public function add($table, $data, $exclude = array()){
$fields = $values = array();
if( !is_array($exclude) ) $exclude = array($exclude);
foreach( array_keys($data) as $key ) {
if( !in_array($key, $exclude) ) {
$fields[] = "'$key'";
$values[] = "'" . $this->db->real_escape_string($data[$key]) . "'";
}
}
$fields = implode(",", $fields);
$values = implode(",", $values);
$query = "INSERT INTO $table($fields) VALUES ($values)";
if(!$result = $this->db->query($query)) {
echo "Prepare failed: (" . $this->db->errno . ") " . $this->db->error;
}
}
Error
Prepare failed: (1064) You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''name','address','country','type','status') VALUES ('Starbucks','Washington ','U' at line 1
$food->add("food", $_POST, "add");
Tested printing fields and values and they were correct. So called the function add and then got the error on syntax, but couldn't figure where query went wrong.
Key should be wrapped in ` instead of '
$fields[] = "`$key`";
Related
I have error in this when I upload the data from .csv file from other php file, and my error is :-
"You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near "
function array_to_sql($queryData , $table , $multiple = true){
// Create connection
$conn = new mysqli("localhost","root", "", "mydata");
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
//If multiple data
else
{
foreach($queryData as $queryEntry)
{
if (count($queryEntry) > 0) {
foreach ($queryEntry as $key => $value) {
$value = "'$value'";
$updates[] = "$key = $value";
}
}
$implodeArray = implode(', ', $updates);
//print_r($updates);
$sql = "INSERT INTO `$table` (`".implode("` , `",array_keys($queryEntry))."`) VALUES('".implode("' , '",array_values($queryEntry))."') ON DUPLICATE KEY UPDATE $implodeArray";
if ($conn->query($sql) === TRUE) {
echo "Request Updated";
} else {
echo "Error: ". "<br>" . $conn->error . $sql;
}
}
}
}
?>
Your CSV fields contain spaces, which is not allowed for MySQL field names.
You need to manipulate $key or put it in quotes as is
if (count($queryEntry) > 0) {
foreach ($queryEntry as $key => $value) {
$key='`'.$key.'`';
$value = "'$value'";
$updates[] = "$key = $value";
}
}
I have been retrieving call logs from a cdr and dumping them into a database in MySQL. Of late the database crashes and the was giving me duplicates and junk characters so i modified to the below code.
modified code
$file1 = file_get_contents('file:///C:/Users/thy/Desktop/2011_0419_1531_v3.12R/cdr/'.$newname, FILE_USE_INCLUDE_PATH);
$arr1 = explode("\n", $file1);
foreach ($arr1 as $key => $value) {
$colArray = [];
$colArray['id'] = null;
$colArray['hashkey'] = md5(uniqid(rand(), true));
$split = explode(";", $value);
foreach ($split as $key => $val) {
# code...
$arr = (explode('=', $val));
$field = 'ch';
$item = '0';
$field = $arr[0];
$item = $arr[1];
$item = str_replace(str_split(')(\/'), '', $item);
$colArray[$field] = $item;
}
$columns = implode(', ', array_keys($colArray));
$values = implode(', ', $colArray);
$sql = "INSERT INTO `call`.`logs` (" . $columns . ") VALUES (" . $values . ")";
if ($conn->query($sql) === TRUE) {
echo "New record created successfully";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
}
the above code keeps giving me errors
Error: INSERT INTO call.logs (id, hashkey, ) VALUES (,
797d8782a433b30e196fafc0ce01d09b, )You have an error in your SQL
syntax; check the manual that corresponds to your MySQL server version
for the right syntax to use near ') VALUES (,
797d8782a433b30e196fafc0ce01d09b, )' at line 1
Original code is below (the one i modified it from)
$file1 = file_get_contents('file:///C:/Users/thy/Desktop/2011_0419_1531_v3.12R/cdr/'.$newname, FILE_USE_INCLUDE_PATH);
$arr1 = explode("\n", $file1);
$data1 = array();
foreach ($arr1 as $key => $value) {
$split = explode(";", $value);
$keys = md5(uniqid(rand(), true));
//insert key to identify call.
$sql = "INSERT INTO `call`.`logs` (`id`, `hashkey`) VALUES (NULL, '{$keys}')";
if ($conn->query($sql) === TRUE) {
echo "New record created successfully";
} else {
echo "Error: " . $sql . "<br>" . $conn->error;
}
foreach ($split as $key => $val) {
# code...
$arr=(explode('=', $val));
$field='ch';
$item='0';
$field=$arr[0];
$item=$arr[1];
echo $field . " --";
echo "<br/>";
echo $item;
//sql
$sql = "UPDATE logs SET {$field}='{$item}' WHERE hashkey='{$keys}'";
if ($conn->query($sql) === TRUE) {
echo "Record updated successfully";
} else {
echo "Error updating record: " . $conn->error;
}
echo "done";
//$conn->close();
} echo "<br/>";
}
?>
<?php
I think the problem is with the generated/devised INSERt statement
INSERT INTO call.logs (" . $columns . ") VALUES (" . $values . ")";
There is an extra comma getting appended without column name?
