I'm hoping someone can give me a suggestion on a challenge I am facing. I am not sure that I'm able to do this the way I envision, so looking for advice from those more experienced.
I have a database table with around 20 columns. It's a lot of columns and unfortunately I cannot change that. The goal is to take a form submission and insert it into this table. So what I have is, the field names are identical to the column names in the database.
To try and keep the code cleaner, I would like to just pull the entire form (key and value) in, instead of doing the traditional $varWhatever = $_POST['whatever']; 20 times. Using something like this: foreach ($_POST as $key => $value)
Now my question is, if at all possible, how can I run that foreach loop in a way that will let me put the keys and values into a single SQL statement?
"INSERT INTO table_name (Loop all keys here) VALUES (Loop related values here)"
Is this even possible, or should I just go back to the more traditional way I mentioned above?
One way I am thinking is, before starting the loop, I could create the empty row and grab it's ID, then within the loop, I could run an update query on the row matching the ID. Sounds sloppy though.
Here is a solution I came up with. You first have to define an array of field names that acts as a whitelist of expected inputs. Then you just loop through that array to build a parameters array to bind the submitted values. And implode the array with a comma when building the query.
$fields = array('field1','field2','field3');
$binds = array();
foreach ($fields as $field) {
$binds[":$field"] = $_POST[$field];
}
$sql = "INSERT INTO table_name (" . implode(',',$fields) . ") VALUES (" . implode(',',array_keys($binds)) . ")";
$db->prepare($sql);
$db->execute($binds);
This assumes you are using PDO.
Yes, you can loop for all keys (eg. do an array_keys), but I don't recommend blindly taking any submission parameter and putting it into a SQL query.
Instead, I would keep a list of all valid columns of the form and work with that, remembering that each value needs sanitization, too.
For example:
<?php
$columns = array('column1', 'column2', 'column3', …);
foreach ($columns as $column) {
if (!isset($_POST[$column])) {
die("No data for column $column\n");
}
}
if (!check_csrf($_POST['csrt_token'])) { … }
# (setup database connection)
$SQL = "INSERT INTO table_name (" . implode(", ", $columns) . ") VALUES (";
foreach ($column as $column) {
$SQL .= "'" . $mysqli->real_escape_string($_POST[$column]) . "',";
}
$SQL[strlen($SQL)-1] = ')';
$mysqli->query($SQL);
I have a query which is not inserting if i use the where clause, without the where clause it inserts data. this is weird and I have never seen it happen before in WAMP
$key=substr(md5(rand(0, 1000000)), 0, 5);
$key1="INSERT INTO login(key_id) VALUES('$key')
WHERE (email_id = '" . mysql_real_escape_string($_POST['email_id']) . "')"
if(mysql_query($key1))
{
$message = 'User Added!.';
echo "<SCRIPT>
alert('$message');
location='forgotpassword.php';
</SCRIPT>";
}
If I echo $_POST['email_id'] it does return valid result
INSERT and WHERE do not mix.
when INSERTing, you are creating a new record.
WHERE is used with SELECTing DELETEing or UPDATEing, when you have to specify a filter which rows you want to SELECT, DELETE or UPDATE.
if you want to INSERT a row, do not use WHERE.
if you want to change a row, use
$key1="UPDATE login SET key_id = '$key' WHERE
(email_id = '" . mysql_real_escape_string($_POST['email_id']) . "')";
Insert is only used on creating new record and where clause is only used if want to set any condition it is used with like select,update,delete.
Try this it will help:-
$key1="update login set key_id ='$key' WHERE
(email_id = '" . mysql_real_escape_string($_POST['email_id']) . "')";
I know #Franz-Gleichmann is already explained very well, whats wrong in your code.
You need to use UPDATE for updating data modified code:
$key1 = "UPDATE login SET key_id = '$key' WHERE
(email_id = '" . mysql_real_escape_string($_POST['email_id']) . "')";
Now i am adding two more points:
Please use mysqli_* or PDO, because mysql_* is deprecated and not available in PHP 7.
You missed the termination semi colon on the same line, i hope this is typo error.
Hey I am currently trying to insert a global variable to a table. The other values I pass are variables too but they get sent correctly.
