php special characters inserting into SQL Server 2005 - php

I currently have this query that insert data into SQL server. But as the question can contain special characters that include ' which is single quote, it skips my query and did not insert into database.
Any idea what would work for me to be able to insert single quote data into SQL server database?
Example: Trainer's Performance.
Here's my code for inserting data into database:
$sql_array = array();
foreach ($_POST['question'] as $row => $name) {
$question = $name;
$qnsNo = $_POST['qnsNo'][$row];
$input = $_POST['input'][$row];
$options = $_POST['options'][$row];
$others = $_POST['others'][$row];
$compulsory = isset($_POST['compulsory'][$row]) ? $_POST['compulsory'][$row] : "";
$idQuery = "SELECT max(surveyID) FROM scSurveyForm WHERE createBy = '$createBy' AND writeUp = '$writeUp'";
$idResult = sqlsrv_query($conn, $idQuery);
$rows = sqlsrv_fetch_array($idResult);
$lastID = $rows[0];
$sql_array[] = "('" . $question . "'," . $lastID . ",'" . $qnsNo . "','" . $input . "','" . $options . "','" . $others . "','" . $compulsory . "')";
if (!empty($question)) {
$query_single = "INSERT INTO scFormLayout(question, surveyID, qnsNo, input, options, others, compulsory)
VALUES" . implode(', ', $sql_array);
//echo $query_single.'<br/>';
$status = sqlsrv_query($conn, $query_single);
$sql_array = array();

Related

import csv data with single quote

I have a php code to import csv data into mysql. It works fine. The only problem is that it doesn't work if there is a single quote in the data. How can I solve this ?
$conn = mysqli_connect("localhost", "U16******", "***********", "DB16******");
if (isset($_POST["import"])) {
$fileName = $_FILES["file"]["tmp_name"];
if ($_FILES["file"]["size"] > 0) {
$file = fopen($fileName, "r");
fgetcsv($file, 10000, ",");
while (($column = fgetcsv($file, 10000, ",")) !== false) {
$sqlInsert = "INSERT into tblrabobank (IBAN_BBAN,Munt,BIC,Volgnr,Datum,Rentedatum,Bedrag,Saldo_na_rtn,Tegenrekening_IBAN_BBAN,Naam_tegenpartij,Naam_uiteindelijke_partij,Naam_initierende_partij,BIC_tegenpartij,Code,Batch_ID,Transactiereferentie,Machtigingskenmerk,Incassant_ID,Betalingskenmerk,Omschrijving1,Omschrijving2,Omschrijving3,Reden_retour,Oorspr_bedrag,Oorspr_munt,Koers)
values ('" . $column[0] . "','" . $column[1] . "','" . $column[2] . "','" . $column[3] . "','" . $column[4] . "','" . $column[5] . "','" . $column[6] . "','" . $column[7] . "','" . $column[8] . "','" . $column[9] . "','" . $column[10] . "','" . $column[11] . "','" . $column[12] . "','" . $column[13] . "','" . $column[14] . "','" . $column[15] . "','" . $column[16] . "','" . $column[17] . "','" . $column[18] . "','" . $column[19] . "','" . $column[20] . "','" . $column[21] . "','" . $column[22] . "','" . $column[23] . "','" . $column[24] . "','" . $column[25] . "')";
$result = mysqli_query($conn, $sqlInsert);
if (!empty($result)) {
$type = "success";
$message = "CSV Data geimporteerd in de database";
} else {
$type = "error";
$message = "Probleem met importeren CSV Data";
}
}
}
}

you should use PDO extension to mysql together with prepared statement rather than concatenation to build the query, that will handle the single quote issue and will protect your code against SQL injections.
Something like this :
$stmt = $dbh->prepare("INSERT INTO tblrabobank (IBAN_BBAN,Munt,BIC,Volgnr,Datum,Rentedatum,Bedrag,Saldo_na_rtn,Tegenrekening_IBAN_BBAN,Naam_tegenpartij,Naam_uiteindelijke_partij,Naam_initierende_partij,BIC_tegenpartij,Code,Batch_ID,Transactiereferentie,Machtigingskenmerk,Incassant_ID,Betalingskenmerk,Omschrijving1,Omschrijving2,Omschrijving3,Reden_retour,Oorspr_bedrag,Oorspr_munt,Koers) VALUES (:iban, :munt, ...........)");
$stmt->bindParam(':iban', $column[0]);
$stmt->bindParam(':munt', $column[1]);
[.....]
$stmt->execute();
check this page for more details https://www.php.net/manual/en/pdo.prepared-statements.php

