PHP: Hypertext Preprocessor (original) (raw)

pg_insert

(PHP 4 >= 4.3.0, PHP 5, PHP 7, PHP 8)

pg_insert — Insert array into table

Description

If flags is specified,pg_convert() is applied tovalues with the specified flags.

By default pg_insert() passes raw values. Values must be escaped or the [PGSQL_DML_ESCAPE](pgsql.constants.php#constant.pgsql-dml-escape) flag must be specified in flags.[PGSQL_DML_ESCAPE](pgsql.constants.php#constant.pgsql-dml-escape) quotes and escapes parameters/identifiers. Therefore, table/column names become case sensitive.

Note that neither escape nor prepared query can protect LIKE query, JSON, Array, Regex, etc. These parameters should be handled according to their contexts. i.e. Escape/validate values.

Errors/Exceptions

A ValueError is thrown when the specified table is invalid.

A ValueError or TypeError is thrown when the value or type of field does not match properly with a PostgreSQL's type.

Changelog

Version	Description
8.3.0	Now throws a ValueError error when the specified table is invalid; previously an E_WARNING was emitted.
8.3.0	Now throws a ValueError or TypeError error when the value or type of field does not match properly with a PostgreSQL's type; previously an E_WARNING was emitted.
8.1.0	Returns an PgSql\Result instance now; previously, a resource was returned.
8.1.0	The connection parameter expects an PgSql\Connection instance now; previously, a resource was expected.

Examples

Example #1 pg_insert() example

<?php $dbconn = pg_connect('dbname=foo'); // This is safe somewhat, since all values are escaped. // However PostgreSQL supports JSON/Array. These are not // safe by neither escape nor prepared query. <math xmlns="http://www.w3.org/1998/Math/MathML"><semantics><mrow><mi>r</mi><mi>e</mi><mi>s</mi><mo>=</mo><mi>p</mi><msub><mi>g</mi><mi>i</mi></msub><mi>n</mi><mi>s</mi><mi>e</mi><mi>r</mi><mi>t</mi><mo stretchy="false">(</mo></mrow><annotation encoding="application/x-tex">res = pg_insert(</annotation></semantics></math>res=pginsert(dbconn, 'post_log', $_POST, PGSQL_DML_ESCAPE); if ($res) { echo "POST data is successfully logged\n"; } else { echo "User must have sent wrong inputs\n"; } ?>

Found A Problem?

shane at treesandthings dot com ¶

21 years ago

`Returns SQL statement, slight improvement on the code from 'rorezende at hotmail dot com'. This version adds bool values correctly.It also checks to make sure there is actually a value in the array before including it in the sql statement. (ie: null values or empty strings won't be added to the sql statement)

strn.="strn .= "strn.="name,"; strv.=(strv .= (strv.=(value ? "true":"false") . ","; continue; }; if( is_string($value)) { strn.="strn .= "strn.="name,"; strv.="′strv .= "'strv.="′value',"; continue; } if (!is_null($value) and ($value != "")) { strn.="strn .= "strn.="name,"; strv.="strv .= "strv.="value,"; continue; } } strn[strlen(strn[strlen(strn[strlen(strn)-1] = ')'; strv[strlen(strv[strlen(strv[strlen(strv)-1] = ')'; str.=str .= str.=strn . $strv; return $str; } ?>

skippy at zuavra dot net ¶

20 years ago

`Beware of the following: pg_insert() and pg_update() are adding slashes to all character-like fields they work with. This makes them SQL injection super-safe, but there are unwanted consequences, as follows:

If you have a regular setup with magic_quotes_gcp=On, and you use pg_insert() or pg_update(), you will end up with fields that look as if you used addslashes() twice. To solve this, you can use stripslashes() on the data just before using it with pg_insert() or pg_update().

There's another alternative, which seems better to me. Why make yourself crazy all over the code, adding slashes, stripping slashes, worrying whether magic_quotes_gpc is on or off and so on and so forth? Why do this, when the only place you actually need those slashes is right when you push the data into the database?