Here is my query. my error handling does not capture anything
$result = mysql_query("INSERT INTO IPmanagement (userId, NameUsed, EmailUsed, IPStatus, Ip) VALUES ('" .$masterUserId . "', '" . $Entry['LeadName'] . "', '" . $Entry['LeadEmail'] . "', '0', '" . $ip . "')") or die(ErrorException("Function 6", "Error when processing the current lead. your data is unaffected and if the proccess continues please contact an Admin.", mysql_error(),$_SERVER['REMOTE_ADDR'], CurrentPath(), $masterUserId));
my variable that is global defined before the function is
$masterUserId = "1";
I tried echoing the variable before it sends and it echos out correctly YET my table holds a value of 0.
here is a screenshot of how I have my table setup.
Click for Larger Image
Any idea what is going on. I am rather stumped and tried writing this same code different ways and it still gives me same issue. Also $masterUserId will always be an int value
Edit: also would like to mention the variable is different .php that contains the varaiable and database login information. It is being included at the top. (don't know if that is relevant)
Because you are not inserting IP STATUS.Which is not null
\
You should either set this to null or enter some value to it.
If you are using query in a function than use like this
function (){
//than define
$globat $masterUserId;
// use the global defination
// than use this variable with global value
}
Do not use mysql_*. Replace them with mysqli_* or PDO::.
Did you try to echo the mysql_query()? Do this. Replace mysql_query("..."); with die("..."); and put it in the phpMyAdmin and try executing.
And in your table, I see that IP Status is a NOT NULL. So that might throw an exception. Use a default value in the table.
And yeah, what do you get the result as in mysql_error()?
Why ''' or "' in query?
I have cleaned up query with PHP function sprintf and using NULL for EntryID(Autoincrement)
$query = sprintf("INSERT INTO IPmanagement (EntryID,userId, NameUsed, EmailUsed, IPStatus, Ip) VALUES (NULL,%s,%s,%s,'0',%s)",
$masterUserId , $Entry['LeadName'] , $Entry['LeadEmail'] , $ip ));
$result = mysql_query($query);
You should also use MySQLi or PDO
i'm having trouble with the code below. it's been simplified to show the problem. i use a loop because the input names are identical and need to create multiple new rows in a mysql table. the problem is i'm using $_POST['name'][$i] and the table won't accept because it doesn't see it as 'text?, ...i think.
like i said, code's been greatly simplified.
for($i=0;$i<count($_POST['url']); $i++) {
$sql = 'INSERT INTO urls (url) VALUES ('. $_POST['url'][$i].')';
if(!mysql_query($sql)) {
echo "error " . mysql_error();
}
}
i tried to rememdy with this -
$sql = 'INSERT INTO urls (url) VALUES ('. '"'. $_POST['url'][$i].'"'. ')';
if i do this it works, there is no error
$sql = 'INSERT INTO urls (url) VALUES (' " hello " ')';
this is probably a newbie type mistake, right? thanks for any help with this.
A cleaner way (and the errors are fixed):
$urls = (isset($_POST['url']) && is_array($_POST['url'])) ? $_POST['url'] : array();
foreach($urls as $url) {
if(!is_string($url)) {
continue;
}
$sql = "INSERT INTO urls (url) VALUES ('" . mysql_real_escape_string($url) . "')";
if(!mysql_query($sql)) {
echo "error " . mysql_error();
}
}
Making sure the $_POST['url'] is an array will keep from trying to treat a non array (or non-existent key) as an array. The is_string is to protect from a user trying to throw in a sub array to get PHP to throw a "using array as string" notice. The escape is to avoid SQL injection, and the single quotes added are so MySQL knows it's a string.
You simply need to add quotes around the POSTed value in your MySQL query like below. Also, if you don't escape the input, it's a massive SQL injection vulnerability:
$data = mysql_escape_string($_POST['url'][$i]);
$sql = 'INSERT INTO urls (url) VALUES ("'.$data.'")';
The query breaks MySQL because MySQL thinks your post value is supposed to be numeric without the quotes.
It would be helpful to see that actual error message returned by mysql_error() but I think your problem is that you're not providing the $_POST value to the sql query as thought it's text.
try replacing
$sql = 'INSERT INTO urls (url) VALUES ('. $_POST['url'][$i].')';
with
$sql = "INSERT INTO urls (url) VALUES ('". mysql_real_escape_string($_POST['url'][$i]) ."')";
You need to escape your $_POST variables before you insert them via an SQL statement, preferably using the mysql_real_escape_string() function to fortify your query against SQL injection attacks.
Answer provided by Corbin is good - however try not to fire insert queries in a loop.
You could create the sql query as one string and then fire the insert query once.
You could change your insert statement from
insert into table (field) values(1);
insert into table (field) values(1);
To:
insert into table (field) values(1), (2), (3), (4)...