You can try something like this..
<?php
$dbh = new PDO('mysql:host=localhost;dbname=test', $user, $pass);
if (isset($_POST["import"])) {
$fileName = $_FILES["file"]["tmp_name"];
if ($_FILES["file"]["size"] > 0) {
$file = fopen($fileName, "r");
fgetcsv($file, 10000, ",");
$dataToInsert = [];
$columns = explode(',','IBAN_BBAN,Munt,BIC,Volgnr,Datum,Rentedatum,Bedrag,Saldo_na_rtn,Tegenrekening_IBAN_BBAN,Naam_tegenpartij,Naam_uiteindelijke_partij,Naam_initierende_partij,BIC_tegenpartij,Code,Batch_ID,Transactiereferentie,Machtigingskenmerk,Incassant_ID,Betalingskenmerk,Omschrijving1,Omschrijving2,Omschrijving3,Reden_retour,Oorspr_bedrag,Oorspr_munt,Koers');
while (($column = fgetcsv($file, 10000, ",")) !== FALSE) {
$sql = "INSERT INTO tblrabobank (".implode(',', $columns).") VALUES (";
foreach($column as $key => $value){
$dataToInsert[":".$columns[$key]] = $value ?? null;
}
$sql .= "(".implode(',',array_keys($dataToInsert)).")";
$stmt = $dbh->prepare($sql);
foreach($dataToInsert as $key => $value){
$stmt->bindParam($key, $value);
}
if($stmt->execute()){
$type = "success";
$message = "CSV Data geimporteerd in de database";
} else {
$type = "error";
$message = "Probleem met importeren CSV Data";
}
}
$stmt->execute();
}
}
?>
In the above code snippet,
you can make an array of the given columns, and attach each value to a 2D array with keys made of the columns and their corresponding values from csv.
The append each column to the sql statement, using array_keys and bing each value.
This is scalable for small dataset but with huge number of columns.
For a large number of data set, sql queries will be multiple. You should consider in mind that too.
Source:
https://www.php.net/manual/en/pdostatement.execute.php (execute statement of PDO)
https://www.php.net/manual/en/pdostatement.bindparam.php (binding a parameter)
https://www.php.net/manual/en/pdo.connections.php (how to make and use connections in PDO)

Problems with php pg_query

I have a Problem with PHP. I want to make an table update with PHP.
$name = pg_escape_string($_POST['NAME']);
$place = pg_escape_string($_POST['PLACE']);
$zip = pg_escape_string($_POST['ZIP']);
$nation = pg_escape_string($_POST['NATION']);
$name = "'" . $name . "'";
$place = "'" . $place . "'";
$zip = "'" . $zip . "'";
$nation = "'" . $nation . "'";
$club_id = "'" . $club_id . "'";
$result = pg_query($db_connect, "UPDATE club SET name_c = $name, place_c = $place, zip_c = $zip, nation_c = $nation WHERE id_c = $club_id;");
Why does it not work?
Thanks!

You do not have club_id defined in your code. And to avoid any problems and cleanup code I would do:
$club_id = 1;
$dbconn = pg_connect("connectionstring");
$sql = 'UPDATE club SET name_c = $1, place_c = $2, zip_c = $3, nation_c = $4 WHERE id_c = $5;';
$result = pg_query_params($dbconn, $sql, array(
$_POST['NAME'],
$_POST['PLACE'],
$_POST['ZIP'],
$_POST['NATION'],
$club_id
));
// Do what you need
It'll escape values for you so no need to handle strange cases.
http://php.net/manual/en/function.pg-query-params.php

does binding param strip out underscores?

