How can I make this insert statement work?

Here's the challenge:

You've got users uploading a CSV file in order to leverage the utility of an online tool. The tool, however, depends on consistency between the column headings of the CSV file being uploaded and the column headings in the existing database.

Yes, it would be infinitely easier to insist on some naming conventions, but until that day, here's what I came up with:

The user uploads their CSV file. The column headings are read and listed vertically with another field to the right where there's a pulldown featuring all of the possible fields corresponding to the table they're getting ready to upload their data to.

As so...

[screenshot]

The next page is designed to craft an insert statement based on the user's selection. I got it to work! Here's what I did:

$insert_statement = 'insert into twitter_test (';
	for($i=0; $i<=$_POST['column_count']; $i++)
	{
		if (isset($_POST['select_name_'.$i.'']) && $_POST['select_name_'.$i.'']=="")
		{
		header("location:csv_upload_error.php");
		exit();
		}
		else
		{
			$insert_statement.=$_POST['select_name_'.$i.''];
			if($i<$_POST['column_count'])
			{
				$insert_statement.=',';
			}
			else
			{
				$insert_statement.=')';
			}
		}
	}
	$insert_statement.=' VALUES (';
	for($i=0; $i<=$_POST['column_count']; $i++)
	{
	$insert_statement .='\'';
	$insert_statement .='$row['.$i.']';
	$insert_statement .='\'';
		if($i<$_POST['column_count'])
		{
			$insert_statement.=',';
		}
		else
		{
			$insert_statement.=')';
		}
	}


When you run this, it yields the following:

insert into twitter_test (actor_id,actor_display_name,posted_time,geo_coords_lat,geo_coords_lon,location_name) VALUES ('$row[0]','$row[1]','$row[2]','$row[3]','$row[4]','$row[5]')

Perfect! Except for one thing: The data going into the table isn't the data in the CSV file, rather it's literally "$row[0]" and so on.

So just when I think I'm crafting some clever syntax, I realize I'm not yet there.

So, how do I get line 26 ($insert_statement .='$row['.$i.']';) to be interpreted as data coming from my CSV file rather than, literally, $row[0]?

Bring it!
brucegust (PHP Developer) Asked:

tel2 Commented:
Hi Bruce,

I barely know PHP, but:
- 'Single' quotes don't allow for interpolation (i.e. the contents of the quotes will be taken literally instead of interpreted).
- "Double" quotes do.
So try this for line 26:
    $insert_statement .= "$row[$i]";

However, in general, I think the ideal way to handle user-provided data (for security and the ability to handle any characters in the data), is to use placeholders:
    http://php.net/manual/en/pdo.prepared-statements.php
In your case, if all users use your form as intended then you may not need placeholders, but if you want to guard against a hacker doing SQL injection (for example) by posting data without using your form, then I suggest you use placeholders.
0
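
The placeholder approach tel2 links to, applied to this question's form, as an added example that is not code from the thread. It assumes the pdo_sqlite extension for an in-memory stand-in table, treats column_count as the last index (as the question's loops do), and uses constructed sample data; the function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Column names come from the INSERT
// output shown in the question; $post and $csv below are constructed samples.
const ALLOWED_COLUMNS = ['actor_id', 'actor_display_name', 'posted_time',
                         'geo_coords_lat', 'geo_coords_lon', 'location_name'];

// Turn the posted pulldown choices (select_name_0 .. select_name_N) into a
// validated column list. Identifiers cannot be bound as placeholders, so each
// one must match the allowlist exactly before it goes into the SQL text.
function mapped_columns(array $post): array
{
    $columns = [];
    $last = (int) ($post['column_count'] ?? -1);
    for ($i = 0; $i <= $last; $i++) {
        $name = $post['select_name_' . $i] ?? '';
        if (!in_array($name, ALLOWED_COLUMNS, true) || in_array($name, $columns, true)) {
            throw new InvalidArgumentException("Bad or duplicate mapping for CSV column $i");
        }
        $columns[] = $name;
    }
    if ($columns === []) { throw new InvalidArgumentException('No columns mapped'); }
    return $columns;
}

// One "?" per column: the CSV values are bound at execute time, never quoted by hand.
function build_insert(array $columns): string
{
    $placeholders = implode(',', array_fill(0, count($columns), '?'));
    return 'INSERT INTO twitter_test (' . implode(',', $columns) . ") VALUES ($placeholders)";
}

// Constructed stand-ins for $_POST and the uploaded CSV file.
$post = ['column_count' => 2, 'select_name_0' => 'actor_id',
         'select_name_1' => 'actor_display_name', 'select_name_2' => 'location_name'];
$csv  = "101,Pat O'Brien,\"Nashville, TN\"\n102,Sam Lee,Memphis\n";

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE twitter_test (' . implode(' TEXT,', ALLOWED_COLUMNS) . ' TEXT)');

$columns = mapped_columns($post);
$stmt = $pdo->prepare(build_insert($columns));       // prepared once, executed per row
foreach (explode("\n", trim($csv)) as $line) {
    $row = str_getcsv($line, ',', '"', '');
    if (count($row) !== count($columns)) { continue; } // skip malformed rows
    $stmt->execute($row);                              // apostrophes and commas need no escaping
}
echo $pdo->query('SELECT COUNT(*) FROM twitter_test')->fetchColumn(), " rows inserted\n";
```

The apostrophe in the first sample row would break a hand-quoted VALUES string; with bound parameters it is stored as data.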
Ray Paseur Commented:
First concept to try - always omit the quotes if you do not know with absolute certainty why you need to use them.  Background understanding is in this article.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_12241-Quotation-Marks-in-PHP.html

If you want to move forward on this with my help, please post the test data set so I can set up the examples that will show you how to write this code.  Nothing here is rocket science, but I'm very busy this week and do not have time to create test data for this problem.  Thanks!
0

Brian Tao (Senior Business Solutions Consultant) Commented:
Change line #26 in your "The next page" PHP file:
// it was: $insert_statement .='$row['.$i.']';
// change it to the following:
$insert_statement .= $row[$i];

0
tel2 Commented:
Good point, Ray.

Bruce,
taoyipai seems to have just coded what Ray suggested.

For brevity, I guess you could delete lines 25 and 27 and replace line 26 with:
      $insert_statement .= "'" . $row[$i] . "'";
or even this:
      $insert_statement .= "'$row[$i]'";
since I assume you want quotes to appear around the data in the final SQL string, right?  (Note the mix of single and double quotes in both examples above.)
0
brucegust (PHP Developer, Author) Commented:
Did this:

$insert_statement .="$row[$i]";

...then made sure the code was located in a place where $row was being recognized and we were gold!

Thanks, folks!

And Ray, I did read through the documentation. Thanks!
0
tel2 Commented:
Thanks for the points, Bruce.

Although my 1st suggestion (which you seem to be using) should work, the quotes serve no purpose, so should be removed.

Did you try without the quotes, Bruce?

Or you can simplify your code by deleting lines 25 & 27 and using one of the options I gave in my last post.
0