B' where student_id=01' and subject_id='2'
UPDATE results SET results='C' where student_id='01' and subject_id='3'

PHP Code:

if(isset($_REQUEST['Save']))
{
  
 foreach($_REQUEST['result'] as $value)
 {

 for($i=1; $i<=3; $i++)
 {


$sql = " UPDATE results SET results='".$value."' where student_id='01' and subject_id='".$i."'";

 }

mysql_query($sql,$connection);


 
  }

} 


pls help. thanks

[SteelWheel]

Have a look at your "for"-instance ... you have to fire your query three times - not only once or you just get "the last result"! Insert your "mysql_query($sql,$connection);" into your for()-loop ...

Security/other things:
- always use $_POST (just read it in a "PHP security" book)
- think about SQL injection (your $value (!) is a high risk problem!)
- if student_id is unique, try "LIMIT 1" at the end of your query (speeds up, if found in db)
- use "`" around fields and tablenames (if using mySQL (!); speeds up!; in your case: UPDATE `results` SET `results`='A' WHERE `student_id`='01' AND `subject_id`='1'
- write defaults like UPDATE, SELECT, INSERT, AND, WHERE, SET always uppercase ... no performance tuning, but a better overview

Pls have a look at your update-query ... >>> student_id=01' <<< is possibly wrong because of "'" ...

More questions? More answers ...

[NogDog]

I might try something like the following to reduce the number of queries sent to MySQL:

PHP Code:

if (isset($_REQUEST['Save'])) {
   foreach($_REQUEST['result'] as $value) {
      $subjIds = implode(',', range(1,3));
      $sql = "UPDATE results SET results='" .
             mysql_real_escape_string($value) .  // don't forget to sanitize!
             "' WHERE student_id='01' and subject_id IN($subjIds)";
      mysql_query($sql, $connection);
   }
} 


[soda]

thanks guys for your replys.I have managed to write it somehow.Below is the coding i have written

PHP Code:

if(isset($_REQUEST['Save']))
{

for($i=0;$i<=2;$i++)
{
$j=$i+1;
$sql = "UPDATE results SET results='".$_REQUEST['result'][$i]."' where student_id='01' and subject_id='".$j."'";
$result=mysql_query($sql);

 }

} 


for more info
http://www.phpeasystep.com/mysql/10.html

thanks guys & i'll try your ones also.

[Mindzai]

You are still wide open to SQL injection attacks. You'd be wise to heed the advice from the previous posters.

[soda]

OOOps.Actually i don't have a clear idea about SQL injections , how it attacks & what harm it can do. Please let me know.

I highly appreciate you guys comments.
Thanks a lot

[Mindzai]

Have a read of the PHPSec Guide, particularly the SQL Injection section.

[NogDog]

The main thing is the use of an applicable escaping mechanism for any value used in a query which has any possibility of containing uncontrolled data or any characters which could be problematic in SQL; thus the use of mysql_real_escape_string() in my previous reply.