Php function to run mysql queries - php

I am trying to create functions to run MySQL queries. How would I do things like insert queries? I was thinking:
function insert_query($table, $cols, $values)
{
    $sql = "insert into $table ($cols) values ($values) "; ...etc
}
with the rest of the query code in the function. But how would I add multiple columns and values? Should I make $cols and $values an array inside the function?

This is a function of my Database Class.
public function insert($table, $values)
{
    // $values is column => value; each value is interpolated as-is, so the
    // strings must already be quoted and escaped for MySQL
    $fieldNames = "";
    $fieldValues = "";
    foreach ($values as $key => $value) {
        $fieldNames .= "$key,";
        $fieldValues .= "$value,";
    }
    // strip the trailing comma
    $fieldNames = substr($fieldNames, 0, -1);
    $fieldValues = substr($fieldValues, 0, -1);
    $sql = "INSERT INTO $table($fieldNames) VALUES ($fieldValues)";
    $this->newConnection();
    $result = $this->mysqli->query($sql);
    $this->closeConnection();
    return $result;
}

Here is what I'm using. Pass field names and values as array keys and values: $lsQry is an array of field name/value pairs.
function insert_record($table, $lsQry)
{
    $fields_str = implode(',', array_keys($lsQry));
    // wrap every value in single quotes: 'a','b','c'
    $data_str = "'" . implode("','", $lsQry) . "'";
    $lsQry = "INSERT INTO $table($fields_str) VALUES($data_str)";
    $rs = mysql_query($lsQry);
    // mysql_query() returns FALSE on failure; isset($rs) would be true either way
    return $rs !== false;
}
Please note:
This function expects an array of field name/value pairs. It is assumed that htmlentities() and addslashes() or some other escaping function has already been applied when building the array from the POST/GET values.

Easy, just use arrays:
function insert_query($table, $cols, $values)
{
    // every value ends up wrapped in single quotes: ('a','123','c')
    $sql = "insert into $table (" . implode(",", $cols) . ") values ('" . implode("','", $values) . "')";
    return $sql;
}
insert_query('exampleTable', array('column_1', 'column_2', 'column_3'), array('a', 123, 'c') );
The implode for the values requires a small side note:
Strings always need to be wrapped in quotes, therefore I made the implode with single quotes. The downside to this is that integers (like 123 in the example) also get wrapped.
This is not a big problem, but if you want you could replace the implode with a foreach that uses is_numeric to check whether it should be wrapped in quotes.
IMPORTANT SECURITY NOTE:
In this example I haven't used proper security, like escape_string(); this has to be added! I've not added it to keep the examples smaller.
Another approach could be key/value-usage of an array:
function insert_query($table, $data)
{
    $cols = array_keys($data);
    $values = array_values($data);
    $sql = "insert into $table (" . implode(",", $cols) . ") values ('" . implode("','", $values) . "')";
    return $sql;
}
$info = array('column_1'=>'a', 'column_2'=>123, 'column_3'=>'c');
$info['example'] = 'Easy method to add more key/values';
insert_query('tableName', $info);

In this case you can use functions similar to the CodeIgniter ones.
Use arrays to store the table name and the columns or values. For example:
$data = array('hid' => $hcsdate, 'start_date' => $sdate, 'end_date' => $edate, 'title' => $title);
Here $data holds the column names and the corresponding values.
Then pass this $data to other functions for insert, update etc.

Related

Declare php variables for INSERT query in MySQL

How do I declare PHP variables that will hold the MySQL query columns and values properly? The problem is obviously the quoting; I tried several combinations with no success.
This is the query declared in PHP:
$query = "INSERT INTO table1(pt1, pt2, pt3, pt4, pt5, pt6, pt7, pt8) VALUES ('$q[1]','$q[2]','$q[3]','$q[4]','$q[5]','$q[6]','$q[7]','$q[8]')";
These are my wrong variables in PHP (two wrong approaches):
$pt_all = pt1, pt2, pt3, pt4, pt5, pt6, pt7, pt8;
for($i=1;$i<9;$i++) {
$q_all .= '$q[$i]',;
}
This is meant to place the holder variables into the SQL query in PHP:
$query = "INSERT INTO table1($pt_all) VALUES ($q_all)";
and make it easier and shorter. Is there maybe another, better technique?
First of all, do not use mysql_* functions, since they are deprecated. Use mysqli_* or PDO. That said, you probably need something like this:
$fields = "pt" . join(", pt", array_keys($q));       // pt1, pt2, pt3, ...
$values = "'" . join("','", array_values($q)) . "'"; // 'v1','v2','v3', ...
echo "INSERT INTO table1 ({$fields}) VALUES ({$values})";
Obviously, you will need to adjust this to fit your requirements, but this should give you a good sense of array manipulation.
Start with an associative array. As an example, I'll use fruit:
$array = array("banana" => "yellow", "apple" => "red", "kiwi" => "green");
Go through it and make the strings "banana, apple, kiwi" and "yellow, red, green":
$fields = array();
$values = array();
foreach ($array as $key => $val) {
    $fields[] = $key;
    $values[] = $val;
}
Now concatenate into a string to be used as SQL (backticks for the column names, single quotes for the values; MySQL treats double quotes as string delimiters, so they cannot be used around column names):
$query  = 'INSERT INTO table1(`' . implode('`, `', $fields) . '`) ';
$query .= "VALUES ('" . implode("', '", $values) . "');";
echo $query; // INSERT INTO table1(`banana`, `apple`, `kiwi`) VALUES ('yellow', 'red', 'green');
Hope that's what you're looking for.

implode() array to insert record into mySql database

I have a single row in a PHP array and I would like to insert that row into a MySQL database by imploding the keys and values into strings and using those strings in my INSERT statement as follows:
$fields = implode(",", array_keys($_POST));
$newdata = implode(",", $_POST);
$query = (
"INSERT INTO Food_entered ($fields)
VALUES ('$newdata')");
$result = mysqli_query($dbc, $query);
I am able to create the strings, and they appear to be in proper form; however, the row is not being inserted. It seems like a simple approach, but I'm not sure what I'm missing.
As @Barmar has pointed out, the problem is that your quotes are on the outside of your variable.
I think this may be an easier-to-follow/cleaner way of fixing this than the method Barmar posted:
$newdata = "'" . implode("','", $_POST) . "'";
You need to quote each value, not the entire list of values:
$fields = implode(",", array_keys($_POST));
// escape every value for the connection and wrap it in single quotes
$newdata = implode(",", array_map(function ($x) use ($dbc) {
    return "'" . $dbc->real_escape_string($x) . "'";
}, $_POST));
$query = "INSERT INTO Food_entered ($fields)
          VALUES ($newdata)";
$result = mysqli_query($dbc, $query);
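The three insert threads above (the Database Class insert, the "declare php variables" question, and this implode() question) all build the column list and the value list from one array. The example below is an added one, not code from any of the answers or from the askers: it builds the same INSERT, but sends the values as bound parameters rather than splicing them into the SQL string, and checks the column names against a whitelist because identifiers cannot be bound. It assumes PDO with an in-memory SQLite database (so the script runs stand-alone; the table, columns and rows are constructed for the demo).

```php
<?php
// Added example; not from the question or any answer on this page.
// Assumes pdo_sqlite is available. Table/column names are constructed.

declare(strict_types=1);

/**
 * Insert one row. $row is column => value. Column names are checked against
 * $allowedColumns because identifiers cannot be bound as parameters; values
 * travel as placeholders, so quoting and escaping are handled by the driver.
 */
function insertRow(PDO $db, string $table, array $row, array $allowedColumns): int
{
    if ($row === []) {
        throw new InvalidArgumentException('no columns to insert');
    }
    $columns = array_keys($row);
    $unknown = array_diff($columns, $allowedColumns);
    if ($unknown !== []) {
        throw new InvalidArgumentException('unknown column(s): ' . implode(', ', $unknown));
    }
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $table)) {
        throw new InvalidArgumentException('bad table name');
    }

    // Named placeholders: INSERT INTO t (a, b) VALUES (:a, :b)
    $placeholders = array_map(fn(string $c): string => ':' . $c, $columns);
    $sql = sprintf(
        'INSERT INTO %s (%s) VALUES (%s)',
        $table,
        implode(', ', $columns),
        implode(', ', $placeholders)
    );

    $stmt = $db->prepare($sql);
    foreach ($row as $column => $value) {
        // bindValue copies the value now; bindParam would bind a reference to
        // $value, which changes on every loop iteration.
        $stmt->bindValue(':' . $column, $value, is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// --- demo with constructed data ---
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE food_entered (name TEXT, calories INTEGER, note TEXT)');

$allowed = ['name', 'calories', 'note'];

// An apostrophe would break the string-built queries above; here it is just data.
$row = [
    'name'     => "O'Brien's apple",
    'calories' => 95,                 // stays an integer, no quoting decision needed
    'note'     => 'contains a quote \' and a backslash \\',
];
insertRow($db, 'food_entered', $row, $allowed);

// Untrusted column names (e.g. array_keys($_POST)) are rejected before they
// reach the SQL text.
try {
    insertRow($db, 'food_entered', ['name' => 'x', 'price' => 1], $allowed);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

foreach ($db->query('SELECT name, calories, note FROM food_entered') as $r) {
    printf("%s | %d | %s\n", $r['name'], $r['calories'], $r['note']);
}
```

The whitelist is the part the string-building answers cannot replace with escaping: a column name taken straight from a form key is SQL text, and no escaping function applies to it, so the set of writable columns has to be fixed server-side.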

creating a flexible update query with Php and pdo - problems with bindparam

I'm updating my MySQL functions to use PDO. I've got the hang of most of it, but I'm struggling with an update function to update multiple fields in a record.
The function is in a class and I'm trying to keep it flexible to reuse with other tables etc.
Here's my function so far:
public function dbUpdateRecord($table, $values, $where)
{
    $this->conn();
    $fieldNames = array_keys($values);
    var_dump($fieldNames);
    $set = "";
    foreach ($fieldNames as $field) {
        $set .= " $field = :$field,";
    }
    //strip last comma
    $set = substr($set, 0, strlen($set) - 1);
    $wherefields = array_keys($where);
    $whereCondition = "";
    foreach ($wherefields as $field) {
        $whereCondition .= " $field = :$field AND";
    }
    //strip last AND
    $whereCondition = substr($whereCondition, 0, strlen($whereCondition) - 3);
    $sql = "UPDATE $table SET $set WHERE $whereCondition";
    var_dump($sql);
    $stmt = $this->db->prepare($sql);
    foreach ($values as $field => $value) {
        $stmt->bindParam(':$field', $value);
    }
    foreach ($where as $field => $value) {
        $stmt->bindParam(':$field', $value);
    }
    return $stmt->execute();
}
The problem is that all the fields in the record are being updated with the id of the record, which is contained in the $where variable.
$values contains an array of (fieldname => value).
I think the problem lies around bindParam and trying to make the field names/placeholders dynamic.
I thought I needed to use bindParam as best practice; is this correct, or can I just go to execute()?
Any help appreciated.
You are lifting this log from the wrong end.
Your approach is potentially insecure yet inflexible at the same time.
What if you need a JOIN based update? What if you need OR in the WHERE (or IN)?
What you really need is a conventional query where only SET statement values have to be generated.
So, you need a helper function to produce such a statement out of the data array, returning both a correctly formatted SET statement and an array of variables to be bound:
$fields = array("name", "email");
$sql = "UPDATE users SET " . pdoSet($fields, $values, $data) . " WHERE id = :id";
// now we have the $values array to be passed into the query
$stmt = $dbh->prepare($sql);
$values["id"] = $_POST['id'];
$stmt->execute($values);
With this code you'll be able to make updates for an arbitrary query, and make it safe.
As a further step you will need to start using type-hinted placeholders, to make the whole code look like this:
$db->query("UPDATE ?n SET ?u WHERE id IN(?a)", $table, $data, $ids);
Getting back to your problem, ONe is right: you need to use bindValue instead of bindParam (as mentioned in the tag wiki).
I believe the problem is that you are using a foreach to bind the params to the query. Why is this a problem? Because when you bind a variable, you bind a reference to that variable, so if that variable changes, the value in the query will change too. Since you are using a foreach loop, the value for all the parameters will be the latest value that the variable $value referenced to.
You can read more about this foreach behavior here and here. So basically, you have 2 options:
Use a reference to the actual value, instead of a reference to $value (which can change its value in the next iteration)
Use an auxiliary variable that references another memory position that won't change during the loop
I came here because I was having the same problems, and YCS's solution was what I needed. For anyone else in this situation, here's the helper function I ended up using:
function commit_table($record_id, $changed_values)
{
    $db = open_database();
    $query = 'UPDATE table SET ';
    $query_arguments = array();
    $is_first = TRUE;
    foreach (array_keys($changed_values) as $key) {
        // comma before every assignment except the first
        if ($is_first) {
            $is_first = FALSE;
        } else {
            $query .= ', ';
        }
        $value_var = ':' . $key;
        $query .= $key;
        $query .= ' = ';
        $query .= $value_var;
        // collect the values by placeholder name; execute() copies them
        $query_arguments[$value_var] = $changed_values[$key];
    }
    $query .= ' WHERE record_id = :record_id';
    $query_arguments[':record_id'] = $record_id;
    $stmt = $db->prepare($query);
    $stmt->execute($query_arguments);
    close_database($db);
}
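The answers above say why every column ends up holding the last value (bindParam binds a reference to the loop variable) and recommend bindValue or passing the array to execute(). The following is an added example, not code from the question or the answers, that reproduces the bug and shows the fix side by side. It assumes PDO with an in-memory SQLite database and a constructed "users" table; the column whitelist is the demo's own addition, since the column names end up in the SQL text and cannot be bound.

```php
<?php
// Added example; not from the question or any answer on this page.
// Assumes pdo_sqlite is available. Table, rows and whitelist are constructed.

declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
    $db->exec("INSERT INTO users (id, name, email) VALUES (1, 'old name', 'old@example.test')");
    return $db;
}

/** Build "name = :name, email = :email" for the whitelisted keys of $values. */
function setClause(array $values, array $allowedColumns): string
{
    $parts = [];
    foreach (array_keys($values) as $column) {
        if (!in_array($column, $allowedColumns, true)) {
            throw new InvalidArgumentException("column not updatable: $column");
        }
        $parts[] = "$column = :$column";
    }
    if ($parts === []) {
        throw new InvalidArgumentException('nothing to update');
    }
    return implode(', ', $parts);
}

// BUGGY on purpose: bindParam binds a reference to $value, so after the loop
// every placeholder points at the same variable, which holds the last value.
function updateWithBindParam(PDO $db, int $id, array $values, array $allowed): void
{
    $stmt = $db->prepare('UPDATE users SET ' . setClause($values, $allowed) . ' WHERE id = :id');
    foreach ($values as $column => $value) {
        $stmt->bindParam(":$column", $value); // reference to the loop variable
    }
    $stmt->bindParam(':id', $id);
    $stmt->execute();
}

// FIXED: hand execute() the whole array; PDO copies each value at that point.
// ($stmt->bindValue(":$column", $value) inside the loop works the same way.)
function updateWithExecuteArray(PDO $db, int $id, array $values, array $allowed): void
{
    $stmt = $db->prepare('UPDATE users SET ' . setClause($values, $allowed) . ' WHERE id = :id');
    $params = [];
    foreach ($values as $column => $value) {
        $params[":$column"] = $value;
    }
    $params[':id'] = $id;
    $stmt->execute($params);
}

function show(PDO $db): string
{
    $r = $db->query('SELECT name, email FROM users WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
    return "{$r['name']} / {$r['email']}";
}

$allowed = ['name', 'email'];
$changes = ['name' => 'Alice', 'email' => 'alice@example.test']; // constructed input

$db = makeDb();
updateWithBindParam($db, 1, $changes, $allowed);
echo "bindParam in foreach: " . show($db) . "\n"; // both columns hold the email

$db = makeDb();
updateWithExecuteArray($db, 1, $changes, $allowed);
echo "execute(array):       " . show($db) . "\n"; // each column holds its own value
```

The WHERE clause is deliberately fixed rather than generated from a second array, in line with the first answer: the SET list is the only part that varies per call, and the one user-controlled input that reaches the SQL text (the column names) is checked against the whitelist before prepare() sees it.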

Appending a value if a key has already been submitted (checkboxes in a form) PHP

I have an odd issue. I have one PHP script that is used for multiple forms. It takes in all the requests and then puts the data in the appropriate table in a database. As it stands, it looks like this:
$fields = "";
$values = "";
foreach ($_REQUEST as $key => $value) {
    $key = str_replace(":", "", $key);
    $fields .= "$key,";
    $values .= "'$value ',";
}
//remove the ending comma from $fields and $values
$fields = substr($fields, 0, -1);
$values = substr($values, 0, -1);
$sql = "INSERT INTO " . $survey . " ($fields) VALUES ($values)";
mysql_query($sql)
    or die(mysql_error());
And this works well. The problem is that there are some forms with checkboxes (i.e. a person can select more than one option). If I were to use a GET method, the query string would look like:
www.somesite.php?V9=1&V9=2&V9=4
With the current script, only 4 is taken, since it was the last value.
Now, I know the reason this is happening is the way the name of the checkbox is defined in the form. It says name="V9" instead of name="V9[]". However, I cannot change the forms. They are generated by software, and the idea is that any user can create an HTML form, point it to the script, and their information will be recorded in a table. So, changing the HTML is not an option for me.
So, I need a way to detect whether a key has already been submitted, and if so, append the value. I tried this:
$fields = "";
$values = "";
foreach ($_REQUEST as $key => $value) {
    //check to see if the key has already been used for multi-choice questions
    $key_check = strpos($fields, "$key,");
    if ($key_check !== false) {
        $values = substr($values, 0, -2);
        $values .= "\;$value ',";
    } else {
        $key = str_replace(":", "", $key);
        $fields .= "$key,";
        $values .= "'$value ',";
    }
}
//remove the ending comma from $fields and $values
$fields = substr($fields, 0, -1);
$values = substr($values, 0, -1);
$sql = "INSERT INTO " . $survey . " ($fields) VALUES ($values)";
mysql_query($sql)
    or die(mysql_error());
But I get the same results: $key_check never seems to be valid. Any help would be appreciated. Someone here has a working ASP version that does a similar thing, but it emails the data rather than saving it in a DB.
You could try this if you are using $_GET:
function convertInput($qs = "")
{
    $rtn = "";
    $holdingArray = array();
    if (trim($qs) != "") {
        // split the raw query string ourselves so repeated keys survive
        $vars = explode("&", $qs);
        foreach ($vars as $val) {
            $kv = explode("=", $val);
            if (count($kv) == 2) {
                if (isset($holdingArray[$kv[0]])) {
                    // key seen before: append the value, comma separated
                    $holdingArray[$kv[0]] .= "," . $kv[1];
                } else {
                    $holdingArray[$kv[0]] = $kv[1];
                }
            }
        }
        $rtn = $holdingArray;
    }
    return $rtn;
}
print_r(convertInput($_SERVER["QUERY_STRING"]));
Try this:
$keys = array();
$values = array();
foreach ($_POST as $key => $value) { //So, it will loop through the form data
    if (!array_search($key, $keys)) { //Checking to see if the key has been used yet
        $keys[] = $key;
    } else {
        $values[$key][] = array($key => $value);
    }
}
This should build an array of your FORM SELECT choices built from the same form, provided that the data is preserved from the browser and is logically eliminated (when accessed as an array, only the last element of the same associated key is preserved, but otherwise the data is there to be had) instead of procedurally eliminated.
I have no idea if this works, because this is building from a theory, not from any kind of documentation or code expertise.
PHP parses the request string (query string or x-www-form-urlencoded body) into the $_GET, $_POST and $_REQUEST arrays using the rule that when the same key is present multiple times, later values overwrite earlier ones. So if you cannot change the key names on the forms to append [] as PHP expects, you have to access the raw query string and parse it by hand.
Note that repeating the key name without [] creates ambiguity as to whether a query string key is meant to be a scalar or an array. You will have to decide how to resolve that. E.g., you can use a server-defined, hardcoded list of names with array values.
This is how you could process a query string into a list of values:
function paramlist($querystring, $raw = false)
{
    $plist = array();
    // rawurldecode() leaves '+' alone; urldecode() turns it into a space
    $decoder = ($raw) ? 'rawurldecode' : 'urldecode';
    $pairs = explode('&', $querystring);
    foreach ($pairs as $pair) {
        // limit 2: an encoded '=' inside the value must not split the pair again
        $plist[] = array_map($decoder, explode('=', $pair, 2));
    }
    return $plist;
}
If you have a query string like a=1&b=2&a=3, this function will return array(array('a','1'),array('b','2'),array('a','3')). You can then turn that to an associative array using any logic you want.
However, you need to get the query or form string in the first place:
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    and $_SERVER['CONTENT_TYPE'] === 'application/x-www-form-urlencoded') {
    // form body
    $qs = trim(file_get_contents('php://input'));
} else {
    // url query string
    $qs = $_SERVER['QUERY_STRING'];
}
Note that if you send a form encoded with multipart/form-data, PHP will not let you access the raw request (even php://input will not work), so in this case there is no way to reprocess the form variables. Sorry!
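The answer above stops at a list of pairs and leaves the scalar-versus-list decision to the caller. The example below is added here (it is not code from the question or any answer) and carries that through: it parses the raw string without losing repeated keys, then collapses the pairs using a server-side list of names that are allowed to repeat, rejecting any other repeated key instead of silently keeping the last one. The rawRequestString() helper follows the answer's own rule for choosing between the body and the query string; the sample query string and the $multiValued list are constructed. It assumes PHP 8 (for str_starts_with).

```php
<?php
// Added example; not from the question or any answer on this page.
// The query string, the 'V9' name and the whitelist are constructed.

declare(strict_types=1);

/** Return every key=value pair in order, decoded, without losing duplicates. */
function parsePairs(string $query): array
{
    $pairs = [];
    foreach (explode('&', $query) as $part) {
        if ($part === '') {
            continue;                      // tolerate "a=1&&b=2"
        }
        // limit 2 so an encoded '=' in the value does not split the pair twice;
        // array_pad supplies '' for a bare key with no '='
        [$k, $v] = array_pad(explode('=', $part, 2), 2, '');
        $pairs[] = [urldecode($k), urldecode($v)];
    }
    return $pairs;
}

/**
 * Collapse pairs into an associative array. Keys listed in $multiValued
 * always become arrays (even with a single value); any other repeated key is
 * treated as a client error rather than silently truncated.
 */
function groupParams(array $pairs, array $multiValued): array
{
    $out = [];
    foreach ($pairs as [$k, $v]) {
        if (in_array($k, $multiValued, true)) {
            $out[$k][] = $v;
        } elseif (array_key_exists($k, $out)) {
            throw new UnexpectedValueException("repeated scalar parameter: $k");
        } else {
            $out[$k] = $v;
        }
    }
    return $out;
}

/** Pick the raw string PHP built $_GET/$_POST from (same rule as the answer above). */
function rawRequestString(): string
{
    // CONTENT_TYPE may carry a "; charset=..." suffix, hence the prefix test
    $isForm = ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
        && str_starts_with($_SERVER['CONTENT_TYPE'] ?? '', 'application/x-www-form-urlencoded');
    return $isForm
        ? trim((string) file_get_contents('php://input'))
        : ($_SERVER['QUERY_STRING'] ?? '');
}

// --- demo on a constructed query string ---
$qs = 'V9=1&V9=2&V9=4&name=Ann+Lee&comment=a%26b%3Dc';
$params = groupParams(parsePairs($qs), ['V9']);
var_dump($params);

// A repeated key that is not whitelisted is refused rather than overwritten.
try {
    groupParams(parsePairs('name=a&name=b'), ['V9']);
} catch (UnexpectedValueException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// Storing the list in one column, as the question wants: join it, and pass the
// joined string to the INSERT as a bound parameter rather than into the SQL text.
$joined = implode(';', $params['V9']);
echo $joined, "\n";
```

In the demo the three V9 values are collected as a list, "Ann+Lee" decodes to a name with a space, and the percent-encoded & and = inside the comment stay part of that one value instead of producing extra pairs. Keys that reach the column list of an INSERT still need the same whitelist treatment as in the insert examples earlier on this page; decoding the query string by hand does not change that.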

Build SQL Select a better way ? (Oracle)

I have the following code part in one of my classes:
$l = new Location();
$result = $l->getLocIdsbyCity($city); // returns csv
$ids = explode(',', $result);
$where = 'LOC_ID = ' . $ids[0];
unset($ids[0]);
foreach ($ids as $id) {
    $where .= ' OR LOC_ID = ' . $id;
}
$select->where($where);
Is there a more "elegant" way to build the select statement? I need all records with one of the provided ids.
Assuming your csv is injection safe (contains trusted values and no user-provided input):
$l = new Location();
$result = $l->getLocIdsbyCity($city); // returns csv
$where = "LOC_ID IN ($result)";
$select->where($where);
If it's not, you should explode it, mysql_real_escape_string each value, and implode it back.
You can use the in operator to form a condition like:
where LOC_ID in (1,2,3,4,5)
If you are sure that $result can't contain anything harmful, you should be able to use it directly without having to split it and loop.
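Both answers condition the IN (...) shortcut on the CSV being trusted. The example below, added here and not taken from the question or the answers, removes that condition: it validates each piece as a digit string and emits one placeholder per id, so the list is bound rather than spliced into the SQL. It assumes the ids arrive as a CSV string as in the question and that the statement runs through PDO; an in-memory SQLite table stands in for the Oracle table, and the rows are constructed.

```php
<?php
// Added example; not from the question or any answer on this page.
// Assumes pdo_sqlite; LOCATIONS and its rows are constructed for the demo.

declare(strict_types=1);

/** Split "3, 17,42" into [3, 17, 42]; anything that is not a digit string is rejected. */
function idsFromCsv(string $csv): array
{
    $ids = [];
    foreach (explode(',', $csv) as $piece) {
        $piece = trim($piece);
        if ($piece === '') {
            continue;                       // tolerate a trailing comma
        }
        if (!ctype_digit($piece)) {
            throw new InvalidArgumentException("not a numeric id: $piece");
        }
        $ids[] = (int) $piece;
    }
    if ($ids === []) {
        throw new InvalidArgumentException('empty id list');   // "IN ()" is a syntax error
    }
    return array_values(array_unique($ids));
}

/** "LOC_ID IN (?, ?, ?)" with exactly as many markers as there are ids. */
function inClause(string $column, array $ids): string
{
    return $column . ' IN (' . implode(', ', array_fill(0, count($ids), '?')) . ')';
}

function locationsByIds(PDO $db, string $csv): array
{
    $ids = idsFromCsv($csv);
    $stmt = $db->prepare('SELECT LOC_ID, NAME FROM LOCATIONS WHERE ' . inClause('LOC_ID', $ids));
    $stmt->execute($ids);                   // positional params are filled in order
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- demo ---
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE LOCATIONS (LOC_ID INTEGER PRIMARY KEY, NAME TEXT)');
$db->exec("INSERT INTO LOCATIONS VALUES (1, 'Berlin'), (2, 'Hamburg'), (3, 'Munich'), (4, 'Cologne')");

print_r(locationsByIds($db, '1, 3,4'));

// A piece that is not a plain integer never reaches the SQL text.
try {
    locationsByIds($db, '1,2,x');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

For Oracle specifically, an IN list is limited to 1000 expressions (ORA-01795), so a large id list should be chunked into several queries or loaded into a temporary table and joined; the per-id placeholder approach above is unaffected otherwise, and with PDO_OCI the positional ? markers are translated to Oracle's bind syntax by the driver.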