If id is an autoincremental field. Try this:
INSERT INTO call.logs (id, hashkey) VALUES (default, '797d8782a433b30e196fafc0ce01d09b')
It's far from perfect, but I'm trying to create a function to insert data into a SQL table, using MySQLI. I want to create a generic function, to insert different types of data in different databases. I have the following so far:
/**
* Add data to specified table. Data consist of column name as key, and value.
* Table is a string of the table to insert into.
* #param array $data
* #param string $table
* #return string
*/
private function insert( $data = array(), $table = null ){
foreach( $data as $key => $value ){
// Create arrays of separate keys and values
$keys[] = $key;
$values[] = $value;
// Get type of data
switch( gettype( $value ) ){
case "integer":
$types[] = "i";
break;
case "string":
$types[] = "s";
break;
default:
$types[] = "i";
break;
};
// for each variable, add a questionmark
$vars[] = "?";
}
// Create strings out of the data
$key = implode( ",", $keys );
$var = implode( ",", $vars );
$type = implode( "", $types );
$value = '"' . implode( '\", \"', $values ) . '"';
// prepare SQL statement
// var_dump( $sql ) = 'INSERT INTO table (var1,var2,var3) VALUES (?,?,?)'
$sql = "INSERT INTO " . $table . " (" . $key . ") VALUES (" . $var . ")";
// Prepare SQL insert
// $this->conn = new mysqli($this->server, $this->user, $this->pass, $this->name);
if( ! ( $stmt = $this->conn->prepare( $sql ) ) ) {
return "Preparing failed!: (" . $this->conn->errno . ") " . $this->conn->error;
}
// Bind parameters. THIS IS WHERE THE ISSUE IS!
if( ! $stmt->bind_param( $type, $values ) ) {
return "Binding failed! (" . $stmt->errno . ") " . $stmt->error;;
}
// Execute the statement
if( ! $stmt->execute() ){
return "Executing failed! (" . $stmt->errno . ") " . $stmt->error;;
}
}
The issue is at binding the parameters. I can't find a good way to bind them, as I've got multiple variables with values and keys, but they're all in array format, and bind_param requires a new variable for each
In short, I'm looking for a way to add an array of unspecified length into my SQL (in a secure way, ofcourse).
If you are using php 5.6+, you can use the ... operator to unpack an array.
In your example:
$stmt->bind_param( $type, ...$values )
See example #14 in the manual.
/* Bind parameters. Types: s = string, i = integer, d = double, b = blob */
$a_params = array();
$param_type = '';
$n = count($a_param_type);
for($i = 0; $i < $n; $i++) {
$param_type .= $a_param_type[$i];
}
/* with call_user_func_array, array params must be passed by reference */
$a_params[] = & $param_type;
for($i = 0; $i < $n; $i++) {
/* with call_user_func_array, array params must be passed by reference */
$a_params[] = & $a_bind_params[$i];
}
/* Prepare statement */
$stmt = $conn->prepare($sql);
if($stmt === false) {
trigger_error('Wrong SQL: ' . $sql . ' Error: ' . $conn->errno . ' ' . $conn->error, E_USER_ERROR);
}
/* use call_user_func_array, as $stmt->bind_param('s', $param); does not accept params array */
call_user_func_array(array($stmt, 'bind_param'), $a_params);
/* Execute statement */
$stmt->execute();
/* Fetch result to array */
$res = $stmt->get_result();
while($row = $res->fetch_array(MYSQLI_ASSOC)) {
array_push($a_data, $row);
}
Reference: http://www.pontikis.net/blog/dynamically-bind_param-array-mysqli
I have the following function:
function insert($database, $table, $data_array)
{
# Connect to MySQL server and select database
$mysql_connect = connect_to_database();
mysql_select_db ($database, $mysql_connect);
# Create column and data values for SQL command
foreach ($data_array as $key => $value)
{
$tmp_col[] = $key;
$tmp_dat[] = "'$value'";
}
$columns = join(",", $tmp_col);
$data = join(",", $tmp_dat);
# Create and execute SQL command
$sql = "INSERT INTO ".$table."(".$columns.")VALUES(". $data.");";
$result = mysql_query($sql, $mysql_connect);
# Report SQL error, if one occured, otherwise return result
if(mysql_error($mysql_connect))
{
echo "MySQL Update Error: ".mysql_error($mysql_connect);
$result = "";
}
else
{
return $result;
}
}
The values in php are the following:
$content_table = "p_content";
$insert_array['title'] = $title;
$insert_array['content'] = $content;
$insert_array['url'] = $get_source;
$insert_array['video'] = $video;
$insert_array['date'] = $date;
insert(DATABASE, $content_table, $insert_array);
The result of all this adds a row with id (key, autoimcrement), url, and date. Title, content and video are blank. If I echo title I get the correct result, if i var_dump the title I get string(15)"blablablabla", again correct.