I used the following function:
function update_value($table, $field, $value, $type, $where1, $value1, $where2=NULL, $value2=NULL, $where3=NULL, $value3=NULL) {
$rows = array();
global $conn;
connect();
$value1 = "'" . $value1 . "'";
$sql = "UPDATE $table SET $field =? WHERE $where1 = $value1";
$bind1 = "'" . "$type" . "'";
if ($where2 != NULL) {
$value2 = "'" . $value2 . "'";
$sql .= " AND $where2 = $value2";
}
if ($where3 != NULL) {
$value3 = "'" . $value3 . "'";
$sql .= " AND $where3 = $value3";
}
$stmt = $conn->prepare($sql);
$stmt->bind_param($type, $value);
$stmt->execute();
$stmt->close();
$conn->close();
}
...to update the username field of a table (making sure it's a string before updating via the above function). I tried updating with a string followed by an underscore but when it showed up in the table the underscore had disappeared.
I'm new to binding parameters, is there certain things it strips out? If so I'd like to know exactly what so I can use preg_match to catch them before it updates and alert the users.

The way you manipulate with data is very dangerous.
But just to fix some potential issues keeping your logic you should surround all potential table and column names with backticks and prepare values with mysqli_real_escape_string():
$val1 = "'" . mysqli_real_escape_string($value1) . "'";
$sql = "UPDATE `$table` SET `$field` = ? WHERE `$where1` = $val1";
if (!empty($where2)) {
$value2 = "'" . mysqli_real_escape_string($value2) . "'";
$sql .= " AND `$where2` = $value2";
}
if (!empty($where3)) {
$value3 = "'" . mysqli_real_escape_string($value3) . "'";
$sql .= " AND `$where3` = $value3";
}

Mutliple querystring parameters to mysql query

I originally had this working:
url: http://server/blah.php?FacilityCode=FT
$facilitycode = mysql_real_escape_string($_GET["FacilityCode"]);
$sql = "SELECT ..." .
"FROM ..." .
"WHERE ..." .
"AND ('" . $facilitycode . "' = '' OR Facility.FacilityCode = '". $facilitycode . "')";
$result = mysql_query($sql);
But I want to change this so that people can submit multiple values in the query strying somehow, ie: http://server/blah.php?FacilityCode=FT,CC,DD,EE
I tried changing the query to an "IN" clause instead of an "equals" but I'm not sure how to get the ' marks around each element.

Use implode() function for IN (...).
$a = array('AB', 'CD', 'EF', 'ZE');
echo "field IN ('" . implode("', '", $a) . "')";
... will output:
field IN ('AB', 'CD', 'EF', 'ZE')
+escape every option you get.

$facilitycode = mysql_real_escape_string($_GET["FacilityCode"]);
$array=explode(',',$facilitycode);
foreach ($array as $a){$output.="'$a',";}
$clause=substr($output,0,-1);

If your trying to create a string which looks like this: 'AB', 'CD', 'EF', 'ZE'
Try this before its placed inside the query:
$facilitycode = preg_replace('/([^,]+)/', '\'$1\'', $facilitycode);

I wrote this based on your query, but still I dont get this part of query "AND ('" . $facilitycode . "' = ''", anyway you need to check if $_GET data have "," and if does explode that variable by "," so that you can add an OR clausule for everything that was separated by "," in $_GET data.
After that just form your query by doing a foreach for every element in exploded array like I done below:
<?php
$facilitycode = $_GET["FacilityCode"];
$facility_number_chk = strpos($facilitycode, ",");
if ($facility_number_chk > -1) {
$facilitycode = explode(",", $facilitycode);
$sql = "SELECT ..." .
"FROM ..." .
"WHERE ..." .
"AND ('" . $facilitycode . "' = ''";
foreach($facilitycode as $facode) {
$facode = mysql_real_escape_string($facode);
$sql .= " OR Facility.FacilityCode = '". $facode . "'";
}
$sql .= "')";
}
else {
$facilitycode = mysql_real_escape_string($facilitycode);
$sql = "SELECT ..." .
"FROM ..." .
"WHERE ..." .
"AND ('" . $facilitycode . "' = '' OR Facility.FacilityCode = '". $facilitycode . "')";
}
$result = mysql_query($sql);
And if there is only one element in $_GET data just do an else like I done with your regular query.

