NYCPHP Meetup

NYPHP.org

[nycphp-talk] can't populate db table with csv - Ican't believethis!

Phil Powell soazine at erols.com
Wed Sep 10 22:35:36 EDT 2003


Um, guys I &*AM* using double quotes AND single quotes AND
mysql_escape_string().. see for yourself:

$rowNumber = 1; $sql = ''; $startSQL = '';
  $varcharArray = array('varenr', 'navn', 'farge_code');

  while ($row = fgetcsv($fileID, 100000, ',')) {
   if ($rowNumber == 1) {
    $startSQL .= 'INSERT INTO nnet_produkt(';
    for ($i = 0; $i < sizeof($row); $i++)
     $startSQL .= 'nnet_produkt_' . $row[$i] . ', ';
    $startSQL = trim($startSQL, ', ') . ') VALUES (';
   }
   if ($rowNumber > 1) {
    for ($i = 0; $i < sizeof($row); $i++) {
     print_r("row number $rowNumber: " . $row[$i] . "\n<P>");
     if (!in_array($row[$i], $varcharArray) && strlen($row[$i]) > 0) {
      $sql .= $row[$i] . ', ';
     } elseif (strlen($row[$i]) > 0) {
      $sql .= "'" . mysql_escape_string(htmlspecialchars($row[$i])) . "', ";
     } elseif (!in_array($row[$i], $varcharArray)) {
      $sql .= 0 . ', ';
     } else {
      $sql .= "'', ";
     }
    }
    $sql = $startSQL . trim($sql) . ')';
   }
   if ($rowNumber > 1) {
    print_r($sql . "\n<P>");
    if (!mysql_query($sql)) die('Could not perform insert: ' . $sql . ' ' .
mysql_error());
    $sql = '';
   }
   $rowNumber++;
  }

Phil
----- Original Message ----- 
From: "Brian Pang" <bpang at bpang.com>
To: "NYPHP Talk" <talk at lists.nyphp.org>
Sent: Wednesday, September 10, 2003 10:32 PM
Subject: Re: [nycphp-talk] can't populate db table with csv - Ican't
believethis!


> yes, everything
>
> if the string being enclosed in single quotes contains an apostrophe, or
> other instance of a single quote, it will need to be escaped like \'
>
> I think that Hans is recommending using mysql_escape_string() to ensure
> that everything is escaped that might need it (like double quotes).
>
>
> HOWEVER
>
> if your php script is attempting to insert any variables, you will need
> to use double quotes in place of the single quote as the encapsulator.
>
> PHP doesn't parse within the single quote.
>
> You would still want to use mysql_escape_string()
>
>
> I always use double quotes even though it means that values are being
> parsed for no reason. It's just easier for me that way and I haven't
> (been fortunate enough to have) had a problem with it creating excessive
> load, yet.
>
>
>
>
>
> > Um, I don't understand.  Every single thing should be encased in '' and
is
> > escaped with mysql_escape_string().  I know the basics of SQL too.  I
just
> > can't do this bit of code!
> >
> > Phil
> > ----- Original Message ----- 
> > From: "Hans Zaunere" <hans at nyphp.org>
> > To: "NYPHP Talk" <talk at lists.nyphp.org>
> > Sent: Wednesday, September 10, 2003 8:22 PM
> > Subject: Re: [nycphp-talk] can't populate db table with csv - I can't
> > believethis!
> >
> >
> > >
> > > Phil,
> > >
> > > > Go to http://www.nordicnet.no/admin/alle_produkter.php and you can
see
> > > > the damage!
> > >
> > > You need to learn some basics of working with SQL.  In MySQL, Oracle,
> > PostgreSQL, and just about everything else, values should always be
> enclosed
> > in single quotes [1].
> > >
> > > With the SQL you show above, none of the values are enclosed in single
> > quotes, and since one of the values contains a single quote itself, it
> gives
> > an error.  You'll also need to use mysql_escape_string() for every
> value you
> > create a SQL statement from; this escapes special chars that SQL will
> > interpret as having meaning.  See http://php.net/mysql_escape_string
> > >
> > > > Otherwise, I'm going to have to send the code to you guys, along
with
> > > > the .csv file and maybe you can do what I cannot.   I might as
> well quit
> > > > this project!
> > >
> > > I think you might have to move to a pay-per-incident support plan  :)
> > >
> > > But this is a simple problem to resolve; you should have no problem
with
> > it.
> > >
> > > H
> > >
> > > [1] For the purposes of this discussion
> > >
> > >
> > > _______________________________________________
> > > talk mailing list
> > > talk at lists.nyphp.org
> > > http://lists.nyphp.org/mailman/listinfo/talk
> >
> > _______________________________________________
> > talk mailing list
> > talk at lists.nyphp.org
> > http://lists.nyphp.org/mailman/listinfo/talk
> >
> >
>
>
>
> _______________________________________________
> talk mailing list
> talk at lists.nyphp.org
> http://lists.nyphp.org/mailman/listinfo/talk




More information about the talk mailing list