webguync (author), posted August 18, 2008:

Hello, I need to add mysql_real_escape_string to some existing code, such as:

'" . mysql_real_escape_string($name) . "'

but I am not sure where to insert it into the existing code, which is:

<?php
require_once('databaseClass.php');
if ($_POST) {
    foreach($_POST as $key=>$value) {
        if (empty($value)) {
            if ($key == 'fileurl') {
                $errors[] = 'Please provide the URL to the text file containing the data you want to load';
            } else if ($key == 'dbname') {
                $errors[] = 'Please provide the name of the database into which you want to load the data';
            } else if ($key == 'dbuser') {
                $errors[] = 'Please provide the appropriate Username for the database';
            } else if ($key == 'db_pw') {
                $errors[] = 'Please provide the appropriate PW for the database';
            } else if ($key == 'dbtable') {
                $errors[] = 'Please provide the database table into which you would like to insert data';
            } else if ($key == 'fields') {
                $errors[] = 'Please specify the field names for the table';
            }
        }
    }
    if (!isset($errors)) {
        $file = fopen('../'.$_POST['fileurl'], 'r');
        if ($file) {
            $pattern = '/[\n\r\t]/';
            while (!feof($file)) {
                $line = trim(fgets($file));
                $newline = preg_replace($pattern,'\t',$line);
                $lines[] = explode('\t',$newline);
                //echo (fgets($file));
            }
            fclose($file);
            if (count($lines) > 0) {
                $countSuccess = 0;
                $fields = explode(',',$_POST['fields']);
                //$entryCnt = count($tmp);
                $db = new Database('localhost',$_POST['dbuser'],$_POST['db_pw'],$_POST['dbname'],0);
                for ($i=0; $i<count($lines); $i++) {
                    $tmp = NULL;
                    $sql = 'INSERT INTO '.$_POST['dbtable'].' (';
                    for ($k=0; $k<count($lines[$i]); $k++) {
                        if (isset($lines[$i][$k]) && $lines[$i][$k] != NULL) {
                            $tmp[] = $fields[$k];
                        }
                    }
                    $sql .= implode(',',$tmp);
                    $sql .= ') VALUES (';
                    for ($j=0; $j<count($lines[$i]); $j++) {
                        if (isset($lines[$i][$j]) && $lines[$i][$j] != NULL) {
                            if (is_numeric($lines[$i][$j])) {
                                $sql .= $lines[$i][$j];
                            } else {
                                $sql .= "'".$lines[$i][$j]."'";
                            }
                            if($j != (count($lines[$i])-1)) {
                                $sql .= ',';
                            }
                        }
                    }
                    $sql .= ')';
                    $result = $db->query($sql);
                    if($result) {
                        $countSuccess++;
                    }
                    //echo $sql;
                }
                $db->close();
                if($countSuccess > 0) {
                    header('Location: '.$_SERVER['PHP_SELF'].'?numInserted='.$countSuccess);
                } else {
                    $errors[] = 'No data was inserted into the database. Please check all fields again.';
                }
                //print_r($lines);
            } else {
                $errors[] = 'No data in designated file';
            }
        } else {
            $errors[] = 'Not able to open specified file. Please check that it is the correct URL to text file.';
        }
    }
}
?>
Jabop, posted August 18, 2008:

Use escaping on ALL inserts, on each VALUES field.
webguync (author), posted August 18, 2008:

Could I just do this?

'" . mysql_real_escape_string($sql) . "'
Mchl, posted August 18, 2008:

Try this:

if (is_numeric($lines[$i][$j])) {
    $sql .= $lines[$i][$j];
} else {
    $sql .= "'".mysql_real_escape_string($lines[$i][$j])."'";
}
if($j != (count($lines[$i])-1)) {
    $sql .= ',';
}
}
Jabop, posted August 18, 2008:

Quoting webguync: "Could I just do this? '" . mysql_real_escape_string($sql) . "'"

Yes
webguync (author), posted August 18, 2008:

Apparently this is not where I add this code, because I am getting an error.

<?php
require_once('databaseClass.php');
if ($_POST) {
    foreach($_POST as $key=>$value) {
        if (empty($value)) {
            if ($key == 'fileurl') {
                $errors[] = 'Please provide the URL to the text file containing the data you want to load';
            } else if ($key == 'dbname') {
                $errors[] = 'Please provide the name of the database into which you want to load the data';
            } else if ($key == 'dbuser') {
                $errors[] = 'Please provide the appropriate Username for the database';
            } else if ($key == 'db_pw') {
                $errors[] = 'Please provide the appropriate PW for the database';
            } else if ($key == 'dbtable') {
                $errors[] = 'Please provide the database table into which you would like to insert data';
            } else if ($key == 'fields') {
                $errors[] = 'Please specify the field names for the table';
            }
        }
    }
    if (!isset($errors)) {
        $file = fopen('../'.$_POST['fileurl'], 'r');
        if ($file) {
            $pattern = '/[\n\r\t]/';
            while (!feof($file)) {
                $line = trim(fgets($file));
                $newline = preg_replace($pattern,'\t',$line);
                $lines[] = explode('\t',$newline);
                //echo (fgets($file));
            }
            fclose($file);
            if (count($lines) > 0) {
                $countSuccess = 0;
                $fields = explode(',',$_POST['fields']);
                //$entryCnt = count($tmp);
                $db = new Database('localhost',$_POST['dbuser'],$_POST['db_pw'],$_POST['dbname'],0);
                for ($i=0; $i<count($lines); $i++) {
                    $tmp = NULL;
                    $sql = 'INSERT INTO '.$_POST['dbtable'].' (';
                    for ($k=0; $k<count($lines[$i]); $k++) {
                        if (isset($lines[$i][$k]) && $lines[$i][$k] != NULL) {
                            $tmp[] = $fields[$k];
                        }
                    }
                    $sql .= implode(',',$tmp);
                    $sql .= ') VALUES ('" . mysql_real_escape_string($sql) . "'';
                    for ($j=0; $j<count($lines[$i]); $j++) {
                        if (isset($lines[$i][$j]) && $lines[$i][$j] != NULL) {
                            if (is_numeric($lines[$i][$j])) {
                                $sql .= $lines[$i][$j];
                            } else {
                                $sql .= "'".$lines[$i][$j]."'";
                            }
                            if($j != (count($lines[$i])-1)) {
                                $sql .= ',';
                            }
                        }
                    }
                    $sql .= ')';
                    $result = $db->query($sql);
                    if($result) {
                        $countSuccess++;
                    }
                    //escape $sql;
                }
                $db->close();
                if($countSuccess > 0) {
                    header('Location: '.$_SERVER['PHP_SELF'].'?numInserted='.$countSuccess);
                } else {
                    $errors[] = 'No data was inserted into the database. Please check all fields again.';
                }
                //print_r($lines);
            } else {
                $errors[] = 'No data in designated file';
            }
        } else {
            $errors[] = 'Not able to open specified file. Please check that it is the correct URL to text file.';
        }
    }
}
?>
Mchl, posted August 18, 2008:

Try mine. (It's part of your code with mysql_real_escape_string added.)
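The thread's advice (Jabop, Mchl) is to escape each VALUES entry as it is appended, never the assembled $sql string, which is what produced the error in the post above. Two things the thread does not spell out: mysql_real_escape_string only protects quoted string values, so the table and column names taken from $_POST['dbtable'] and $_POST['fields'] need their own validation, and binding values as placeholders removes the need for per-field escaping altogether. The following is an added example, not code from the thread or from anyone's databaseClass.php; the function names, the identifier allowlist, the PDO connection it expects at execution time, and the sample input are all mine.

```php
<?php
// Added example (not from the thread): build one INSERT per parsed line with
// every value bound as a "?" placeholder, and reject table/column names that
// are not plain identifiers. buildInsert() needs no database, so the
// statement text and bound values can be inspected offline; loadRows()
// assumes the caller supplies a PDO connection (hypothetical here).

/**
 * Validate an identifier (table or column name) against a strict allowlist
 * and wrap it in backticks. Escaping functions only cover string values;
 * names that arrive via $_POST must be checked like this.
 */
function safeIdentifier($name)
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $name)) {
        throw new InvalidArgumentException("Invalid identifier: $name");
    }
    return '`' . $name . '`';
}

/**
 * Build a parameterised INSERT for one parsed line. Returns array($sql, $params)
 * or null when the line has no usable cells. Empty cells are skipped as in the
 * thread's loop, but columns and values are collected together so the two
 * lists always line up (the original could emit a trailing comma when the last
 * cell was empty).
 */
function buildInsert($table, array $fields, array $values)
{
    $columns = array();
    $params  = array();
    foreach ($values as $k => $value) {
        if ($value === '' || $value === null || !isset($fields[$k])) {
            continue;
        }
        $columns[] = safeIdentifier($fields[$k]);
        $params[]  = $value;   // numbers and strings alike are bound, not concatenated
    }
    if (count($columns) === 0) {
        return null;
    }
    $sql = 'INSERT INTO ' . safeIdentifier($table)
         . ' (' . implode(',', $columns) . ')'
         . ' VALUES (' . implode(',', array_fill(0, count($columns), '?')) . ')';
    return array($sql, $params);
}

/**
 * Split a tab-separated line on a real tab character. The thread's loader
 * used the single-quoted string '\t', which is a backslash and a "t".
 */
function parseLine($line)
{
    return explode("\t", trim($line, "\r\n"));
}

/**
 * Execute the built statements against a PDO connection the caller supplies.
 * Returns the number of rows inserted, like the thread's $countSuccess.
 */
function loadRows(PDO $pdo, $table, array $fields, array $lines)
{
    $inserted = 0;
    foreach ($lines as $line) {
        $built = buildInsert($table, $fields, parseLine($line));
        if ($built === null) {
            continue;
        }
        list($sql, $params) = $built;
        $stmt = $pdo->prepare($sql);
        if ($stmt->execute($params)) {
            $inserted++;
        }
    }
    return $inserted;
}

// Constructed sample input: one value contains a single quote, which the
// original concatenation would have placed straight into the query text.
$fields = array('id', 'name', 'city');
$lines  = array("1\tO'Brien\tDublin", "2\tSmith\t");

foreach ($lines as $line) {
    list($sql, $params) = buildInsert('customers', $fields, parseLine($line));
    echo $sql, "\n";
    echo implode(' | ', $params), "\n";
}

// The identifier check rejects a table name that is not a plain identifier.
try {
    buildInsert('bad-name', $fields, array('1'));
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

With a live connection you would call loadRows($pdo, $_POST['dbtable'], explode(',', $_POST['fields']), file('../' . $basename)) in place of the thread's query loop; the quote in O'Brien travels as a bound parameter, and the second line produces a two-column INSERT because its empty city cell is skipped from both lists at once.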
webguync (author), posted August 18, 2008:

Thanks Mchl, I didn't see your previous post.