Binding a PHP array for SQL insert

Question

Try binding an array (1starraybind) to prevent SQL injection. This is the code that works: if(isset($_POST['checkbox_selected'])){$valuesArr=array();foreach($_POST['checkbox_selected']as$key=>$value){//Retrieve array ID To find the row number of the CSV option column $findrow=array_search

P粉384679266 · Answer

You have two problems:

You are not using the correct bind syntax.

You are trying to insert multiple rows in a prepared statement

if (isset($_POST['checkbox_selected']))
{
    $sql = "INSERT INTO map (user_id, feed_id, attribute_id, csvcolumn) VALUES (?, ?, ?, ?);";
    // prepare only has to happen once
    $stmt = mysqli_prepare($conn,$sql);

    mysqli_begin_transaction($conn);
    try {
        foreach ($_POST['checkbox_selected'] as $key => $value) {
            $findrow = array_search_partial($attributeid, $value);
            $attribute = $value;            
            $csv = $csvcolumn[$findrow];
            
            $stmt->bindParam('iiii', $userid, $feed_id, $attribute, $csv);
            $stmt->execute();
        }
        mysqli_commit($conn);
    } catch(mysqli_sql_exception $e) {
        mysqli_rollback($conn); // immediately roll back changes
        throw $e; // re-throw exception
    }
}

The only slight benefit is that when you try to wrap multiple VALUES() in a query, it will be wrapped by an implicit transaction. But other aspects of this approach are disadvantageous. Explicitly opening the transaction that wraps the binding/execution loop, you can get the same benefits [error rollback, IO batching], while also taking advantage of the benefits of prepared statements [single simple query parsing, parameterization, etc.]