Michal Michal - 1 year ago 48
MySQL Question

How to build a dynamic MySQL INSERT statement with PHP


This part of a form is showing columns names from mysql table (names of applications installed on a computer) and creating a form with YES/NO option or input type="text" box for additional privileges to a application..

How can I insert it back to a mysql table using POST and mysql_query INSERT INTO?????

Quantity of columns is changing because there is another form for adding applications with/without privileges..

<tr bgcolor=#ddddff>';

//mysql_query for getting columns names
$result = mysql_query("SHOW COLUMNS FROM employees") or die(mysql_error());
while ($row = mysql_fetch_array($result))
//exclude these columns bcs these are in other part of form
if($row[0] == 'id' || $row[0] == 'nameandsurname' || $row[0] == 'department'
|| $row[0] == 'phone' || $row[0] == 'computer' || $row[0] == 'data')
echo '<td bgcolor=#ddddff>'.$row[0].'<br />';

if (stripos($row[0], "privileges") !== false) {
echo '<td bgcolor=#ddddff><p><a class=hint href=#>
<input type="text" name="'.$row[0].'">
<span>Privileges like "occupation" or "like someone"</span></a></p></td></tr>';
echo '<td bgcolor=#ddddff align=center><select name="'.$row[0].'">
<option value = "No">No
<option value = "Yes">Yes

trim($_POST); // ????

$query = "INSERT INTO 'employees' VALUES (??)"; // ????

Answer Source

Because you're not inserting ALL columns, you need to dynamically build an insert statement that will specify the columns you're inserting into.

First, create an array of the columns you want to use. Use this both to generate your form and to retrieve the values

$exclude = array("id", "nameandsurname", "departument", "phone", "computer", "date");
$result = mysql_query("SHOW COLUMNS FROM employees") or   die(mysql_error());
$columns = array();
while ($row = mysql_fetch_array($result)) {
    if (!in_array($row[0], $exclude) {
        $columns[] = $row[0];

Render your form from the $columns array:

foreach ($columns as $column) {
    echo '<tr><td bgcolor="#ddddff">'.$column.'<br />';
    if (stripos($column, "privileges") !== false) {
        echo '<p><a class="hint" href="#">
                <input type="text" name="'.$column.'">
                <span>Privileges like "occupation" or "like  someone"</span></a>';
    } else {
        echo '<select name="'.$column.'">
                <option value = "No">No
                <option value = "Yes">Yes
    echo '</td></tr>';

Then, dynamically build your INSERT string from the posted values for those columns. Be sure to protect against SQL injection:

$keys = array();
$values = array();
foreach ($columns as $column) {
    $value = trim($_POST[$column]);
    $value = mysql_real_escape_string($value);
    $keys[] = "`{$column}`";
    $values[] = "'{$value}'";
$query = "INSERT INTO 'employees' (" . implode(",", $keys) . ") 
          VALUES (" . implode(",", $values. ");";

Note: this will work better if you select from INFORMATION_SCHEMA.COLUMNS so that you can know the type of column you're inserting into. That way, you won't have to quote everything.