4

I am trying to check associative array value if it is numeric, here is my code

     $data = array('fullname'=>'Salah Saed', 'age'=>'33', 'gender'=>'Female');



public function insert($data, $table){
    /*$query =  "INSERT INTO  `oop_crud`.`customers` (";
    $query .= "`fullname` , `age` , `gender` )"; 
    $query .= "VALUES ('".$fullname."',  '".$age."',  '".$gender."')";
    */
    $feilds = array(); 
    $feilds_value = array();
    foreach ($data as $field => $field_value){

        $feilds[] = $field;

        echo $field;
        if (is_numeric($field_value)){

            $feilds_value[] = $field_value;

        }else{

            $feilds_value[] = "'".$field_value."'";
        }


    }

    $query = "INSERT INTO ".$table." (";
    $query .= implode(',', $feilds).")";
    $query .= "VALUES (";
    $query .= implode(',',$feilds_value).")";


    echo $query;

It returns string, so what is wrong with my code, in the condition section i used $field_value and this variable has array data, sow how to get array value.

Saedawke
  • 461
  • 5
  • 18
  • what is your expected output array ? – viral Jul 01 '15 at 10:49
  • please check the edited version, output must be, [all strings must have single quot and numerics must not] – Saedawke Jul 01 '15 at 10:52
  • I am guessing you are using the `mysql_` extension. First you should not be using the `mysql_` for new code. Second if you use either the `mysqli_` or PDO extension you dont have to bother with this idea when you us **Prepared Statements** – RiggsFolly Jul 01 '15 at 10:53
  • ok, you meant in MYSQL with prepared statement '33' and 33 are same for int field. – Saedawke Jul 01 '15 at 10:55

2 Answers2

4

First of all, MySQL inserts are type-independent, so

SET UserAge = '33'

is the same as

SET UserAge = 33

so you would be safer to just add quotes. That said, you're safest if you search for prepared statements using PDO (aka parametrized queries). Take a look at that

http://php.net/is_numeric is supposed to recognize values like 0x539 and 0b10100111001 which may not be recognized by MySQL; you would need to check these cases.

Oliver Williams
  • 5,966
  • 7
  • 36
  • 78
2

Here is simplified version of your function, in case you want to improve your query generator function,

function insert($data, $table){

    $column_sql = '`' . implode('`,`', array_keys($data)) . '`';

    $record_sql = "'" . implode("','", $data) . "'";

    return "INSERT INTO `{$table}` ({$column_sql}) VALUES ({$record_sql})";

}

Feeding it $data and test will give

INSERT INTO `test` (`fullname`,`age`,`gender`) VALUES ('Salah Saed','33','Female')

NOTE: Need to escape values mysqli_real_escape_string(), i'll leave that upto you, as an exercise :)

viral
  • 3,724
  • 1
  • 18
  • 32
  • 1
    Thank you very much, i have been trying prepared statement but this is clear and concise. two Thumbs Up – Saedawke Jul 01 '15 at 11:14
  • Prepared statements are easy though, mess up with em, will not take more than a day to be good at it, atleast you should use mysqli_ extensions and escape each input you are feeding to your database directly from user. – viral Jul 01 '15 at 11:18
  • Extend this function, if using mysqli_ consider [this](http://stackoverflow.com/questions/129677) to sanitize your data. Good luck ! – viral Jul 01 '15 at 11:40