Jump to content

[SOLVED] Multiple Inserts in one query and mysql_real_escape_string

Prodigal Son

By Prodigal Son
in PHP Coding Help

 Share

Recommended Posts

Prodigal Son Member

Prodigal Son

Posted
Posted

Is it possible to mysql_real_escape_string a big long string that I would use to insert?

I.e., lets say I have this:

foreach ($strs as $str) {
  $name = $str['name'];
  $email = $str['email'];
  $insert_q = "('$name', '$email', NOW())";
  $insert .= $insert_q . ',';
}
$insert = substr($insert, 0, -1); //take off last comma
$query = "INSERT INTO table (name, email, time) VALUES " . mysql_real_escape_string($insert);
mysql_query($query);

I have a feeling that's very wrong. How else should I be doing it?

Link to comment
Share on other sites
abouchoud Newbie

abouchoud

Posted
Posted

hello,

 

here is an example... you can find it on php.net by searching for the mysql_real_escape_string function!!

 

....

....

$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password');

 

    if(!is_resource($link)) {

 

        echo "Échec de la connexion au serveur\n";

        // ... historisation de l'erreur

 

    } else {

 

        // Annule les effets magic_quotes_gpc/magic_quotes_sybase sur ces variables si ON.

 

        if(get_magic_quotes_gpc()) {

            $product_name        = stripslashes($_POST['product_name']);

            $product_description = stripslashes($_POST['product_description']);

        } else {

            $product_name        = $_POST['product_name'];

            $product_description = $_POST['product_description'];

        }

 

        // Faire une requête sécurisée

        $query = sprintf("INSERT INTO products (`name`, `description`, `user_id`) VALUES ('%s', '%s', %d)",

                    mysql_real_escape_string($product_name, $link),

                    mysql_real_escape_string($product_description, $link),

                    $_POST['user_id']);        mysql_query($query, $link);

....

....

Link to comment
Share on other sites
Prodigal Son Member

Prodigal Son

Posted
  • Author
Posted

hello,

 

here is an example... you can find it on php.net by searching for the mysql_real_escape_string function!!

 

....

....

$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password');

 

    if(!is_resource($link)) {

 

        echo "Échec de la connexion au serveur\n";

        // ... historisation de l'erreur

 

    } else {

 

        // Annule les effets magic_quotes_gpc/magic_quotes_sybase sur ces variables si ON.

 

        if(get_magic_quotes_gpc()) {

            $product_name        = stripslashes($_POST['product_name']);

            $product_description = stripslashes($_POST['product_description']);

        } else {

            $product_name        = $_POST['product_name'];

            $product_description = $_POST['product_description'];

        }

 

        // Faire une requête sécurisée

        $query = sprintf("INSERT INTO products (`name`, `description`, `user_id`) VALUES ('%s', '%s', %d)",

                    mysql_real_escape_string($product_name, $link),

                    mysql_real_escape_string($product_description, $link),

                    $_POST['user_id']);        mysql_query($query, $link);

....

....

Yea, but that's just one insert isn't it? I'm doing multiple inserts. Do I just do:

foreach ($strs as $str) {
  $name = mysql_real_escape_string($str['name']);
  $email = mysql_real_escape_string($str['email']);
  $insert_q = "('$name', '$email', NOW())";
  $insert .= $insert_q . ',';
}
$insert = substr($insert, 0, -1); //take off last comma
$query = "INSERT INTO table (name, email, time) VALUES " . mysql_real_escape_string($insert);
mysql_query($query);

Is it ok to use the mysql_real_escape_string at that point, or does it need to be when you write the query?

Link to comment
Share on other sites
Prodigal Son Member

Prodigal Son

Posted
  • Author
Posted

No, you want to escape each value. Escaping the finished string will break the query.

Yea, I figured it would be something like that. Would this work (and is safe)?

foreach ($strs as $str) {
  $name = mysql_real_escape_string($str['name']);
  $email = mysql_real_escape_string($str['email']);
  $insert_q = "('$name', '$email', NOW())";
  $insert .= $insert_q . ',';
}
$insert = substr($insert, 0, -1); //take off last comma
$query = "INSERT INTO table (name, email, time) VALUES " . mysql_real_escape_string($insert);
mysql_query($query);

Link to comment
Share on other sites
abouchoud Newbie

abouchoud

Posted
Posted

ok

 

No it is completly wrong. This function is not used correctly. What I understand from that function is that, it protects the special caracters that your $insert string variable contains. But, it has not the ability to deconcatenate the string. Plus, the way you inserted the date in to your $insert string variable  is wrong too!

