3

I have a question regarding implode() in PHP. I have this array:

$user_data = array(
    'user_id_num' => $_POST['userid'],
    'fullname' => $_POST['userfname'],
    'username' => $_POST['useruname'],
    'password' => $password_hash
);

What I want to achieve is like this, for example:

for the fields

`user_id_num`,`fullname`,`username`,`password`

and for the values

'2159','Sample Name','example','mypassword' <- hash password

What I have tried so far is this:

$user_fields = '`' . implode('`, `', $user_data) . '`';
$user_data   = '\'' . implode('\', \', $user_data) . '\'';

But I can't get what I want to achieve. Can someone help me with this? Thanks in advance.

ToBe
Pengun
  • You can use plain old `implode($user_data)` for your values and a `implode(array_keys($user_data))` for your keys. – ToBe Jan 30 '14 at 15:16
  • What do you mean by that? Will I still be able to achieve what I want if I use just `implode($user_data)`? – Pengun Jan 30 '14 at 15:18
  • I don't know if you're trying to do SQL with that but please DON'T! Use some ORM if that's what you were doing. – marctrem Jan 30 '14 at 15:21
  • @Pengun try it out. var_dump the results of both variants and you will see what and how they do. Or just copy&paste one of the other solutions. I would HIGHLY suggest playing with var_dump and understanding what you do there though. – ToBe Jan 30 '14 at 15:23
  • @ToBe Thanks, I will take note of that. – Pengun Jan 30 '14 at 15:25

2 Answers

5

Try

$user_fields = '`' . implode('`, `', array_keys($user_data)) . '`';
$user_data   = "'" . implode("', '", array_values($user_data)) . "'";
Nouphal.M
0

I would not quote-implode strings like this; while it may work, it's hard to read and prone to errors. The correct thing would be to quote each individual entry properly and implode the result merely with commas:

$fields = join(',', array_map(function ($field) { return "`$field`"; }, array_keys($user_data)));
// Escape each value and wrap it in single quotes (legacy mysql_ extension)
$data   = join(',', array_map(function ($value) { return "'" . mysql_real_escape_string($value) . "'"; }, $user_data));

The field names are controlled by you, as such quoting them with a backslash is sufficient. For the user supplied data you need to run it through a proper SQL escaping function or better yet use prepared statements. The above demonstrates the legacy method of using the mysql_ extension, something you really shouldn't be doing anymore these days.

The code should look more like this:

$fields = join(',', array_map(function ($field) { return "`$field`"; }, array_keys($user_data)));
$placeholders = join(',', array_map(function ($field) { return ":$field"; }, array_keys($user_data)));

$stmt = $pdo->prepare("INSERT INTO foo ($fields) VALUES ($placeholders)");
$stmt->execute($user_data);
deceze
  • Thanks, but I find your code more complicated for me and I want to learn how to properly use this `implode()` method. – Pengun Jan 30 '14 at 15:28
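
The prepared-statement approach from the second answer, as an added example that is not part of the original thread: it builds the field and placeholder lists with `implode()`, checks the array keys against an allow-list of columns (keys end up in the SQL text and cannot be bound), and runs against an in-memory SQLite database. The `users` table, the `build_insert()` helper and the sample values are assumptions made for this example, and it needs the `pdo_sqlite` extension.

```php
<?php
// Added example, not code from the thread. Assumptions: pdo_sqlite is
// available; the `users` table and build_insert() helper are hypothetical.

function build_insert(string $table, array $row, array $allowed): array
{
    if ($row === []) {
        throw new InvalidArgumentException('No columns given');
    }
    // Column names cannot be bound as parameters, so accept only known ones.
    $unknown = array_diff(array_keys($row), $allowed);
    if ($unknown !== []) {
        throw new InvalidArgumentException('Unexpected column(s): ' . implode(', ', $unknown));
    }
    // Same implode() pattern as in the question, applied to the keys only.
    $fields       = '`' . implode('`, `', array_keys($row)) . '`';
    $placeholders = ':' . implode(', :', array_keys($row));
    // $table is fixed by the caller in this example, never taken from input.
    return ["INSERT INTO `$table` ($fields) VALUES ($placeholders)", $row];
}

$allowed = ['user_id_num', 'fullname', 'username', 'password'];

// Constructed sample input standing in for $_POST; note the quote in the name.
$user_data = [
    'user_id_num' => '2159',
    'fullname'    => "Sample O'Name",
    'username'    => 'example',
    'password'    => password_hash('mypassword', PASSWORD_DEFAULT),
];

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user_id_num TEXT, fullname TEXT, username TEXT, password TEXT)');

[$sql, $params] = build_insert('users', $user_data, $allowed);
echo $sql, PHP_EOL;
$pdo->prepare($sql)->execute($params);

// The value is bound, so the quote is stored as data and needs no escaping.
$stored = $pdo->query('SELECT fullname FROM users')->fetchColumn();
var_dump($stored === "Sample O'Name");

// A key outside the allow-list is rejected before any SQL is built.
try {
    build_insert('users', ['username' => 'x', 'is_admin' => '1'], $allowed);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```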