<?php
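// -- PULLING IN PRODUCTS TO READ OUT TO USER -- //
// Reads every product row and prepares escaped copies of the text columns for
// rendering. The SELECT has no user-controlled part, so a plain query() is fine
// here; the *values* it returns are user input and must be escaped at output.
$sql = ("
SELECT
    products.ID,
    products.title,
    products.category,
    products.location,
    products.price,
    products.negotiable,
    products.description,
    products.photo,
    products.user_id
FROM
    products");
$result = $db->query($sql);
// mysqli::query() returns false on failure unless mysqli_report() is set to
// throw; iterating false would just render an empty page, so fail loudly.
if ($result === false) {
    throw new RuntimeException('Product query failed: ' . $db->error);
}
foreach ($result as $row) {
    $product_id = $row['ID'];
    // Escape for the HTML context with an explicit charset; ENT_SUBSTITUTE
    // keeps an invalid UTF-8 byte from silently blanking the whole string.
    // The (string) cast covers NULL columns (htmlspecialchars(null) is deprecated).
    $title = htmlspecialchars((string) $row['title'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); // User input, prevent first order XSS
    $category = htmlspecialchars((string) $row['category'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // Local variables for the remaining columns (location, price, negotiable,
    // description, photo, user_id) get the same treatment before they are
    // echoed. htmlspecialchars() covers HTML text and quoted attribute values
    // only; a value placed in a URL or a script block needs its own escaping.
}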
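// -- INSERTING ONE PRODUCT TO MAIN PRODUCT PAGE USING PREPARED STATEMENT -- //
// Incoming user input from some form. The values are bound as parameters, so
// they can never change the SQL text. Bind them raw: HTML escaping belongs at
// output time (see the render loop above), not in the stored row, otherwise
// the text is double-escaped when it is rendered.
// Probably should validate data first (types, lengths), and user_id should
// come from the authenticated session rather than from the form itself.
$null_value = null; // ID is left NULL so the database assigns it
// Column names are taken from the SELECT above. Naming them explicitly means the
// placeholder list cannot silently drift if the table gains or reorders a column.
$stmt = $db->prepare("
INSERT INTO products
    (ID, title, category, location, price, negotiable, description, photo, user_id)
VALUES
    (?, ?, ?, ?, ?, ?, ?, ?, ?)");
// prepare() returns false on a malformed statement; stop here rather than
// calling bind_param() on false.
if ($stmt === false) {
    throw new RuntimeException('Could not prepare product insert: ' . $db->error);
}
$stmt->bind_param('sssssssss',
    $null_value,
    $title,
    $category,
    $location,
    $price,
    $negotiable,
    $description,
    $photo,
    $user_id);
// execute() also signals failure by return value unless mysqli is configured
// to throw; an unchecked false here would look like a successful insert.
if (!$stmt->execute()) {
    throw new RuntimeException('Product insert failed: ' . $stmt->error);
}
$stmt->close();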
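// -- INSERTING MULTIPLE PRODUCTS TO MAIN PRODUCT PAGE USING PREPARED STATEMENT -- //
// Incoming user input from some form
$null_value = null; // ID is left NULL so the database assigns it
// Assuming user input is from a form
// Verify it is a form submission. REQUEST_METHOD is unset under the CLI, so
// read it with a default instead of triggering an undefined-index warning.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Untrusted request data: check the key exists and is an array before
    // iterating, rather than letting foreach warn on a malformed request.
    $products = $_POST['product_array'] ?? [];
    if (!is_array($products)) {
        throw new InvalidArgumentException('product_array must be an array');
    }
    // Prepare and bind once, outside the loops. bind_param() takes its
    // arguments by reference, so re-assigning the locals per row and calling
    // execute() again is enough; re-preparing per row only adds round trips.
    // Column names are taken from the SELECT above.
    $stmt = $db->prepare("
INSERT INTO products
    (ID, title, category, location, price, negotiable, description, photo, user_id)
VALUES
    (?, ?, ?, ?, ?, ?, ?, ?, ?)");
    if ($stmt === false) {
        throw new RuntimeException('Could not prepare product insert: ' . $db->error);
    }
    $stmt->bind_param('sssssssss',
        $null_value,
        $title,
        $category,
        $location,
        $price,
        $negotiable,
        $description,
        $photo,
        $user_id);
    foreach ($products as $product) {
        // NOTE(review): this executes one insert per element of $product, not
        // one per product — confirm the intended shape of product_array; one
        // insert per product with the fields taken from $product is the
        // likely intent.
        foreach ($product as $row) {
            // Validate data types
            // Assign to local variables ($title, $category, ... ) before execute();
            // user_id should come from the session, not the submitted form.
            if (!$stmt->execute()) {
                throw new RuntimeException('Product insert failed: ' . $stmt->error);
            }
        }
    }
    $stmt->close();
}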