PHP

Severovostok, 2012-07-12 12:08:59

Handling a large number of $_POST

Hello. There is a DB with a large number of columns (namely 36). I need to INSERT into it the data that comes in the $_POST request. Among the data that comes in $_POST there are mandatory fields (without which I won’t be able to write to the database, because they are needed) and optional ones (that is, additional information; if I don’t add them to the database, it’s okay).

The question is actually the following: how to implement the most efficient check of everything that came to me in $_POST. Now I am doing the following:

I created 2 arrays (one with the names of the obligatory DB columns, $base_keys, and the other with all of them, $all_keys)

foreach - I run through all the incoming $_POST and check the key for presence in the above arrays and that the value is not empty, and everything that passes validation I add to $into_sql

$base_counter = 0;
$into_sql = '';
foreach($_POST as $key=>$value){
    if(!empty($value) && in_array(strtoupper($key), $all_keys)) {
        // $base_keys is keyed by (upper-case) column name
        if(array_key_exists(strtoupper($key), $base_keys)) {
            $base_counter++; // counts the number of mandatory columns
        }
        $into_sql .= "`".$key."`='".$this->db->safeSQL($value)."', ";
    }
}

if($base_counter >= sizeOf($base_keys)){
    $this->db->query("INSERT INTO `some_table` SET ".$into_sql." SERVER_DATE=NOW()");
}


In principle, everything works as I need; the only thing I would like to know from professionals is how effective this code is in terms of security, speed and reliability, and whether there is a better option (or options).


7 answer(s)
egorinsk, 2012-07-12
@Severovostok

I would remove strtoupper. It's not needed. If the programmer on the client side has confused capital letters with small ones, let him correct the error himself rather than having the script do it for him.
Assembling a database query by hand is clumsy. I would dump everything into an array and pass it through placeholders like execute("INSERT INTO ?table (?#) VALUES (?a)", $table, array_keys($data), array_values($data))
Otherwise it's normal code that does its job. Although, of course, someone will suggest making models, repositories, unit-of-work and whatever else Martin Fowler came up with for these purposes.
If you're wondering how to make this more complicated, read the manuals for any framework like Yii or Zend or Symfony or Ruby on Rails or Django. There you will be told about models, validators, storages, backends, abstraction layers and other tricks.
And yes, all these ORMs and frameworks for PHP are heavy and ugly, and the language itself, because the application has to be initialized anew on each request, does not allow them to be made decent, so from a performance point of view it is better to write everything by hand.
But I would not write such code, since I need the model's properties and the form fields for editing it to be kept in one place, not scattered across the HTML, JavaScript and PHP handlers. Later you will forget where to change something when, for example, you want to change the label of an input field. Also, your code does not validate the transmitted data (pass whatever you want and it will write everything to the database), nor does it do mapping / serialization / JSON-ization, but I need all of that.

dxArtem, 2012-07-12
@dxArtem

There is a very cool function:
www.php.net/manual/en/function.filter-input-array.php

/* data actually came from POST
$_POST = array(
    'product_id'    => 'libgd<script>',
    'component'     => '10',
    'versions'      => '2.0.33',
    'testscalar'    => array('2', '23', '10', '12'),
    'testarray'     => '2',
);
*/

$args = array(
    'product_id'   => FILTER_SANITIZE_ENCODED,
    'component'    => array('filter'    => FILTER_VALIDATE_INT,
                            'flags'     => FILTER_REQUIRE_ARRAY, 
                            'options'   => array('min_range' => 1, 'max_range' => 10)
                           ),
    'versions'     => FILTER_SANITIZE_ENCODED,
    'doesnotexist' => FILTER_VALIDATE_INT,
    'testscalar'   => array(
                            'filter' => FILTER_VALIDATE_INT,
                            'flags'  => FILTER_REQUIRE_SCALAR,
                           ),
    'testarray'    => array(
                            'filter' => FILTER_VALIDATE_INT,
                            'flags'  => FILTER_REQUIRE_ARRAY,
                           )

);

// one entry per key in $args: the validated value, null if the key was not sent, false if it failed the filter
$myinputs = filter_input_array(INPUT_POST, $args);
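A combined illustration of the two suggestions above (filter-based validation as in dxArtem's answer and a placeholder-based INSERT as in egorinsk's), added here as an example and not code from either poster or from the asker; the column names, filters, table name and the PDO connection are assumptions, and filter_var_array stands in for filter_input_array so the sample payload can be an ordinary constructed array:

```php
<?php
declare(strict_types=1);

// Whitelists of allowed columns: these keys are the only column names that can ever reach the SQL.
// The column names, filters and table name below are assumed for the example.
$required = [
    'email'   => FILTER_VALIDATE_EMAIL,
    'user_id' => ['filter' => FILTER_VALIDATE_INT, 'options' => ['min_range' => 1]],
];
$optional = [
    'phone'   => ['filter'  => FILTER_VALIDATE_REGEXP,
                  'options' => ['regexp' => '/^\+?[0-9 ]{5,20}$/']],
    'comment' => FILTER_UNSAFE_RAW,   // stored verbatim; escape it on output, not here
];

// Returns the row to insert, or null when a required field is missing or invalid.
function validatePost(array $post, array $required, array $optional): ?array
{
    // Unknown keys in $post are ignored; missing keys come back as null, failed filters as false.
    $checked = filter_var_array($post, $required + $optional);
    if ($checked === false) {
        return null;
    }
    $row = [];
    foreach (array_keys($required) as $col) {
        if ($checked[$col] === null || $checked[$col] === false) {
            return null;               // reject the whole request
        }
        $row[$col] = $checked[$col];
    }
    foreach (array_keys($optional) as $col) {
        if ($checked[$col] === null || $checked[$col] === false || $checked[$col] === '') {
            continue;                  // absent or bad optional field: simply not inserted
        }
        $row[$col] = $checked[$col];
    }
    return $row;
}

// Builds the INSERT from whitelisted column names only; every value goes through a placeholder.
function insertRow(PDO $db, string $table, array $row): void
{
    $cols  = implode(', ', array_map(fn(string $c): string => "`$c`", array_keys($row)));
    $marks = implode(', ', array_fill(0, count($row), '?'));
    $stmt  = $db->prepare("INSERT INTO `$table` ($cols, `SERVER_DATE`) VALUES ($marks, NOW())");
    $stmt->execute(array_values($row));
}

// Constructed sample payload standing in for $_POST: 'phone' fails its regexp and is dropped,
// 'evil' is not whitelisted and never reaches the query.
$post = ['email' => 'a@example.com', 'user_id' => '7', 'phone' => 'abc', 'comment' => 'hi', 'evil' => 'x'];
$row  = validatePost($post, $required, $optional);
// null here means a 400 response; otherwise connect (assumed $dsn) and insert:
// $db = new PDO($dsn, $user, $pass, [PDO::ATTR_EMULATE_PREPARES => false]);
// insertRow($db, 'some_table', $row);
```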

Mikhail Osher, 2012-07-12
@miraage

www.php.net/manual/en/class.filteriterator.php
www.php.net/manual/en/class.callbackfilteriterator.php

CrazySquirrel, 2012-07-12
@CrazySquirrel

For such things, data schemas are used.
If the ORM allows it, the schema can be retrieved from the DB and cached. This avoids making changes in two places when the DB structure changes.

EugeneOZ, 2012-07-12
@EugeneOZ

“without which I won’t be able to write them to the database, because the value is not null” - you can write; NOT NULL does not oblige you to fill it in. It will just be 0 in a numeric field, or an empty string in a string field.
