INSERT array multidimensional into database

Question

i'm newbie in PHP, and sorry for my English. I had read all the questions about this topic in this forum, but i still cant find the solution for my PHP. I have 2 session here, first to save data person, and second to save cart. Here my session structure

<?php
$id_pers person = $_SESSION['person'] ; //its contain just id


//for second $_SESSION['cart'] structure when i print_r is like this
Array (
[0] => Array (
   [item_id] => 4
   [item_name] => Notebook
   [item_qty] => 1
   [price] => 750
 )
[1] => Array (
   [item_id] => 5
   [item_name] => Keyboard
   [item_qty] => 1
   [price] => 70
 )
[2] => Array (
   [item_id] => 6
   [item_name] => Mouse
   [item_qty] => 1
   [price] => 50
 )
)
?>

The problem is when i save array into database its just one array is saved, the other array cant save into database. Here my insert function what i wrote from watching video tutorial:

<?php
function save($array, $connect){
  if(is_array($array)){
     $id_person = $_SESSION['person'];
     foreach($array as $row => $value) {
         $item_id = mysqli_real_escape_string($connect, $value['item_id'];
         $item_qty = mysqli_real_escape_string($connect, $value['item_qty'];
         $sql = "INSERT INTO tbl_order(id_person,item_id,qty) VALUES ('".$id_person."','".$item_id."','".$item_qty."')";
         mysqli_query ($connect, $sql);
     }
   }
 }
save($_SESSION['cart'], $ connect);
?>

Please tell me where is my mistake on my script for inserting data array into table. Thanks :)

Answer 1

Syntax error

  $item_id = mysqli_real_escape_string($connect, $value['item_id'];
  $item_qty = mysqli_real_escape_string($connect, $value['item_qty];

Missing the ' and a ) 2x

 $item_id = mysqli_real_escape_string($connect, $value['item_id']);
 $item_qty = mysqli_real_escape_string($connect, $value['item_qty']);

And change this (this is ok, just not the best way to do it):

function save($array, $connect){
    if(is_array($array)){

to

 function save(array $array, $connect){

Now if you pass in something other then an array PHP with issue an error. It's called type hinting and it lets us get rid of that check as we are guaranteed that only arrays can be passed as that argument. With manual checking your code would just fail silently and you wouldn't know why.

I would probably toss a if(!session_id()) session_start(); in there to be safe. If there is no session ID, then create a session. You cannot store data to the session unless it's started.

So like this:

<?php
function save(array $array, $connect){

     if(!session_id()) session_start();

     //don't trust this who knows where it came from, QQ'n not me.
     $id_person = mysqli_real_escape_string($connect, $_SESSION['person']);
     foreach($array as $row => $value) {
         $item_id = mysqli_real_escape_string($connect, $value['item_id']);
         $item_qty = mysqli_real_escape_string($connect, $value['item_qty']);
         $sql = "INSERT INTO tbl_order(id_person,item_id,qty) VALUES ('".$id_person."','".$item_id."','".$item_qty."')";
         mysqli_query ($connect, $sql);
     }
 }

save($_SESSION['cart'], $ connect);
?>

-NOTE- It's also preferred to prepare queries instead of escaping them.

Cheers.

Answer 2

Assuming those numbers are integers and not strings your code should look more like:

<?php
session_start(); // before headers are sent
function saveCart($connect){
  if(!(isset($_SESSION['person'], $_SESSION['cart']) && is_int($_SESSION['person']) && is_array($_SESSION['cart']))){ // remember $_SESSION is a super global
    return false;
  }
  $id = $_SESSION['person']; $cartArray = $_SESSION['cart'];
  foreach($cartArray as $a){
     $stmt = $connect->prepare('INSERT INTO tbl_order (id_person, item_id, qty) VALUES (?, ?, ?)');
     $stmt->bind_param('iii', $id, $a['item_id'], $a['item_qty']); $stmt->execute();
  }
  return true;
}
if(saveCart($connect) === true){
  echo 'Cart Saved';
}
else{
  echo 'Cart was not Saved';
}
?>

Prepared statements are the way to go.