Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
update mysql without manually tying SET statements
8 views
Skip to first unread message
apav...@gmail.com
May 16, 2012, 10:12:37 AM5/16/12
to
I am trying to setup some generic code that will allow me to update a mysql database via form and php. I can capture the data in the row of the database that I want to update. I can present that in a form populated with the existing values. What I can't figure out how to do is to avoid typing out the SET statements in the update query.
ex
$sql = "update myhugedatabase
SET
reporter = '$_POST[reporter]',
date = '$_POST[date]',
district = '$_POST[district]',
village = '$_POST[village]',
school = '$_POST[school]',
address = '$_POST[address]',
teacher = '$_POST[teacher]',
teacher_contact = '$_POST[teacher_contact]',
alt_teach = '$_POST[alt_teach]',
alt_teach_contact = '$_POST[alt_teach_contact]',
gps = '$_POST[gps]',
etc
etc
etc
The reason I want to do this is because I manage many projects all with their own variables and databases and the update is the only part that I have to type in manually.
ex
$sql = "update myhugedatabase
SET
reporter = '$_POST[reporter]',
date = '$_POST[date]',
district = '$_POST[district]',
village = '$_POST[village]',
school = '$_POST[school]',
address = '$_POST[address]',
teacher = '$_POST[teacher]',
teacher_contact = '$_POST[teacher_contact]',
alt_teach = '$_POST[alt_teach]',
alt_teach_contact = '$_POST[alt_teach_contact]',
gps = '$_POST[gps]',
etc
etc
etc
The reason I want to do this is because I manage many projects all with their own variables and databases and the update is the only part that I have to type in manually.
Shake
May 16, 2012, 10:23:12 AM5/16/12
to
El 16/05/2012 16:12, apav...@gmail.com escribi�:
$sqlString = ' UPDATE blablalba SET ';
foreach($_POST as $key => $value)
{
$sqlString .= " `$key` = '$value', ";
}
// You have to deal here a little with the last comma ;)
It's possible not all data in $_POST are fields of the database. You
could manage prefixing the indexes or other ways...
foreach($_POST as $key => $value)
{
if(!preg_match('/^my_prefix.+/',$key)) continue;
$sqlString .= " `$key` = '$value', ";
}
That's some basic ideas, but be carefull, because there are important
things to take in care when using this metodologies. Using POST data to
build SQL strings "automagically" implies taking care of sqlInjection
and thiese kind of things.
Greetings
> I am trying to setup some generic code that will allow me to update a mysql database via form and php. I can capture the data in the row of the database that I want to update. I can present that in a form populated with the existing values. What I can't figure out how to do is to avoid typing out the SET statements in the update query.
> [...]
> The reason I want to do this is because I manage many projects all with their own variables and databases and the update is the only part that I have to type in manually.
Withouth entering in details, security and best practices...
$sqlString = ' UPDATE blablalba SET ';
foreach($_POST as $key => $value)
{
$sqlString .= " `$key` = '$value', ";
}
// You have to deal here a little with the last comma ;)
It's possible not all data in $_POST are fields of the database. You
could manage prefixing the indexes or other ways...
foreach($_POST as $key => $value)
{
if(!preg_match('/^my_prefix.+/',$key)) continue;
$sqlString .= " `$key` = '$value', ";
}
That's some basic ideas, but be carefull, because there are important
things to take in care when using this metodologies. Using POST data to
build SQL strings "automagically" implies taking care of sqlInjection
and thiese kind of things.
Greetings
Thomas 'PointedEars' Lahn
May 16, 2012, 12:06:57 PM5/16/12
to
Shake wrote:
> El 16/05/2012 16:12, apav...@gmail.com escribió:
>> I am trying to setup some generic code that will allow me to update a
>> mysql database via form and php. I can capture the data in the row of
>> the database that I want to update. I can present that in a form
>> populated with the existing values. What I can't figure out how to do is
>> to avoid typing out the SET statements in the update query.
>> [...]
>> The reason I want to do this is because I manage many projects all with
>> their own variables and databases and the update is the only part that I
>> have to type in manually.
>
> Withouth entering in details, security and best practices...
>
> $sqlString = ' UPDATE blablalba SET ';
The leading space does not make sense.
> foreach($_POST as $key => $value)
> {
> $sqlString .= " `$key` = '$value', ";
> }
>
> // You have to deal here a little with the last comma ;)
That is one reason why you should _not_ build queries that way, but at least
join an array instead. See also <news:1762069.Z...@PointedEars.de>.
> It's possible not all data in $_POST are fields of the database. You
> could manage prefixing the indexes or other ways...
