
I am making a really small script that allows you to make an insert query based on an array.

So the only thing that you need to do is define the $table and add an array to the function.

```php
public function makeRecord($table, $array){

    $array_keys = array_keys($array);
    $array_values = array_values($array);
    $keys = implode(',', $array_keys);
    $values = implode(',', $array_values);
    $this->DB->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $sql = "INSERT INTO $table ($keys)
    VALUES ($values)";
    return $this->DB->exec($sql);

}
```

The next code will generate an SQL query like this: `INSERT INTO Users (UserName,Password) VALUES (daan,welkom01)`.

But it needs to be

`INSERT INTO Users ('UserName', 'Password') VALUES ('daan','welkom01')`

What is the best way to fix this :)?

Daansk44
  • `implode()` doesn't care about array keys, so `array_values()` is unnecessary. Prepared statements are in order here. Have you researched this site before posting your question? – mickmackusa Apr 14 '19 at 12:32
  • You shouldn't be putting single quotes around the column names. If quotes of any kind are required, they should be backticks (`\``) – Nick Apr 14 '19 at 12:34
  • Also you'd want to implement some sort of protection against SQL injection attacks - such as using parameterized queries instead of building queries like this by yourself. – Jirka Hrazdil Apr 14 '19 at 12:35
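
The parameterized approach the comments point to, as an added example (not code from the question or from any commenter): values are bound as parameters, and table and column names, which cannot be bound, are checked against an allow-list. The `INSERTABLE` constant, the `IsAdmin` column and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list: table name => columns that callers may insert into.
const INSERTABLE = ['Users' => ['UserName', 'Password']];

function makeRecord(PDO $db, string $table, array $row): int
{
    // Identifiers cannot be bound as parameters, so validate them against the allow-list.
    $allowed = INSERTABLE[$table] ?? null;
    if ($allowed === null) {
        throw new InvalidArgumentException("Table not allowed: $table");
    }
    $columns = array_keys($row);
    if ($columns === [] || array_diff($columns, $allowed) !== []) {
        throw new InvalidArgumentException('Empty row or column not allowed');
    }

    // One "?" per value; the values never become part of the SQL text.
    $placeholders = implode(', ', array_fill(0, count($columns), '?'));
    $sql = sprintf('INSERT INTO %s (%s) VALUES (%s)', $table, implode(', ', $columns), $placeholders);

    $stmt = $db->prepare($sql);
    $stmt->execute(array_values($row));
    return $stmt->rowCount();
}

// Constructed demo on an in-memory SQLite database (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Users (UserName TEXT, Password TEXT)');

// A value containing a quote and a comma is stored verbatim instead of breaking the statement.
makeRecord($db, 'Users', ['UserName' => "d'aan, jr", 'Password' => 'welkom01']);
var_dump($db->query('SELECT UserName FROM Users')->fetchColumn());

// A column outside the allow-list is rejected before any SQL is built.
try {
    makeRecord($db, 'Users', ['UserName' => 'daan', 'IsAdmin' => 1]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```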

0 Answers