I need to create dynamic text fields with a button (which simply adds a new row of dynamic text fields). Then I need to INSERT the data into the database. I borrowed an example of what I need done from someone else's question; the problem is, it uses mysql_real_escape_string, which is now deprecated. I am new to this, so could you tell me what I would use instead of mysql_real_escape_string?
<script>
// shared row counter so every added row gets its own index in dynfields[...]
var counter = 0;
$(function(){
    $('p#add_field').click(function(){
        counter += 1;
        // one row = four inputs; ids are made unique per field and row
        $('#container').append(
            '<strong>Hobby No. ' + counter + '</strong><br />'
            + '<input id="name_' + counter + '" name="dynfields[' + counter + '][name]" type="text" /><br />'
            + '<input id="surname_' + counter + '" name="dynfields[' + counter + '][surname]" type="text" /><br />'
            + '<input id="age_' + counter + '" name="dynfields[' + counter + '][age]" type="text" /><br />'
            + '<input id="gender_' + counter + '" name="dynfields[' + counter + '][gender]" type="text" /><br />');
    });
});
</script>
<?php
if (isset($_POST['submit_val'])) {
    if (!empty($_POST['dynfields'])) {
        foreach ($_POST['dynfields'] as $key => $fieldArray) {
            $keys   = array_keys($fieldArray);
            // escape each submitted value with the (deprecated) mysql_ extension
            $values = array_map("mysql_real_escape_string", $fieldArray);
            $query  = mysql_query("INSERT INTO my_hobbies (" . implode(',', $keys) . ") VALUES ('" . implode("','", $values) . "')", $connection);
        }
    }
    echo "<i><h2><strong>" . count($_POST['dynfields']) . "</strong> Hobbies Added</h2></i>";
    mysql_close();
}
Your problem has nothing to do with jQuery and the form. It is just highly recommended to prevent SQL injection, an attack in which an attacker injects SQL commands into your DB query by posting it in your form. That's why any data that comes from an untrusted source (e.g. an HTML form) should be sanitized or at least escaped.
Here is a good explanation of what SQL injection is and how it works.
As for your question: you can use mysqli_real_escape_string.
<?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

$mysqli->query("CREATE TEMPORARY TABLE myCity LIKE City");

$city = "'s Hertogenbosch";

/* this query will fail, cause we didn't escape $city */
if (!$mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
    printf("Error: %s\n", $mysqli->sqlstate);
}

$city = $mysqli->real_escape_string($city);

/* this query with escaped $city will work */
if ($mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
    printf("%d Row inserted.\n", $mysqli->affected_rows);
}

$mysqli->close();
?>
mysql_real_escape_string isn't the only mysql_ function to be deprecated. They all are, including mysql_query. I suggest googling for a PDO tutorial and spending 15 minutes teaching yourself. It really is pretty simple.
But to answer your question, after you create a PDO connection (you'll have to Google for how, I can't do everything for you) you'll change your loop to this:
$keys = array_keys($fieldArray);
$exe  = array();
foreach ($fieldArray as $k => $v) {
    $exe[":" . $k] = $v;   // one named placeholder per submitted value
}
// placeholders must not be quoted, or they become string literals instead of bind markers
$query = $pdo->prepare("INSERT INTO my_hobbies (" . implode(',', $keys) . ") VALUES (" . implode(',', array_keys($exe)) . ")");
$query->execute($exe);
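A complete version of that loop, added here as an example and not taken from either answer: it binds every value through a prepared statement and, because column names cannot be bound as parameters, checks the submitted keys against a fixed allowlist before the column list is built. It assumes an open PDO connection in $pdo and the my_hobbies table with the four columns used by the question's form.

```php
<?php
// Added example (not from the original answers). Assumes $pdo is an open
// PDO connection and my_hobbies has exactly the columns in $allowedColumns.
$allowedColumns = ['name', 'surname', 'age', 'gender'];

$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Server-side prepares: SQL text and values travel separately, so a value
// containing quotes (like "'s Hertogenbosch") is stored as data, not parsed as SQL.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$inserted = 0;
if (isset($_POST['submit_val']) && !empty($_POST['dynfields'])) {
    // One statement serves every row, since all rows use the same allowlisted columns.
    $placeholders = implode(', ', array_map(fn($c) => ":$c", $allowedColumns));
    $sql = 'INSERT INTO my_hobbies (' . implode(', ', $allowedColumns) . ') '
         . 'VALUES (' . $placeholders . ')';
    $stmt = $pdo->prepare($sql);

    $pdo->beginTransaction();
    try {
        foreach ($_POST['dynfields'] as $fieldArray) {
            if (!is_array($fieldArray)) {
                continue;
            }
            // A row carrying keys we do not know about means the form was tampered
            // with; refuse it instead of letting it steer the column list.
            $unknown = array_diff(array_keys($fieldArray), $allowedColumns);
            if ($unknown !== []) {
                throw new InvalidArgumentException('Unexpected field(s): ' . implode(', ', $unknown));
            }
            $params = [];
            foreach ($allowedColumns as $col) {
                // Missing fields become NULL; the column definition decides if that is allowed.
                $params[":$col"] = isset($fieldArray[$col]) ? (string) $fieldArray[$col] : null;
            }
            $stmt->execute($params);
            $inserted++;
        }
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}
// Output is HTML-escaped as well, so the response side does not reintroduce injection.
echo '<h2><strong>' . htmlspecialchars((string) $inserted, ENT_QUOTES, 'UTF-8') . '</strong> Hobbies Added</h2>';
```

The transaction means a malformed row in the middle of the submission leaves no partial set of hobbies behind; drop it if partial inserts are acceptable.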