I'd do the following:
<?php
$array = array('name1', 'name2', 'name3');
$comma = '';
$comma_separated = '';
foreach ($array as $value) {
    // Escape each value; the separator stays empty for the first element,
    // so the list does not start with a comma.
    $comma_separated .= $comma . mysql_real_escape_string($value);
    $comma = ',';
}
// Every string value is escaped before it is placed inside the quotes.
$result = mysql_query(
    "INSERT INTO uploadfile (UF_ID,UF_NAME,GENRE,CAT_ID,SUB_CAT_ID,TAG,DESCRIPTION) VALUES('"
    . mysql_insert_id() . "','{$comma_separated}','"
    . mysql_real_escape_string($GENRE) . "','1','1','"
    . mysql_real_escape_string($tag) . "','"
    . mysql_real_escape_string($optionaldescription) . "');"
);
if (!$result) {
    die(mysql_error());
}
?>
Take note of the use of mysql_real_escape_string(); this function escapes the input for SQL and protects you from SQL injection. Also, if you had escaped the values earlier*, I'd advise you to use interpolation in your SQL query string. Like this:
"'1', '1', '{$tag}'"
Not:
"'1', '1', '$tag'"
Notice that I've changed how mysql_insert_id() is used too. For the same reason.
* Like I've done with $comma_separated
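
An added example, not part of the original answer: the same insert written with PDO prepared statements, which keep the values out of the SQL text entirely and also run on PHP 7+, where the mysql_* functions no longer exist. The in-memory SQLite database, the column types, the insert_upload() helper and the sample values are assumptions made for the demo, and UF_ID is left for the database to assign.

```php
<?php
// Added example: bound parameters instead of escaping and string concatenation.
// insert_upload() is a hypothetical helper, not code from the answer.
function insert_upload(PDO $db, array $names, string $genre, string $tag, string $description): int
{
    $stmt = $db->prepare(
        'INSERT INTO uploadfile (UF_NAME, GENRE, CAT_ID, SUB_CAT_ID, TAG, DESCRIPTION)
         VALUES (:name, :genre, :cat, :sub_cat, :tag, :description)'
    );
    $stmt->execute([
        ':name'        => implode(',', $names), // no leading or trailing comma
        ':genre'       => $genre,
        ':cat'         => 1,
        ':sub_cat'     => 1,
        ':tag'         => $tag,
        ':description' => $description,
    ]);
    return (int) $db->lastInsertId();
}

// Assumption: SQLite in memory stands in for the MySQL server so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE uploadfile (
    UF_ID INTEGER PRIMARY KEY AUTOINCREMENT, UF_NAME TEXT, GENRE TEXT,
    CAT_ID INTEGER, SUB_CAT_ID INTEGER, TAG TEXT, DESCRIPTION TEXT)');

// Constructed input: values containing quotes and SQL punctuation.
$tag = "it's a 'quoted' tag; --";
$id  = insert_upload($db, ['name1', 'name2', 'name3'], 'rock', $tag, "optional 'text'");

// Read the row back, again with a bound parameter.
$check = $db->prepare('SELECT UF_NAME, TAG FROM uploadfile WHERE UF_ID = :id');
$check->execute([':id' => $id]);
$row = $check->fetch(PDO::FETCH_ASSOC);

// The values come back byte for byte: they were treated as data, never as SQL.
if ($row['UF_NAME'] !== 'name1,name2,name3' || $row['TAG'] !== $tag) {
    throw new RuntimeException('stored row does not match the input');
}
echo "row {$id} stored unchanged\n";
```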