My method $csv->getContent(); contains my column names and the 'data' is my individual rows to import to the database. The loop below works flawlessly when importing my various CSVs to the database. However, when I have a column in the CSV that has html content, many rows import fine but there are some that do not and I get the SQLSTATE[HY093]: "Invalid parameter number: number of bound variables does not match number of tokens" error.
From my research, I am seeing that doing things the way I have shown below is supposed to properly escape characters to avoid the need for addslashes but it does not seem to make a difference. The only time this does work is if I addslashes(addslashes($values)); but thats kind of ridiculous and it leaves my content in the database with \\\ before the applicable characters.
Am I missing a step here or am I just stuck. The way I see it, I should be able to "bulletproof" my content to get it into my db each and every time.
$this->db->exec("SET CHARACTER SET utf8");
$this->db->beginTransaction();
$content = $csv->getContent();
foreach($content['data'] as $key => $value) {
$sql = "INSERT INTO `".$destination_table."` (`";
$sql .= implode("`, `", $content['columns']);
$sql .= "`) VALUES (";
$sql .= implode(", ", array_fill(0, count($content['columns']), "?"));
$sql .= ")";
$statement = $this->db->prepare($sql);
$statement->execute($value);
}
$this->db->commit();
I do not prefer your code. What if there are thousands of data and you loop each data then insert to database. There is a mysql query to import csv file to database table.
source: how-to-import-csv-file-to-mysql-table
Ok, I have found an answer to my question. I built a small app for personal use where I can keep the content for auctions I list online. Some of the content is old and contains mal-formed html so when parsing the csv and importing into the database, mal-formed html can really screw things up. However, after more research and reading, the "bindParam" and then "execute" methods of PDO allowed to seemlessly import the content no matter how poorly formed the html is. Here is how I structured my test query and then just kept experimenting with messed up html to the database.
$sql = $objDb->prepare('UPDATE `autolist_html` SET `value` = :html WHERE entity = "'.$entity[1].'"');
$sql->bindValue(':html',$_POST[$entity[1].'_html'],PDO::PARAM_STR);
$sql->execute();
Related
I am trying to integrate a PHP plugin with my web app, but I am stuck with storing the values that I receive from an XML file to a table in my database.
This is what I have so far, but when I run the PHP script it does not save to the database. I have created a table in my database with one column (type=text, name=test)
global $mysqli;
$str = serialize($Items);
printF($str);
$result = $mysqli->query("INSERT INTO nepremicnine (test) VALUES ('$str');");
$Items probably contains some strings with single quotes, and this is causing a syntax error when you substitute it into the INSERT query. Use a prepared statement to avoid problems with special characters.
$stmt = $mysqli->prepare("INSERT INTO nepremicnine (test) VALUES (?);");
$stmt->bind_param("s", $str);
$result = $stmt->execute();
I have a web application which accepts an Excel spreadsheet, parses the data, and adds that data to a MySQL database. Some of the sheets are fine, everything works as expected. However some sheets are not returning true when they should. Before data is entered I have a general purpose function which will check that table for the value and then return true or false. This function looks like this:
//Check if a sql will return with any values
function tableCheck($table, $column, $value){
//PDO Connecttion
$core = Core::getInstance();
$sql = "SELECT * FROM $table WHERE $column = :value;";
//Create a prepared statement
$stmt = $core->dbh->prepare($sql);
$stmt->bindParam(':value', $value, PDO::PARAM_STR);
$stmt->execute();
//return true if there is a hit on that value
if($stmt->rowCount() > 0){
return true;
} else {
return false;
}
}
Like I said this works some of the time and some of the time it doesn't and I get tons of repeated values from that sheet. Obviously this seriously messes with my data.
At first I thought it had to do with special characters but I have since found sheets where this field does not have special characters have a similar problem. This problem only occurs on a single column as well. Other fields of the sheet parse perfectly fine in all cases.
Any idea on what could be causing this problem?
EDIT: I also want to note that if i copy/paste the data into MySQL workbench or the command line it does return the rows.
This looks dangerous, but I'm sure you're doing some sort of filtering, right? :)
Sounds to me like some of your table or column names could be reserved words, for example AS and BY.
Put ticks around them in your query:
$sql = "SELECT * FROM `$table` WHERE `$column` = :value;";
The problem was that the data being entered was larger than the field would accept. The column was a VARCHAR and the incoming data was greater than 255 characters. I switched to a TEXT data type and the problem was solved.