I ended up using a combination of a few of the answers. Basically I exploded on the ",", then did a foreach to add the ' marks and call escape_string, and then imploded it back.
$facilitycodes = $_GET["FacilityCode"];
if ($facilitycodes == '') {
$additionalfilter = '';
}
else {
$facilitycodearray = explode(",", $facilitycodes);
foreach($facilitycodearray as &$facilitycode) {
$facilitycode = "'" . mysql_real_escape_string($facilitycode) . "'";
}
$facilitycodesformatted = implode(",", $facilitycodearray);
$additionalfilter = " AND Facility.FacilityCode IN (" . $facilitycodesformatted . ")";
}
$sql = "SELECT ..." .
"FROM ..." .
"WHERE ..." .
$additionalfilter;

Looping and file_get_contents in PHP

I have written a page that will scan a site and then extract certain code from the source. That part is working successfully, however I want to run this over multiple pages and dump the details into a database. I am stuggling to get the loop working, this is what I currently have:
date_default_timezone_set("australia/sydney");
$host = 'http://www.tabonline.com.au/';
$day = date(d);
$month = date(m);
$year = date(Y);
$slash = '/';
$mtgraces = '/mtgraces.html';
//Gallops Meetings on Todays racing page
$content = file_get_contents($host . $year . "/". $month . "/" . $day . $mtgraces);
preg_match_all('#<a[^<>]+href\s*=\s*[\'"](.R[0-9]+.html*)[\'"]#i', $content, $matches);
foreach ($matches[1] as $url) $links[] = "$host$year$slash$month$slash$day$slash$url";
//get the runners from each page
for($c=0; $c<count($links); $c++)
$racepage = file_get_contents($links[$i]);
preg_match_all('#<td align="right" height="18"><font color="\#ffffff">[0-9]{1,2}</font></td>#', $racepage, $number);
preg_match_all('#<font color="\#00ffff">[0-9]{1,3}</font>#', $racepage, $rating);
preg_match_all('#<B>[\w]+([\s][A-Z]+)?</B>#', $racepage, $location);
preg_match_all('#<B>[\w]+\s[0-9]+</B>#', $racepage, $locationcode);
//strip tags for storage in DB
$number_data = implode(",", $number[0]);
$dbnumber = strip_tags($number_data);
$final_number = explode(",", $dbnumber);
$rating_data = implode(",", $rating[0]);
$dbrating = strip_tags($rating_data);
$final_rating = explode(",", $dbrating);
$location_data = implode(",", $location[0]);
$dblocation = strip_tags($location_data);
$final_location = explode(",", $dblocation);
$locationcode_data = implode(",", $locationcode[0]);
$dblocationcode = strip_tags($locationcode_data);
$final_locationcode = explode(",", $dblocationcode);
//Insert into database
$data = array();
for($i=0; $i<count($final_number); $i++)
{
$data[] = "('" . $final_location[0] . "', '" . $final_locationcode[0] . "', '" . $final_number[$i] . "', '" . $final_rating[$i] . "')";
}
if(count($queries) == 0)
{
# Nothing passed
# exit
}
$query = "insert into ratings(location, location_code, tab_no, rating) values " . implode(", ", $data);
$hostname = "%hostname%"; // eg. mysql.yourdomain.com (unique)
$username = "%username%"; // the username specified when setting-up the database
$password = "%password"; // the password specified when setting-up the database
$database = "%database"; // the database name chosen when setting-up the database (unique)
mysql_connect($hostname,$username,$password);
mysql_select_db($database) or die("Unable to select database");
mysql_query($query) OR die(mysql_error())
At the moment the output for this is giving me the correct contents of the last page in the list of sites (the $links variable). Ultimately I want it to loop through the whole $links variable and then import that data, using the $query variable, into a database so I can do further analysis on it.
I hope this makes sense and you can see the error in my ways.