This is a more optimal solution - however mysql has a max length to which it can take sql statements - therefore use your best judgement.
try this statement
$sql = "INSERT INTO urls (url) VALUES ('". mysql_real_escape_string($_POST['url'][$i])."')";
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
I am getting this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's','portal','','offering','MSNBC','News','','sports','','MSN','Money','','games'' at line 3
The only problem is that this error shows up when inserting data that contains an apostrophe. I tried changing the data type from VARCHAR to TEXT, but the result is still the same.
I tried to put in addslashes()
How do I fix this?
$query=" INSERT INTO alltags
(id,tag1,tag2,tag3,tag4,tag5,tag6,tag7,tag8,tag9,tag10,tag11,tag12,tag13,tag14,tag15,tag16,tag17,tag18,tag19,tag20,tag21,tag22,tag23,tag24,tag25,tag26,tag27,tag28,tag29,tag30)
VALUES
('',mysql_real_escape_string($uniqkey[0]),mysql_real_escape_string($uniqkey[1]),mysql_real_escape_string($uniqkey[2]),mysql_real_escape_string($uniqkey[3]),mysql_real_escape_string($uniqkey[4]),mysql_real_escape_string($uniqkey[5]),mysql_real_escape_string($uniqkey[6]),mysql_real_escape_string($uniqkey[7]),mysql_real_escape_string($uniqkey[8]),mysql_real_escape_string($uniqkey[9]),mysql_real_escape_string($uniqkey[10]),mysql_real_escape_string($uniqkey[11]),mysql_real_escape_string($uniqkey[12]),mysql_real_escape_string($uniqkey[13]),mysql_real_escape_string($uniqkey[14]),mysql_real_escape_string($uniqkey[15]),mysql_real_escape_string($uniqkey[16]),mysql_real_escape_string($uniqkey[17]),mysql_real_escape_string($uniqkey[18]),mysql_real_escape_string($uniqkey[19]),mysql_real_escape_string($uniqkey[20]),mysql_real_escape_string($uniqkey[21]),mysql_real_escape_string($uniqkey[22]),mysql_real_escape_string($uniqkey[23]),mysql_real_escape_string($uniqkey[24]),mysql_real_escape_string($uniqkey[25]),mysql_real_escape_string($uniqkey[26]),mysql_real_escape_string($uniqkey[27]),mysql_real_escape_string($uniqkey[28]),mysql_real_escape_string($uniqkey[29])) ";
mysql_query($query) or die(mysql_error());
I changed it to mysql_real_escape_string. Is this syntax correct? I am getting errors.
The process of encoding data which contains characters MySQL might interpret is called "escaping". You must escape your strings with mysql_real_escape_string, which is a PHP function, not a MySQL function, meaning you have to run it in PHP before you pass your query to the database. You must escape any data that comes into your program from an external source. Any data that isn't escaped is a potential SQL injection.
You have to escape your data before you build your query. Also, you can build your query programmatically using PHP's looping constructs and range:
// Build tag fields
$tags = 'tag' . implode(', tag', range(1,30));
// Escape each value in the uniqkey array
$values = array_map('mysql_real_escape_string', $uniqkey);
// Implode values with quotes and commas
$values = "'" . implode("', '", $values) . "'";
$query = "INSERT INTO alltags (id, $tags) VALUES ('', $values)";
mysql_query($query) or die(mysql_error());
Using mysql_real_escape_string is a safer approach to handling characters for SQL insertion/updating:
INSERT INTO YOUR_TABLE
VALUES
(mysql_real_escape_string($var1),
mysql_real_escape_string($var2))
Also, I'd change your columns back from TEXT to VARCHAR - searching, besides indexing, works much better.