So why not get rid of your addslashes() and stripslashes() from all over your code, and turn magic_quotes_gcp off. As long as you always use pg_insert() and pg_update() to do your DB work, you're SQL-injection safe AND slash-headache free.

jsnell at e-normous dot com ¶

17 years ago

`If you need schema support, this function will do something similar to pg_insert:

function pg_insert_with_schema($connection, table,table, table,updates)
{
$schema = 'public';
if (strpos($table, '.') !== false)
list($schema, table)=explode(′.′,table) = explode('.', table)=explode(′.′,table);

if (count($updates) == 0) {
sql="INSERTINTOsql = "INSERT INTO sql="INSERTINTOschema."$table" DEFAULT VALUES";
return pg_query($sql);
} else {
sql="INSERTINTOsql = "INSERT INTO sql="INSERTINTOschema."$table" ";

$sql .= '("';
sql.=join(′","′,arraykeys(sql .= join('", "', array_keys(sql.=join(′","′,arraykeys(updates));
$sql .= '")';

$sql .= ' values (';
for($i = 0; i<count(i < count(i<count(updates); $i++)
sql.=(sql .= (sql.=(i != 0? ', ':'').'$'.($i+1);
$sql .= ')';
return pg_query_params($connection, sql,arrayvalues(sql, array_values(sql,arrayvalues(updates));
}
}

phpuser at ego dot gen dot nz ¶

13 years ago

This function cannot be used to insert a record with only default values - i.e. with an assoc_array of array()

Anonymous ¶

3 years ago

`$Result = pg_query_params($db,'INSERT INTO table1 (a, b, c) VALUES ($1,$2,$3) RETURNING *', array('1','2','3'); Row=pgfetchassoc(Row = pg_fetch_assoc(Row=pgfetchassoc(Result);
pg_insert($db, 'table2', $Row);

pg_insert fail silently if one or more fields on table2 have different names than on table1

mina86 at tlen dot pl ¶

20 years ago

`Next version :) My version checks whether value is bool, null, string or numeric and if one of the values is not function returns false if not. null values are inserted as NULL, bool as true or false and strings are add-shlashed before adding to query string. Note, that this function is not safe. SQL injection is possible with column names if you use POSTorsomethingsimilarasa_POST or something similar as a POSTorsomethingsimilarasaarray.

columns=arraykeys(columns = array_keys(columns=arraykeys(array); values=arrayvalues(values = array_values(values=arrayvalues(array); unset($array); for ( i=0,i = 0, i=0,c = count($values); iiic; ++$i) { if (is_bool($values[$i])) { values[values[values[i] = values[values[values[i]?'true':'false'; } elseif (is_null($values[$i])) { values[values[values[i] = 'NULL'; } elseif (is_string($values[$i])) { values[values[values[i] = "'" . addslashes($values[$i]) . "'"; } elseif (!is_numeric($values[$i])) { return false; } } return "INSERT INTO table(table (table(column_quote" . implode(', ', $columns) . ") VALUES (" . implode(', ', $values) . ")"; } ?>

excalibur at nospam dot icehouse dot net ¶

18 years ago

`Today at work I isolated a problem I was having with this function to how I was formatting the date. I was assigning the date in my code as follows:

$today = date( "Ymd" ); // ISO 8601

This format is acceptable to PostgreSQL, as verified by their documentation and buy tests using psql. However, to make it work in my code, I had to make the following change:

$today = date( "Y-m-d" ); // also ISO 8601 format

rorezende at hotmail dot com ¶

21 years ago

`Time is money, then I write a function similar to pg_insert in PHP (only output sql statement) :

function db_mount_insert($table,$array) {

str="insertintostr = "insert into str="insertintotable (";
while(list($name,$value) = each($array)) {
str.="str .= "str.="name,";
}
str[strlen(str[strlen(str[strlen(str)-1] = ')';
$str .= " values (";
reset($array);
while(list($name,$value) = each($array)) {
if(is_string($value))
str.="′str .= "'str.="′value',";
else
str.="str .= "str.="value,";
}
str[strlen(str[strlen(str[strlen(str)-1] = ')';
$str .= ";" ;

return $str;

}

ANDYCHR17 at HOTMAIL dot COM ¶