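<?php

// -- PULLING IN PRODUCTS TO READ OUT TO USER -- //
// $db is not created in this snippet; the bind_param() calls below suggest a
// mysqli connection -- confirm against the code that opens it.
$stmt = "
    SELECT products.ID, products.title, products.category, products.location,
           products.price, products.negotiable, products.description,
           products.photo, products.user_id
    FROM products";
$result = $db->query($stmt);

foreach ($result as $row) {
    $product_id = $row['ID'];
    // User input: escaped here, at output time, to prevent stored (first order) XSS.
    $title = htmlspecialchars($row['title'], ENT_QUOTES);
    // NOTE(review): category is read without escaping. If users can set it, it
    // needs the same htmlspecialchars() call before it is written to the page.
    $category = $row['category'];
    // Local variables for the remaining columns go here, with htmlspecialchars()
    // on every user-supplied value that will be read out to the browser.
}

// -- INSERTING ONE PRODUCT TO MAIN PRODUCT PAGE USING PREPARED STATEMENT -- //
// Incoming user input from some form.
// Assign input to local variables.
// Probably should validate data.
// NOTE(review): nothing visible here assigns $title ... $user_id. Until that
// code is filled in, $title and $category still hold what the read loop above
// left in them (the title already HTML-escaped), so assign every bound
// variable from the validated input first and store the raw value; escaping
// belongs at output time only.
// NOTE(review): if $user_id is taken from the form rather than from the
// authenticated session, a submitter can file a product under another account.
$null_value = null; // Bound to the first placeholder (ID), presumably so the database assigns it.

// NOTE(review): VALUES without a column list depends on the table's column
// order; naming the columns would survive a schema change.
$stmt = $db->prepare("
    INSERT INTO products
    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)");
$stmt->bind_param(
    'sssssssss',
    $null_value,
    $title,
    $category,
    $location,
    $price,
    $negotiable,
    $description,
    $photo,
    $user_id
);
$stmt->execute();

// -- INSERTING MULTIPLE PRODUCTS TO MAIN PRODUCT PAGE USING PREPARED STATEMENT -- //
// Incoming user input from some form.
$null_value = null; // Bound to the first placeholder (ID), as above.

// Assuming user input is from a form: verify it is a form submission.
// NOTE(review): the method check only shows the request is a POST. It does not
// show that the request came from this site's own form, so a CSRF token check
// belongs here unless it is done elsewhere.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // product_array is client-controlled: it may be missing or not an array.
    $products = $_POST['product_array'] ?? [];

    if (is_array($products)) {
        // Prepared once and executed per row, instead of re-preparing the same
        // statement on every iteration.
        $stmt = $db->prepare("
            INSERT INTO products
            VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)");

        foreach ($products as $product) {
            if (!is_array($product)) {
                continue; // Skip entries that are not a list of rows.
            }

            foreach ($product as $row) {
                // Validate data types.
                // Assign to local variables (from $row) before binding.
                $stmt->bind_param(
                    'sssssssss',
                    $null_value,
                    $title,
                    $category,
                    $location,
                    $price,
                    $negotiable,
                    $description,
                    $photo,
                    $user_id
                );
                $stmt->execute();
            }
        }
    }
}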
