
For example:

array('u_ad'=>'example name','u_mail'=>'example@mail.com','u_sifre'=>'examplepass')

Required query:

$sql = "INSERT INTO uyeler 
          (u_ad,u_mail,u_sifre) 
        VALUES 
          ('example name','example@mail.com','examplepass')";

How do I do that?

OMG Ponies
Yusuf

3 Answers

$sql = "INSERT INTO uyeler (". implode(",", array_keys($array)) .") VALUES ('". implode("','", $array) ."')";
Gal
    Which promptly blows up if any of the values have quotes in them... You'd need at MINIMUM array_map the values through mysql_real_escape_string(). – Marc B Jul 05 '11 at 18:31
  • @Marc Did I say he shouldn't mysql_real_escape_string() it before? – Gal Jul 05 '11 at 18:32
    No, you didn't. Hence the comment, as a warning. – Marc B Jul 05 '11 at 18:33
  • Really, mysql_real_escape_string() is a problem whether I use it? – Yusuf Jul 05 '11 at 18:38
  • Yusuf, it's less of an issue if you are hardcoding the strings within your PHP code. But if the values could come from another source, then the risk goes way up. If you are getting values from a configuration file, from the user, from a database record, or some other source, using mysql_real_escape_string will protect you from SQL injection attacks. It will also ensure that the system will work as expected for users who enter special values. Consider the effect if `$u_ad` is `Scott O'Brian`, for instance. The `INSERT` will have invalid syntax using sombe's method without escaping the text. – GargantuChet Jul 06 '11 at 04:04

Quick/dirty/unsafe:

$sql = "INSERT INTO uyeler (u_ad,u_mail,u_sifre) VALUES ('" . $theArray['u_ad'] . "','" . $theArray['u_mail'] . "','" . $theArray['u_sifre'] . "')";

Better:

$ad = mysql_real_escape_string($theArray['u_ad']);
$mail = mysql_real_escape_string($theArray['u_mail']);
$sifre = mysql_real_escape_string($theArray['u_sifre']);

$sql = "INSERT INTO uyeler (u_ad,u_mail,u_sifre) VALUES ('" . $ad . "','" . $mail . "','" . $sifre . "')";
Fosco
  • @Yusuf for one, you haven't provided an example where the table name comes from... two, your version of 'directly' will not respect required columns and likely just cause errors... – Fosco Jul 05 '11 at 18:34

Don't mess around with escaping! You should be using prepared statements where possible, and using PDO is a good way to do it.

See:

Why you Should be using PHP’s PDO for Database Access
ext/mysqli: Part I - Overview and Prepared Statements

Mike
  • You mean: don't mess around with escaping when someone else can mess around with it for you? PDO is still escaping ;) {And brings overhead - oh the overhead} – Rudu Jul 05 '11 at 18:48
  • @Rudu If you are asking if I would prefer parameters to be handled for me, then yes, I would. Also, AFAIK, there is [no real escaping involved](http://stackoverflow.com/questions/1314521/how-safe-are-pdo-prepared-statements#1314549) in prepared statements, and they are a good way to [help prevent SQL injection](http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php#60496). – Mike Jul 05 '11 at 20:19
  • ...I am also happy to accept some additional overhead with PDO if it provides a degree of database agnosticism. If that overhead becomes too much for a given application, it can be optimised as necessary. PDO is just one way to do it. – Mike Jul 05 '11 at 20:20
  • I don't understand PDO. What is PDO? What does PDO do? – Yusuf Jul 05 '11 at 21:53
  • @Yusuf PDO, or PHP Data Objects "*provides a data-access abstraction layer, which means that, regardless of which database you're using, you use the same functions to issue queries and fetch data*". It provides a consistent object oriented interface between your application and RDBMS. This may be of help: [Using PDO Objects in PHP 5](http://www.devshed.com/c/a/PHP/Using-PDO-Objects-in-PHP-5/) – Mike Jul 06 '11 at 07:01
  • @Yusuf PDO *does not* rewrite or generate SQL, so using PDO does not guarantee that you can easily switch from one RDBMS to another - you would need to use a different library for that, or ensure that all of your SQL statements are compatible with each RDBMS that you plan to use. It does, however, mean that you don't need to use vendor specific PHP extensions such as mysqli or PostgreSQL, thus making your code more portable. If, as Rudu pointed out, the PDO overhead is too great for your application, or you have no need for data abstraction, you can still use a vendor specific extension. – Mike Jul 06 '11 at 07:12
  • @Yusuf There's a reasonably good explanation of the advantages and disadvantages of PDO and the mysql & mysqli extensions here: http://php.net/manual/en/mysqli.overview.php It's worth understanding the differences before you start on a project. Note that prepared statements are possible with mysqli and PDO, but not the older mysql extension. – Mike Jul 06 '11 at 07:18
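As an added example, not code from any of the answers above, this is how the insert from the question can be built with a PDO prepared statement: the array values are bound as parameters, so an apostrophe in `Scott O'Brian` is sent as data rather than SQL, and the array keys (which cannot be bound) are checked against an allow-list of column names before they are placed in the query text. The table name `uyeler`, the three columns, and the DSN and credentials are assumptions.

```php
<?php
// Build "INSERT INTO <table> (<cols>) VALUES (:col1,:col2,...)" from an
// associative array. Values go through PDO parameters; keys are validated
// against $allowedColumns because identifiers cannot be parameterised.
function buildInsert(string $table, array $row, array $allowedColumns): array
{
    $columns = array_keys($row);
    if ($columns === []) {
        throw new InvalidArgumentException('No columns to insert');
    }
    foreach ($columns as $col) {
        // Reject any key that is not a known column, so a crafted key such as
        // "u_sifre) VALUES (1,2,3); --" can never reach the SQL text.
        if (!in_array($col, $allowedColumns, true)) {
            throw new InvalidArgumentException("Unknown column: $col");
        }
    }
    // Placeholders are named after the columns: :u_ad, :u_mail, :u_sifre
    $placeholders = array_map(static fn(string $c): string => ':' . $c, $columns);
    $sql = sprintf(
        'INSERT INTO %s (%s) VALUES (%s)',
        $table,                        // a literal chosen by the caller, never user input
        implode(',', $columns),
        implode(',', $placeholders)
    );
    $params = [];
    foreach ($row as $col => $value) {
        $params[':' . $col] = $value;  // bound at execute(), not concatenated
    }
    return [$sql, $params];
}

// Constructed sample row; note the apostrophe that breaks naive concatenation.
$row = ['u_ad' => "Scott O'Brian", 'u_mail' => 'example@mail.com', 'u_sifre' => 'examplepass'];
[$sql, $params] = buildInsert('uyeler', $row, ['u_ad', 'u_mail', 'u_sifre']);
// $sql is now: INSERT INTO uyeler (u_ad,u_mail,u_sifre) VALUES (:u_ad,:u_mail,:u_sifre)

// Connection details are assumptions for this example.
$pdo = new PDO('mysql:host=localhost;dbname=example', 'dbuser', 'dbpassword', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
]);
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
```

With `ATTR_EMULATE_PREPARES` disabled the MySQL server receives the statement and the values separately, which is the property the thread's last comments describe as "no real escaping involved".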