?
Solved

How can I makes this insert statement work?

Posted on 2014-11-12
6
Medium Priority
?
97 Views
Last Modified: 2014-11-13
Here's the challenge:

You've got users uploading a CSV file in order to leverage the utility of an online tool. The tool, however, depends on consistency between the column headings of the CSV file being uploaded and the column headings in the existing database.

Yes, it would be infinitely easier to insist on some naming conventions, but until that day, here's what I came up with:

The user uploads their CSV file. The column headings are read and listed vertically with another field to the right where there's a pulldown featuring all of the possible fields corresponding to the table they're getting ready to upload their data to.

As so...

screenshot
The next page is designed to craft an insert statement based on the user's selection. I got it to work! Here's what I did:

$insert_statement = 'insert into twitter_test (';
	for($i=0; $i<=$_POST['column_count']; $i++)
	{
		if (isset($_POST['select_name_'.$i.'']) && $_POST['select_name_'.$i.'']=="")
		{
		header("location:csv_upload_error.php");
		exit();
		}
		else
		{
			$insert_statement.=$_POST['select_name_'.$i.''];
			if($i<$_POST['column_count'])
			{
				$insert_statement.=',';
			}
			else
			{
				$insert_statement.=')';
			}
		}
	}
	$insert_statement.=' VALUES (';
	for($i=0; $i<=$_POST['column_count']; $i++)
	{
	$insert_statement .='\'';
	$insert_statement .='$row['.$i.']';
	$insert_statement .='\'';
		if($i<$_POST['column_count'])
		{
			$insert_statement.=',';
		}
		else
		{
			$insert_statement.=')';
		}
	}

Open in new window


When you run this, it yields the following:

insert into twitter_test (actor_id,actor_display_name,posted_time,geo_coords_lat,geo_coords_lon,location_name) VALUES ('$row[0]','$row[1]','$row[2]','$row[3]','$row[4]','$row[5]')

Perfect! Except for one thing: The data going into the table isn't the data in the CSV file, rather it's literally "$row[0]" and so on.

So just when I think I'm crafting some clever syntax, I realize I'm not yet there.

So, how do I get line 26 ($insert_statement .='$row['.$i.']';) to be interpreted as data coming from my CSV file rather than, literally, $row[0]?

Bring it!
0
Comment
Question by:brucegust
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 12

Assisted Solution

by:tel2
tel2 earned 1200 total points
ID: 40438746
Hi Bruce,

I barely know PHP, but:
- 'Single' quotes don't allow for interpolation (i.e. the contents of the quotes will be taken literally instead of interpretted).
- "Double" quotes do.
So try this for line 26:
    $insert_statement .= "$row[$i]";

However, in general, I think the ideal way to handle user-provided data (for security and the ability to handle any characters in the data), is to use placeholders:
    http://php.net/manual/en/pdo.prepared-statements.php
In your case, if all users use your form as intended then you may not need placeholders, but if you want to guard against a hacker from doing SQL injection (for example), by posting data without using your form, then I suggest you use placeholders.
0
 
LVL 111

Accepted Solution

by:
Ray Paseur earned 800 total points
ID: 40439001
First concept to try - always omit the quotes if you do not know with absolute certainty why you need to use them.  Background understanding is in this article.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_12241-Quotation-Marks-in-PHP.html

If you want to move forward on this with my help, please post the test data set so I can set up the examples that will show you how to write this code.  Nothing here is rocket science, but I'm very busy this week and do not have time to create test data for this problem.  Thanks!
0
 
LVL 9

Expert Comment

by:Brian Tao
ID: 40439071
Change line#26 in you "The next page" php file:
// it was: $insert_statement .='$row['.$i.']';
// change it to the following:
$insert_statement .= $row[$i];

Open in new window

0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 12

Expert Comment

by:tel2
ID: 40439084
Good point, Ray.

Bruce,
taoyipai seems to have just coded what Ray suggested.

For brevity, I guess you could delete lines 25 and 27 and replace line 26 with:
      $insert_statement .= "'" . $row[$i] . "'";
or even this:
      $insert_statement .= "'$row[$i]'";
since I assume you want quotes to appear around the data in the final SQL string, right?  (Note the mix of single and double quotes in both examples above.)
0
 

Author Comment

by:brucegust
ID: 40440181
Did this:

$insert_statement .="$row[$i]";

...then made sure the code was located in a place where $row was being recognized and we were gold!

Thanks, folks!

And Ray, I did read through the documentation. Thanks!
0
 
LVL 12

Expert Comment

by:tel2
ID: 40440985
Thanks for the points, Bruce.

Although my 1st suggestion (which you seem to be using) should work, the quotes serve no purpose, so should be removed.

Did you try without the quotes, Bruce?

Or you can simplify your code by deleting lines 25 & 27 and using one of the options I gave in my last post.
0

Featured Post

7 Extremely Useful Linux Commands for Beginners

Just getting started with Linux? Here's a quick start guide that has 7 commands that we believe will come in handy.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
Suggested Courses

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question