>
> foreach($_POST as $key => $value)
> {
> if(!preg_match('/^my_prefix.+/',$key)) continue;
> $sqlString .= " `$key` = '$value', ";
> }
Or you filter out the items that you do not want, by key, using the
array_filter() function, which also returns the array to join that
I mentioned above.
<http://php.net/array_filter>
PointedEars
--
Sometimes, what you learn is wrong. If those wrong ideas are close to the
root of the knowledge tree you build on a particular subject, pruning the
bad branches can sometimes cause the whole tree to collapse.
-- Mike Duffy in cljs, <news:Xns9FB6521286...@94.75.214.39>
> El 16/05/2012 16:12, apav...@gmail.com escribió:
>> I am trying to setup some generic code that will allow me to update a
>> mysql database via form and php. I can capture the data in the row of
>> the database that I want to update. I can present that in a form
>> populated with the existing values. What I can't figure out how to do is
>> to avoid typing out the SET statements in the update query.
>> [...]
>> The reason I want to do this is because I manage many projects all with
>> their own variables and databases and the update is the only part that I
>> have to type in manually.
>
> Withouth entering in details, security and best practices...
>
> $sqlString = ' UPDATE blablalba SET ';
> foreach($_POST as $key => $value)
> {
> $sqlString .= " `$key` = '$value', ";
> }
>
> // You have to deal here a little with the last comma ;)
join an array instead. See also <news:1762069.Z...@PointedEars.de>.
> It's possible not all data in $_POST are fields of the database. You
> could manage prefixing the indexes or other ways...
>
> foreach($_POST as $key => $value)
> {
> if(!preg_match('/^my_prefix.+/',$key)) continue;
> $sqlString .= " `$key` = '$value', ";
> }
array_filter() function, which also returns the array to join that
I mentioned above.
<http://php.net/array_filter>
PointedEars
--
Sometimes, what you learn is wrong. If those wrong ideas are close to the
root of the knowledge tree you build on a particular subject, pruning the
bad branches can sometimes cause the whole tree to collapse.
-- Mike Duffy in cljs, <news:Xns9FB6521286...@94.75.214.39>
M. Strobel
May 16, 2012, 4:48:24 PM5/16/12
to
column you want to save in the database. There is no getting around it. You must do
it at least once for every table.
You would normally do even more: apply some test/validation on every field, and make
sure required fields are not empty, and number fields contain numbers...
You do this nowadays with prepared statements, to be protected against SQL injection
attacks.
If you want generic code, you must define the fields and their properties somewhere
else in your code, this is normally not less work.
/Str.
bill
May 17, 2012, 7:09:44 AM5/17/12
to
just do a REPLACE instead of the UPDATE
bill
IRC
May 17, 2012, 7:14:52 AM5/17/12
to
On May 16, 9:48 pm, "M. Strobel" <sorry_no_mail_h...@nowhere.dee>
wrote:
I agree with Strobel.
You have to create a function once (which can be generic) which will
process your update statement and you just pass an array of $_POST
data into that function and it will process it accordingly.
It may be worthwhile to look into ADODB database library found on php
http://adodb.sourceforge.net/
wrote:
You have to create a function once (which can be generic) which will
process your update statement and you just pass an array of $_POST
data into that function and it will process it accordingly.
It may be worthwhile to look into ADODB database library found on php
http://adodb.sourceforge.net/
apav...@gmail.com
May 17, 2012, 2:06:16 PM5/17/12
to
Shake's suggestion worked exactly how I needed it to work. I had to substring some things off as he said, but all in all, was just what was needed.
Thanks!!!!
On Wednesday, May 16, 2012 10:23:12 AM UTC-4, Shake wrote:
> El 16/05/2012 16:12, apav...@gmail.com escribi�:
Shake
May 17, 2012, 3:06:51 PM5/17/12
to
apav...@gmail.com a écrit :
practices"
This means that I explained "the basic" but there are better
"aproximations" to resolve this problem.
And some of them had been explained in this thread. The fact is that
usually are a better way to do the same.
Greetings
> Shake's suggestion worked exactly how I needed it to work. I had to
> substring some things off as he said, but all in all, was just what was
> needed.
>
> Thanks!!!!
>
But remeber, I said "Withouth entering in details, security and best
> substring some things off as he said, but all in all, was just what was
> needed.
>
> Thanks!!!!
>
practices"
This means that I explained "the basic" but there are better
"aproximations" to resolve this problem.
And some of them had been explained in this thread. The fact is that
usually are a better way to do the same.
Greetings
Erwin Moller
May 18, 2012, 4:49:18 AM5/18/12
to
But prepared statements are just one way to avoid SQL injection.
One could also simply use the right string-escape-function.
Both approaches are OK.
Regards,
Erwin Moller
--
"That which can be asserted without evidence, can be dismissed without
evidence."
-- Christopher Hitchens
0 new messages