I wonder whether this idea is a good practice to update a row in a table in the database.
I usually update the row like this,
$pg_id = set_variable($_POST,'pg_id');
$pg_url = set_variable($_POST,'pg_url');
$pg_title = set_variable($_POST,'pg_title');
$pg_subtitle = set_variable($_POST,'pg_subtitle');
$pg_description = set_variable($_POST,'pg_description');
$pg_introduction = set_variable($_POST,'pg_introduction');
$pg_content_1 = set_variable($_POST,'pg_content_1');
$pg_content_2 = set_variable($_POST,'pg_content_2');
$pg_content_3 = set_variable($_POST,'pg_content_3');
$pg_content_4 = set_variable($_POST,'pg_content_4');
$pg_backdate = set_variable($_POST,'pg_backdate');
$pg_tag = set_variable($_POST,'pg_tag');
$pg_user = set_variable($_POST,'pg_user');
$pg_member = set_variable($_POST,'pg_member');
$pg_highlight = set_variable($_POST,'pg_highlight');
$pg_hide = set_variable($_POST,'pg_hide');
$pg_cat_id = set_variable($_POST,'pg_cat_id');
$ps_cat_id = set_variable($_POST,'ps_cat_id');
$parent_id = set_variable($_POST,'parent_id');
$tmp_id = set_variable($_POST,'tmp_id');
$usr_id = set_variable($_POST,'usr_id');
$sql = "
UPDATE root_pages
SET
pg_url = ?,
pg_title = ?,
pg_subtitle = ?,
pg_backdate = ?,
pg_description = ?,
pg_introduction = ?,
pg_content_1 = ?,
pg_content_2 = ?,
pg_content_3 = ?,
pg_content_4 = ?,
pg_highlight = ?,
pg_hide = ?,
ps_cat_id = ?,
parent_id = ?,
tmp_id = ?,
updated_by = ?
WHERE pg_id = ?
";
# use the instantiated db connection object from the init.php, to process the query
$result = $connection->run_query($sql,array(
$pg_url,
$pg_title,
$pg_subtitle,
$pg_backdate,
$pg_description,
$pg_introduction,
$pg_content_1,
$pg_content_2,
$pg_content_3,
$pg_content_4,
$pg_highlight,
$pg_hide,
$ps_cat_id,
$parent_id,
$tmp_id,
$usr_id,
$pg_id
));
I find this is taking a long time to type to list all the fields in the table when comes to maintenance, so I have this short-cut idea to get around it,
# queury the table columns.
$sql = "
SHOW COLUMNS
FROM root_pages
";
# use the stored connection object from the class_page_controller.php, to process the query.
$columns = $connection->fetch_all($sql);
# loop through the table columns, select the 'Field' column only, turn the field into variables, then get the variable's value from the array.
foreach($columns as $column)
{
$$column['Field'] = set_variable($_POST,$column['Field']);
}
foreach($columns as $column)
{
$sql = "
UPDATE root_pages
SET
".$column['Field']." = ?
WHERE pg_id = ?
";
# use the instantiated db connection object from the init.php, to process the query
$result = $connection->run_query($sql,array($$column['Field'],$pg_id));
}
It is shorter but I use loads of looping in this short-cut – is it bad?
Does this make the server slow in processing the update? What problems would I get in this method that I fail to see?
More queries means more time, so if you are updating each field individually (rather than a row at a time), it will take significantly longer.
Also, you may want to apply a filter to the submitted values to ensure that no field which you do not want updated can be.
For instance, if you had a table of users who had account balances listed against them:
If I could submit a form to your form handler, as the “credit” field would show up in the
SHOW COLUMNS...query, I could send you a POST submission, through a form intended to be used for me to change my name, with$_POST['user'] = "Mike Rowe"and$_POST['credit'] = 9999, and you would change the above to:UPDATE: Suggested solution
Rather than trust that the database field names are safe to use for handling a query like this, why not have your own array of editable fields and just loop through them?
NOTE: This code is untested and not the way I usually operate, so use it as a guide, not a bible…