Hmm... There are a few issues in here...
for($c=0; $c<count($links); $c++)
This loop is executing just the next line:
$racepage = file_get_contents($links[$i]);
However, $i isn't defined, I suspect you want $c. Also, you need to place some braces around various parts... Now, this is untested, but I think you want something like:
date_default_timezone_set("australia/sydney");
$host = 'http://www.tabonline.com.au/';
$day = date(d);
$month = date(m);
$year = date(Y);
$slash = '/';
$mtgraces = '/mtgraces.html';
//Gallops Meetings on Todays racing page
$content = file_get_contents($host . $year . "/". $month . "/" . $day . $mtgraces);
preg_match_all('#<a[^<>]+href\s*=\s*[\'"](.R[0-9]+.html*)[\'"]#i', $content, $matches);
foreach ($matches[1] as $url) $links[] = "$host$year$slash$month$slash$day$slash$url";
//get the runners from each page
$final_number = array();
$final_rating = array();
$final_location = array();
$final_locationcode = array();
for($c=0; $c<count($links); $c++)
{
$racepage = file_get_contents($links[$c]);
preg_match_all('#<td align="right" height="18"><font color="\#ffffff">[0-9]{1,2}</font></td>#', $racepage, $number);
preg_match_all('#<font color="\#00ffff">[0-9]{1,3}</font>#', $racepage, $rating);
preg_match_all('#<B>[\w]+([\s][A-Z]+)?</B>#', $racepage, $location);
preg_match_all('#<B>[\w]+\s[0-9]+</B>#', $racepage, $locationcode);
//strip tags for storage in DB
$number_data = implode(",", $number[0]);
$dbnumber = strip_tags($number_data);
$final_number[] = explode(",", $dbnumber);
$rating_data = implode(",", $rating[0]);
$dbrating = strip_tags($rating_data);
$final_rating[] = explode(",", $dbrating);
$location_data = implode(",", $location[0]);
$dblocation = strip_tags($location_data);
$final_location[] = explode(",", $dblocation);
$locationcode_data = implode(",", $locationcode[0]);
$dblocationcode = strip_tags($locationcode_data);
$final_locationcode[] = explode(",", $dblocationcode);
}
//Insert into database
$data = array();
for($i=0; $i<count($final_number); $i++)
$data[] = "('" . $final_location[0] . "', '" . $final_locationcode[0] . "', '" . $final_number[$i] . "', '" . $final_rating[$i] . "')";
if(count($queries) != 0)
{
$query = "insert into ratings(location, location_code, tab_no, rating) values " . implode(", ", $data);
$hostname = "%hostname%"; // eg. mysql.yourdomain.com (unique)
$username = "%username%"; // the username specified when setting-up the database
$password = "%password"; // the password specified when setting-up the database
$database = "%database"; // the database name chosen when setting-up the database (unique)
mysql_connect($hostname,$username,$password);
mysql_select_db($database) or die("Unable to select database");
mysql_query($query) OR die(mysql_error())
}