 

let say you have 3 values to enter as the example you provided us:

 

example :

the $insert string variable now contains :

chadchad@hotmail.com08-07-0804:47:58pm,chrischris@hotmail.com08-07-0804:47:58pmnatashanatasha@hotmail.com08-07-0804:47:58pm

 

I don't see how you can separate you values of each record in you $insert string variable.

 

You need, first of, to find a way to save the values like this:

chad&&chad@hotmail.com&&08-07-0804:47:58pm,chris&&chris@hotmail.com&&08-07-0804:47:58pm,natasha&&natasha@hotmail.com&&08-07-0804:47:58pm

 

then after that you have to try to insert your values by deconcatinating you $insert string so it match your table column (name, email, time)

 

 

 

Link to comment
Share on other sites
discomatt Member

discomatt

Posted
Posted

You got the right idea.. but it's a little messy. Try this one

 

$values = array();
foreach( $strs as $str ) {
$name = mysql_real_escape_string($str['name']);
$email = mysql_real_escape_string($str['email']);
$values[] = "('$name', '$email', NOW())";
}

$query = "INSERT INTO table (name, email, time) VALUES " . implode( ',', $values );
mysql_query($query);

 

implode() will save you from that last comma. Personally, I'd do it like this ( to save a bit of memory )

 

foreach( $strs as $key => $str )
$strs[$key] = 
	"('". mysql_real_escape_string($str['name']) ."', ".
	"'". mysql_real_escape_string($str['email']) ."', ".
	"NOW())";

$query = "INSERT INTO table (name, email, time) VALUES " . implode( ',', $strs );
mysql_query($query);

 

This is assuming you won't use $strs later in the script though... but as you can see, no new variables are created, thus saving a little bit of room

Link to comment
Share on other sites
discomatt Member

discomatt

Posted
Posted

ok

 

No it is completly wrong. This function is not used correctly. What I understand from that function is that, it protects the special caracters that your $insert string variable contains. But, it has not the ability to deconcatenate the string. Plus, the way you inserted the date in to your $insert string variable  is wrong too!

 

let say you have 3 values to enter as the example you provided us:

 

example :

the $insert string variable now contains :

chadchad@hotmail.com08-07-0804:47:58pm,chrischris@hotmail.com08-07-0804:47:58pmnatashanatasha@hotmail.com08-07-0804:47:58pm

 

I don't see how you can separate you values of each record in you $insert string variable.

 

You need, first of, to find a way to save the values like this:

chad&&chad@hotmail.com&&08-07-0804:47:58pm,chris&&chris@hotmail.com&&08-07-0804:47:58pm,natasha&&natasha@hotmail.com&&08-07-0804:47:58pm

 

then after that you have to try to insert your values by deconcatinating you $insert string so it match your table column (name, email, time)

 

Huh?

Link to comment
Share on other sites
Prodigal Son Member

Prodigal Son

Posted
  • Author
Posted

You got the right idea.. but it's a little messy. Try this one

 

$values = array();
foreach( $strs as $str ) {
$name = mysql_real_escape_string($str['name']);
$email = mysql_real_escape_string($str['email']);
$values[] = "('$name', '$email', NOW())";
}

$query = "INSERT INTO table (name, email, time) VALUES " . implode( ',', $values );
mysql_query($query);

 

implode() will save you from that last comma. Personally, I'd do it like this ( to save a bit of memory )

 

foreach( $strs as $key => $str )
$strs[$key] = 
	"('". mysql_real_escape_string($str['name']) ."', ".
	"'". mysql_real_escape_string($str['email']) ."', ".
	"NOW())";

$query = "INSERT INTO table (name, email, time) VALUES " . implode( ',', $strs );
mysql_query($query);

 

This is assuming you won't use $strs later in the script though... but as you can see, no new variables are created, thus saving a little bit of room

Thanks, very handy.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.