0

My code:

for($i=0; $i<count($_POST['value']);$i=$i+3)
{
    $sql =  "(NULL, '".$_POST['value'][$i]."', '".$_POST['value'][$i+1]."', '".$_POST['value'][$i+2]."')";  
}
$query = "INSERT INTO 'googlemaps'.'values' ('id','lat','long','desc') VALUES ".$sql;

But I get error for this in SQL

#1064 - Erreur de syntaxe près de ''googlemaps'.'values' ('id','lat','long','desc') VALUES (NULL, '20.593684', '78.' à la ligne 1

Can some one suggest what is wrong here?

or Any other way to simplify this code?

RiggsFolly
  • 93,638
  • 21
  • 103
  • 149
user2885237
  • 61
  • 1
  • 6

1 Answers1

3

I'm going to guess you intended to insert into the googlemaps table and not a database called googlemaps with a table called values (if I'm mistaken, let me know and I'll edit my answer). So that's the first thing. The next thing is you want to use backticks not single quotes table and column names.

$query = "INSERT INTO `googlemaps` (`id`,`lat`,`long`,`desc`) VALUES ".$sql;

The backtick is a quote identifier and will prevent you from accidentally using a reserved keyword when a column or table name was intended.

The identifier quote character is the backtick (“`”) Click here to read more

Since you are not using any keywords except for desc and long, you could also write your query like this:

$query = "INSERT INTO googlemaps (id,lat,`long`,`desc`) VALUES ".$sql;

And because nobody wants to get a SQL injection, you can modify your for-loop like this:

$sql =  "(NULL, '".mysqli_escape_string($db, $_POST['value'][$i])."', '".mysqli_escape_string($db, $_POST['value'][$i+1])."', '".mysqli_escape_string($db, $_POST['value'][$i+2])."')";

mysqli_escape_string Escapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection. Read more by clicking here

It looks you are trying to do an extended insert too

Your final code would look something like this (set $db to whatever your connection variable is):

$sql = []; // define as an array
for($i=0; $i<count($_POST['value']);$i=$i+3) {
    $sql[] =  "(NULL, '".mysqli_escape_string($db, $_POST['value'][$i])."', '".mysqli_escape_string($db, $_POST['value'][$i+1])."', '".mysqli_escape_string($db, $_POST['value'][$i+2])."')";    

}
$query = "INSERT INTO googlemaps (id,lat,`long`,`desc`) VALUES ".implode(',', $sql);

Implode will join the SQL string back together comma separated

implode Join array elements with a string Read more by reading the documentation here

Clay
  • 4,700
  • 3
  • 33
  • 49
  • `mysqli_escape_string()` is an alias of http://php.net/manual/en/mysqli.real-escape-string.php and still needs a connection be passed to it `string mysqli_real_escape_string ( mysqli $link , string $escapestr )` – Funk Forty Niner Jan 01 '16 at 14:09