$final_number is something you get from a racepage link right? You are using it to as $i<count($final_number). Instead i think you should use $i<count($links) there as what you want to insert is a row for each link. What you can do is move the:
$data[] = "('" . $final_location[0] . "', '" . $final_locationcode[0] . "', '" . $final_number[$i] . "', '" . $final_rating[$i] . "')";
...line to the bottom of for($c=0; $c<count($links); $c++) line which would make you code look like this starting from that point, (notice $data=array() is defined before the loop):
$data = array();
for($c=0; $c<count($links); $c++)
{
$racepage = file_get_contents($links[$c]);
preg_match_all('#<td align="right" height="18"><font color="\#ffffff">[0-9]{1,2}</font></td>#', $racepage, $number);
preg_match_all('#<font color="\#00ffff">[0-9]{1,3}</font>#', $racepage, $rating);
preg_match_all('#<B>[\w]+([\s][A-Z]+)?</B>#', $racepage, $location);
preg_match_all('#<B>[\w]+\s[0-9]+</B>#', $racepage, $locationcode);
//strip tags for storage in DB
$number_data = implode(",", $number[0]);
$dbnumber = strip_tags($number_data);
$final_number[] = explode(",", $dbnumber);
$rating_data = implode(",", $rating[0]);
$dbrating = strip_tags($rating_data);
$final_rating[] = explode(",", $dbrating);
$location_data = implode(",", $location[0]);
$dblocation = strip_tags($location_data);
$final_location[] = explode(",", $dblocation);
$locationcode_data = implode(",", $locationcode[0]);
$dblocationcode = strip_tags($locationcode_data);
$final_locationcode[] = explode(",", $dblocationcode);
$data[] = "('" . $final_location[0] . "', '" . $final_locationcode[0] . "', '" . $final_number[0] . "', '" . $final_rating[0] . "')";
}
if(count($queries) != 0)
{
$query = "insert into ratings(location, location_code, tab_no, rating) values " . implode(", ", $data);
$hostname = "%hostname%"; // eg. mysql.yourdomain.com (unique)
$username = "%username%"; // the username specified when setting-up the database
$password = "%password"; // the password specified when setting-up the database
$database = "%database"; // the database name chosen when setting-up the database (unique)
mysql_connect($hostname,$username,$password);
mysql_select_db($database) or die("Unable to select database");
mysql_query($query) OR die(mysql_error())
}
I think there are some problems with this code still.
Edit:I also noticed that on this line
$number_data = implode(",", $number[0]);
Wouldn't $number[0] be a string, it couldn't be an array because $number is an array of matched strings so $number[0] would be the whole matched string. This would apply to 'number_data', 'rating_data', 'location_data' and 'locationcode_data' so you can
$number_data = strip_tags($number[0]);
and then when creating the insert data:
$data[] = "('" . $final_location . "', '" . $final_locationcode . "', '" . $final_number . "', '" . $final_rating . "')";

I have managed to figure it out!
I needed to put the whole lot in the for loop, so it looks like this:
for($c=0; $c<count($links); $c++)
{
$racepage = file_get_contents($links[$c]);
preg_match_all('#<td align="right" height="18"><font color="\#ffffff">[0-9]{1,2}</font></td>#', $racepage, $number);
preg_match_all('#<font color="\#00ffff">[0-9]{1,3}</font>#', $racepage, $rating);
preg_match_all('#<B>[\w]+([\s][A-Z]+)?</B>#', $racepage, $location);
preg_match_all('#<B>[\w]+\s[0-9]+</B>#', $racepage, $locationcode);
//strip tags for storage in DB
$number_data = implode(",", $number[0]);
$dbnumber = strip_tags($number_data);
$final_number = explode(",", $dbnumber);
$rating_data = implode(",", $rating[0]);
$dbrating = strip_tags($rating_data);
$final_rating = explode(",", $dbrating);
$location_data = implode(",", $location[0]);
$dblocation = strip_tags($location_data);
$final_location = explode(",", $dblocation);
$locationcode_data = implode(",", $locationcode[0]);
$dblocationcode = strip_tags($locationcode_data);
$final_locationcode = explode(",", $dblocationcode);
//Insert into database
$data = array();
for($i=0; $i<count($final_number); $i++)
{
$data[] = "('" . $final_location[0] . "', '" . $final_locationcode[0] . "', '" . $final_number[$i] . "', '" . $final_rating[$i] . "')";
}
if(count($queries) == 0)
{
# Nothing passed
# exit
}
$query = "insert into ratings(location, location_code, tab_no, rating) values " . implode(", ", $data);
$hostname = "%HOSTNAME"; // eg. mysql.yourdomain.com (unique)
$username = "%username%"; // the username specified when setting-up the database
$password = "%password%"; // the password specified when setting-up the database
$database = "%database%"; // the database name chosen when setting-up the database (unique)
mysql_connect($hostname,$username,$password);
mysql_select_db($database) or die("Unable to select database");
mysql_query($query) OR die(mysql_error());
}
Thank you all for your help, it seems like a great community that is here. I am sure to keep an eye on it for more fixes.

Categories