Now if I hand set the $title = "asdf"; it is getting inserted correctly. Same goes for content and video.
table structure
id int(8) unsigned NO PRI NULL auto_increment
title varchar(1000) YES NULL
content longtext YES NULL
video varchar(3000) YES NULL
url varchar(300) YES NULL
date date YES NULL
Try adding quotes to your variables. :-) The reason is that you MYSQL column types are set as VARCHAR. And inserting data requires that you surround your inserts with quotes.
B.T.W. if this is new code I would recommend to switch to the MYSQLI or PDO library.
Try:
function insert($database, $table, $data_array)
{
# Connect to MySQL server and select database
$mysql_connect = connect_to_database();
mysql_select_db($database, $mysql_connect);
$cols = array();
$vals = array();
foreach ($data_array as $key => $value) {
$cols[] = "`" . $key . "`";
if (is_int($value) || is_float($value)) {
$vals[] = $value;
} else {
$vals[] = "'" . mysql_real_escape_string($value) . "'";
}
}
$sql = "INSERT INTO " . $table
. ' (' . implode(', ', $cols) . ') '
. 'VALUES (' . implode(', ', $vals) . ')';
$result = mysql_query($sql, $mysql_connect);
# Report SQL error, if one occured, otherwise return result
if(mysql_error($mysql_connect)) {
echo "MySQL Update Error: " . mysql_error($mysql_connect);
$result = ""; // FIXME should probably return false here
} else {
return $result;
}
}
IMPORTANT
Your code and the above is potentially vulnerable to SQL Injections. Go read about them.
I have this function
function updateDbRecord($db, $table, $carry, $carryUrl) {
mysql_select_db($db) or die("Could not select database. " . mysql_error());
$resultInsert = mysql_query("SHOW COLUMNS FROM " . $table . " WHERE Field NOT IN ('id')");
$fieldnames=array();
if (mysql_num_rows($resultInsert) > 0) {
while ($row = mysql_fetch_array($resultInsert)) {
$fieldnames[] = $row['Field'];
$arr = array_intersect_key( $_POST, array_flip($fieldnames) ); #check if value is null otherwise do not INSERT
}
}
$set = "";
foreach($arr as $key => $v) {
$val = is_numeric($v) ? $v : "'" . $v . "'";
$set .= $key . '=' . $val . ', ';
}
$sql = sprintf("UPDATE %s SET %s WHERE id='%s'", $table, $set, $_POST['id']);
mysql_query($sql);
if ($carry == 'yes') {
redirect($carryUrl.'?id='.$_REQUEST['id']);
} else { echo "Done!"; }
echo $sql;
}
It outputs for example: UPDATE projects SET project_name='123', project_bold='123', project_content='123', WHERE id='12'
The last comma before where is preventing it from working. Is there a way of avoiding this? Im aware of the function implode, however I am not sure how to employ it in this situation.
Yes,
$sql = substr($sql,'',-1);
I would use
$sql = rtrim($sql, ',');
Either that or instead of appending to a string, append to an array and use implode.
function updateDbRecord($db, $table, $carry, $carryUrl) {
mysql_select_db($db) or die("Could not select database. " . mysql_error());
$resultInsert = mysql_query("SHOW COLUMNS FROM " . $table . " WHERE Field NOT IN ('id')");
$fieldnames=array();
if (mysql_num_rows($resultInsert) > 0) {
while ($row = mysql_fetch_array($resultInsert)) {
$fieldnames[] = $row['Field'];
$array = array_intersect_key( $_POST, array_flip($fieldnames) ); #check if value is null otherwise do not INSERT
}
}
foreach ($array as $key => $value) {
$value = mysql_real_escape_string($value); // this is dedicated to #Jon
$value = "'$value'";
$updates[] = "$key = $value";
}
$implodeArray = implode(', ', $updates);
$sql = sprintf("UPDATE %s SET %s WHERE id='%s'", $table, $implodeArray, $_POST['id']);
mysql_query($sql);