How to create multiple jquery form fields and insert in mysql database, without using mysql_real_escape_string

I need to create dynamic text fields with a button (which simply adds a new row of dynamic text fields). Then I need to INSERT the data in a in the database. I borrowed an example of what I need done from someone else's question, the problem is, it uses mysql_real_escape_string, which is now depreciated. I am new to this, so could you tell me what I would use instead of the mysql_real_escape_string?

$(function(){
    $('p#add_field').click(function(){
        counter += 1;
        $('#container').append(
        '<strong>Hobby No. ' + counter + '</strong><br />' 
        + '<input id="field_' + counter + '" name="dynfields['+counter+'][name]' + '" type="text" /><br />' +
        + '<input id="field_' + counter + '" name="dynfields['+counter+'][surname]' + '" type="text" /><br />' +
        + '<input id="field_' + counter + '" name="dynfields['+counter+'][age]' + '" type="text" /><br />' +
        + '<input id="field_' + counter + '" name="dynfields['+counter+'][gender]' + '" type="text" /><br />');

    });
});
</script>
if (isset($_POST['submit_val'])) {
    if ($_POST['dynfields']) {
        foreach ( $_POST['dynfields'] as $key=>$fieldArray ) {

            $keys = array_keys($fieldArray);
            $values = array_map("mysql_real_escape_string",$fieldArray);

            $query = mysql_query("INSERT INTO my_hobbies (".implode(',',$keys).") VALUES ('".implode('\',\'',$values)."')", $connection );  
        }
    }

    echo "<i><h2><strong>" . count($_POST['dynfields']) . "</strong> Hobbies Added</h2></i>";

    mysql_close();
}

Answers


Your problem has nothing to do with jQuery and the form. It is just highly recommended to prevent SQL injection, an attack in which an attacker injects SQL commands into your DB Query by posting it in your form. That's why any data that comes from an untrusted source (eg html form) should be sanitized or at least escaped.

Here is a good explanation what SQL injection is and how it works.

As for your question: You can use mysqli_real_escape_string.

<?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

$mysqli->query("CREATE TEMPORARY TABLE myCity LIKE City");

$city = "'s Hertogenbosch";

/* this query will fail, cause we didn't escape $city */
if (!$mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
    printf("Error: %s\n", $mysqli->sqlstate);
}

$city = $mysqli->real_escape_string($city);

/* this query with escaped $city will work */
if ($mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
    printf("%d Row inserted.\n", $mysqli->affected_rows);
}

$mysqli->close();
?>

mysql_real_escape_string isn't the only mysql_ function to be deprecated. They all are. including mysql_query.. I suggest googling for a PDO tutorial and spending 15 minutes teaching yourself. It really is pretty simple.

But to answer your question, after you create a PDO connection (you'll have to Google for how, I can't do everything for you) you'll change your loop to this..

$keys = array_keys($fieldArray);
foreach($fieldArray as $$k=>$v) $exe[":".$k] = $v;
$query = $pdo->prepare("INSERT INTO my_hobbies (".implode(',',$keys).") VALUES ('".implode('\',\'',array_keys($exe))."')", $connection ); 
$query->execute($exe);

Need Your Help

Viewing SQLite3 Database (XCODE)

iphone xcode sqlite

I am creating an iphone app within XCODE the makes use of an SQLite3 database. I am creating the database programmatically if it does not exist. I am not getting any errors when I run the program...

How to get the IP address when a session is created?

java grails servlets httpsession

In my grails application, I have implemented the interface HttpSessionListener to listen for session creation as given below: