Home/ Questions/Q 8602313
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-12T02:03:20+00:00

if(isset($_POST[‘id’])) { $id=$_POST[‘id’]; echo $id; $busnumber=$_POST[‘busnumber’]; $status=$_POST[‘status’]; $startpoint=$_POST[‘startpoint’]; $stop1=$_POST[‘stop1’]; $stop2=$_POST[‘stop2’]; } I want to

  • 0
if(isset($_POST['id'])) {
    $id=$_POST['id'];
    echo $id;

    $busnumber=$_POST['busnumber'];
    $status=$_POST['status'];
    $startpoint=$_POST['startpoint'];
    $stop1=$_POST['stop1'];
    $stop2=$_POST['stop2'];
}

I want to create dynamic $stop2=$_POST['stop2']; and mysql query:

$sql = mysql_query("
   UPDATE fromto 
   SET busNumber='$busnumber', status='$status', startPoint='$startpoint', 
     stop1='$stop1', stop2='$stop2', stop3='$stop3', stop4='$stop4', 
     stop5='$stop5', stop6='$stop6', stop7='$stop7'............... 
   WHERE id=$id
");
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You need to evaluate all variables to check which are valid SQL fields. In the most general case you might have POST names and SQL names not alike.

    At that point you do not even need to set the variables.

    I added an escape check because, were someone to send you, say,

    '; --

    as the value of busNumber, your query would become:

    UPDATE table SET busNumber=''; --', status=...

    and since “–” starts a comment, MySQL would see:

    UPDATE table SET busNumber=''; -- *all the rest ignored*

    which would then bork the busNumber column in the whole table. You so don’t want this to happen. PDO is a good alternative to mysql_* functions that would help prevent such problems.

    Anyway, you use mysql_*, so:

    $id = (int)$_POST['id'];

$fields = array( // ALL FIELDS EXCEPT ID
   'status' => 'status',
   ...
);

$update = array();
// Since we're not using PDO we have to do a small check ourselves
foreach($fields as $sql => $post)
{
    if (!isset($_POST[$post]))
        $value = 'NULL';
    else
    {
        // If you want to set the variable:
        // ${$post} = $value;
        // or
        // ${$sql} = $value;

        $value = mysql_real_escape($_POST[$post]);
        if (!is_numeric($value))
            $value = "'$value'";
    }
    $update[] = "$sql = $value";
}

$query = "UPDATE table SET " . implode(',', $update) . " WHERE id=$id";

mysql_query($query);

    Moreover, it would be probably useful (performance-wise and maintenance-wise) to normalize the schema by removing the stop* columns and putting them in another table:

    CREATE TABLE busStops {
    id_bus    integer,
    active    boolean,
    seq_no    integer,
    name      varchar(200)
};

    or even

    CREATE TABLE busStops {
    id        integer not null primary key auto_increment,
    name      varchar(200)
    // other geographical information
};

CREATE TABLE bus_has_stop {
    id_bus    integer,
    id_stop   integer,
    sequenc   integer,
}

    so that if you e.g. renamed a stop from “Street 1 and Street 2” to “Streets 1-2”, the rename would affect automatically all buses with a stop there, and so on.

    • 0