php mysql checkbox insert-statement

Checkboxes Inserting Into MySql Database


I have a survey type form, and in a number of the questions, the user has the option to tick more than one box.

I am storing these answers in a MySQL database; however, at the moment the database only stores the very last checkbox that is ticked. Is there any way to store all the checked values, possibly separated by a comma or semi-colon?

Here is my code:

        $q1 = mysql_escape_string($_POST['q1']);
        $q2 = mysql_escape_string($_POST['q2']);
        $q3 = mysql_escape_string($_POST['q3']);            
        $q4 = mysql_escape_string($_POST['q4']);
        $q5 = mysql_escape_string($_POST['q5']);            
        $q6 = mysql_escape_string($_POST['q6']);
        $q7 = mysql_escape_string($_POST['q7']);
        $q8 = mysql_escape_string($_POST['q8']);
        $q9 = mysql_escape_string($_POST['q9']);
        $q10 = mysql_escape_string($_POST['q10']);
        $q11 = mysql_escape_string($_POST['q11']);
        $q12 = mysql_escape_string($_POST['q12']);
        $q13 = mysql_escape_string($_POST['q13']);
        $q14 = mysql_escape_string($_POST['q14']);
        $email = mysql_escape_string($_POST['email']);

        require_once('connection.php');

        $sql="INSERT INTO survey (Question1, Question2, Question3, Question4, Question5, Question6, Question7, Question8, Question9, Question10, Question11, Question12, Question13, Question14, eMail) VALUES ('$q1', '$q2', '$q3', '$q4', '$q5', '$q6', '$q7', '$q8', '$q9', '$q10', '$q11', '$q12', '$q13', '$q14', '$email')";

        if (!mysql_query($sql,$conn))
        {
            die('Error: ' . mysql_error());
        }

        mysql_close($conn);

Solution

  • First, mysql_escape_string is deprecated - you should use mysql_real_escape_string.

    Secondly, this would allow anyone malicious to insert different values into the results, such as 2's and 3's. You need to make every value conform to 0 or 1. To do that, I'd recommend you cast to a bool then an int:

    $q1 = (int)((bool)$_POST['q1']);
    $q2 = (int)((bool)$_POST['q2']);
    ...
    

    For your HTML, each checkbox needs a value attribute of '1'.

    Since these are integer only, there is no need to escape them.
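
The answer's 0/1 normalisation, extended to the multi-tick case the question asks about, as an added example that is not part of the original question or answer. It assumes checkboxes named `q1[]`, a hypothetical allow-list `Q1_ALLOWED` and helper names, and PDO prepared statements with an in-memory SQLite database standing in for the MySQL connection so it runs offline.

```php
<?php
// Added example, not from the original post. Assumptions: multi-answer
// checkboxes are named q1[] with values from a fixed list, single checkboxes
// send value="1", and SQLite in memory stands in for the MySQL connection.

const Q1_ALLOWED = ['red', 'green', 'blue'];   // hypothetical option values

// Collapse a single checkbox to 0 or 1, as the answer recommends.
// An unticked box is absent from the POST data, hence the ?? default.
function checkbox_flag(array $post, string $name): int
{
    return (int) (bool) ($post[$name] ?? false);
}

// Keep only submitted values that are on the allow-list, then join them.
function checkbox_list(array $post, string $name, array $allowed): string
{
    $submitted = $post[$name] ?? [];
    if (!is_array($submitted)) {
        $submitted = [$submitted];
    }
    // Drop nested arrays and other non-string input before comparing.
    $submitted = array_filter($submitted, 'is_string');
    return implode(',', array_values(array_intersect($allowed, $submitted)));
}

// Constructed sample submission; "purple" and "3" are tampered values.
$post = [
    'q1'    => ['red', 'blue', 'purple'],
    'q2'    => '3',
    'email' => "a'b@example.com",
];

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE survey (Question1 TEXT, Question2 INTEGER, eMail TEXT)');

// Placeholders keep the values out of the SQL text, so no escaping is needed.
$stmt = $pdo->prepare(
    'INSERT INTO survey (Question1, Question2, eMail) VALUES (?, ?, ?)'
);
$stmt->execute([
    checkbox_list($post, 'q1', Q1_ALLOWED),
    checkbox_flag($post, 'q2'),
    (string) ($post['email'] ?? ''),
]);

print_r($pdo->query('SELECT * FROM survey')->fetch(PDO::FETCH_ASSOC));
```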