It sounds strange to me. I have a simple PHP script that inserts data into MYSQL table.
Upon receiving the content from the client via AJAX the data is stored in a variable:
$content=$_POST['content'];
$sql="insert into contents values('$content')";
mysql_query($sql);
The problem is that if the content contains a '&' symbol,the sub-string before & is stored in MYSQL and the rest of the string is discarded. If I try directly in MYSQL then it stores complete string containg & symbol.why?
The problem is that mysql regocnizes '&' as AND. Check this out:
$content = mysql_real_escape_string($_POST['content']);
$sql = "insert into contents (column) values('$content')";
mysql_query($sql);
First off if this site is live take it down lol. This is classic sql injection vulnerability.
You need to be using mysqli now instead of mysql.
The way you use this is the same but it has this REALLY cool feature called 'real escape string'
What it does is parameterize the data before you pass it into the database
$content = $_POST['content'];
$connection = new mysqli('ipaddress','username','password','database');
$content = $connection->real_escape_string($content);
$sql="insert into contents values('$content')";
$connection->query($sql);
This is a much safer way of passing in data
I want to load data from several CSV documents in a database.
The problem is that there is a table for a file, thus the table name has to be stored in a variable progressively updated by the loop. The tables are created, but after that the script fails; Nothing happens, my tables and their fields always have 0 lines.
I think that my idea is feasible, because some topics describe some tips in this way, but nothing works in my case.
This is my code that fails:
$query = "INSERT INTO". $name_of_the_file." (id, content) values (". $arrayGenre[0].",'".trim($arrayGenre[1])."')";
where $name_of_the_file refers to the table created in the loop, referring ultimately to the file targeted by the loop.
Following your recommendations, I added a space and print the query by:
echo ("<br>". $query);
Here is an example for the first line. No offense for the xxx substitutions: these are nominative data.
INSERT INTO names.csv (id, url, content) values (1,'xxx_some_adressxxx,'agency: xxx')
I do not know enough PHP to say that it is the expected result, but that seems a good SQL request and the values are fine.
Here are the next lines of my script:
$mysqli->query($query);
and at the beginning of my script, the definition of $mysqli:
$mysqli = new mysqli($dbhost, $dbuser, $dbpass, $dbname);
New edit :
Well it was in fact SQL code which was badly written...
Try adding a space:
$query = "INSERT INTO ". $name_of_the_file ...
It's always worth outputting your SQL via echo to make sure it looks like what you expect it to look like.
Edit:
INSERT INTO names.csv (id, url, content) values (1,'xxx_some_adressxxx,'agency: xxx')
You need to add an apostrophe at the end of the second field:
INSERT INTO names.csv (id, url, content) values (1,'xxx_some_adressxxx','agency: xxx')
I'd also recommend that you look into things like PDO, to make your code more robust and more secure.
You can also try pasting your SQL directly into the database, to see if it gives you an error.
I'm using cURL to pull selected data out of web pages, until recently I've been recording the output to plain text files but now that I have a better appreciation of MySQL/SQLite I've decided to make the full switch to relational databases, just makes managing data so much easier.
But I've run into a couple of issues I haven't been able to solve on my own:
1) EDIT: problem solved by simply using sqlite_escape_string individually.
However the other problem remains:
2) The content that gets inserted into the database appears to have it's encoding messed up e.g. ™ becomes â„¢, ' becomes ’ and so forth. This happens ONLY when it is being processed by SQLite, if I otherwise echo the exact same data out or save it to text file the encoding (UTF-8) is preserved and everything renders properly.
I've tried using utf8_encode(); prior to insertion but that just messes things up even more. I should note that manual editing after insertion works so the issue is clearly not with the DB itself but with the way the data is being inserted into it
Here's the current code:
$name = sqlite_escape_string($name);
$category = sqlite_escape_string($category);
$html = sqlite_escape_string($html);
$db = new SQLiteDatabase('DB.sqlite');
$query = 'INSERT INTO Table (Name, Category, Html)' . "VALUES ('$name', '$category', '$html')";
$db->queryExec($query);
Apparently others are having similar issues with this:
Link
Link
$insert = compact('name','category','html');
$insert = array_map('sqlite_escape_string',$insert);
$insert = '"'. implode('", ',$insert).'"';
Or one-liner:
$insert = '"'. implode('", ', array_map('sqlite_escape_string', compact('name','category','html'))).'"';