Update for your update
Being that id is an auto_increment column you can:
leave it out of the list of columns, so you don't have to provide a value in the VALUES clause:
INSERT INTO alltags
(tag1,tag2,tag3,tag4,tag5,tag6,tag7,tag8,tag9,tag10,tag11,tag12,tag13,tag14,tag15,tag16,tag17,tag18,tag19,tag20,tag21,tag22,tag23,tag24,tag25,tag26,tag27,tag28,tag29,tag30)
VALUES
(mysql_real_escape_string($uniqkey[0]),mysql_real_escape_string($uniqkey[1]),mysql_real_escape_string($uniqkey[2]),mysql_real_escape_string($uniqkey[3]),mysql_real_escape_string($uniqkey[4]),mysql_real_escape_string($uniqkey[5]),mysql_real_escape_string($uniqkey[6]),mysql_real_escape_string($uniqkey[7]),mysql_real_escape_string($uniqkey[8]),mysql_real_escape_string($uniqkey[9]),mysql_real_escape_string($uniqkey[10]),mysql_real_escape_string($uniqkey[11]),mysql_real_escape_string($uniqkey[12]),mysql_real_escape_string($uniqkey[13]),mysql_real_escape_string($uniqkey[14]),mysql_real_escape_string($uniqkey[15]),mysql_real_escape_string($uniqkey[16]),mysql_real_escape_string($uniqkey[17]),mysql_real_escape_string($uniqkey[18]),mysql_real_escape_string($uniqkey[19]),mysql_real_escape_string($uniqkey[20]),mysql_real_escape_string($uniqkey[21]),mysql_real_escape_string($uniqkey[22]),mysql_real_escape_string($uniqkey[23]),mysql_real_escape_string($uniqkey[24]),mysql_real_escape_string($uniqkey[25]),mysql_real_escape_string($uniqkey[26]),mysql_real_escape_string($uniqkey[27]),mysql_real_escape_string($uniqkey[28]),mysql_real_escape_string($uniqkey[29])) ";
include id in the list of columns, which requires you use either value in its place in the VALUES clause:
NULL
DEFAULT
Here's an example using NULL as the id placeholder:
INSERT INTO alltags
(id,tag1,tag2,tag3,tag4,tag5,tag6,tag7,tag8,tag9,tag10,tag11,tag12,tag13,tag14,tag15,tag16,tag17,tag18,tag19,tag20,tag21,tag22,tag23,tag24,tag25,tag26,tag27,tag28,tag29,tag30)
VALUES
(NULL,mysql_real_escape_string($uniqkey[0]),mysql_real_escape_string($uniqkey[1]),mysql_real_escape_string($uniqkey[2]),mysql_real_escape_string($uniqkey[3]),mysql_real_escape_string($uniqkey[4]),mysql_real_escape_string($uniqkey[5]),mysql_real_escape_string($uniqkey[6]),mysql_real_escape_string($uniqkey[7]),mysql_real_escape_string($uniqkey[8]),mysql_real_escape_string($uniqkey[9]),mysql_real_escape_string($uniqkey[10]),mysql_real_escape_string($uniqkey[11]),mysql_real_escape_string($uniqkey[12]),mysql_real_escape_string($uniqkey[13]),mysql_real_escape_string($uniqkey[14]),mysql_real_escape_string($uniqkey[15]),mysql_real_escape_string($uniqkey[16]),mysql_real_escape_string($uniqkey[17]),mysql_real_escape_string($uniqkey[18]),mysql_real_escape_string($uniqkey[19]),mysql_real_escape_string($uniqkey[20]),mysql_real_escape_string($uniqkey[21]),mysql_real_escape_string($uniqkey[22]),mysql_real_escape_string($uniqkey[23]),mysql_real_escape_string($uniqkey[24]),mysql_real_escape_string($uniqkey[25]),mysql_real_escape_string($uniqkey[26]),mysql_real_escape_string($uniqkey[27]),mysql_real_escape_string($uniqkey[28]),mysql_real_escape_string($uniqkey[29])) ";
I want to really stress that you should not setup your columns like that.
Slight improvement of meagar's answer:
EDIT: meagar updated his post, so his answer is now better.
$query = 'INSERT INTO alltags (id, ';
// append tag1, tag2, etc.
$query .= 'tag' . implode(', tag', range(1, 30)) . ") VALUES ('', ";
// escape each value in the uniqkey array
$escaped_tags = array_map('mysql_real_escape_string', $uniqkey);
// implode values with quotes and commas, and add closing bracket
$query .= "'" . implode("', '", $escaped_tags) . "')";
// actually query
mysql_query($query) or die(mysql_error());
Please look at meagars answer. This is the correct code.
If you want to use the misguided mysql_query() function, then you have to break up the SQL string as follows:
mysql_query(
"INSERT INTO whateever (col1,col2,col3,col4) VALUES ("
. mysql_real_escape_string($col1)
. ","
. mysql_real_escape_string($col2)
. ","
. mysql_real_escape_string($col3)
. ","
. mysql_real_escape_string($col4)
. ")"
);
Or since you have an array, use the clever method call to escape all at once:
$uniqkey = array_map("mysql_real_escape_string", $uniqkey);
mysql_query("USE THE ESCAPED ARRAY THEN DIRECTLY ('$uniqkey[0]', '$uniqkey[1]', '$uniqkey[2]', '$uniqkey[3]', ...");