Re: [PHP-DB] pg_insert tyro question

2005-08-23 Thread Jon Crump

Micah,

As a tyro, I'm curious AND cautious: belt AND suspenders is best.

When you say:

assign the values needed into another array before submitting to the database


I presume you mean something like this, yes?

/*Create arrays for each of the tables*/
$coretable = array_slice($_POST, 0, 33);
$creatable = array_slice($_POST, 33, 5);
$subjectable = array_slice($_POST, 38, 2);
$stypertable = array_slice($_POST, 40, 2);
$cultable = array_slice($_POST, 42, 2);
$matertable = array_slice($_POST, 44, 6);

But while my own sanity is _certainly_ in question (I rue the day I
agreed to do this project, however educational it has been), you seem
to be using sanity check in a technical sense. What exactly would
that be, when it's at home, and what would it look like?


Thanks all for the good advice!

Jon


On Aug 22, 2005, at 4:22 PM, mike burnard wrote:

I certainly agree with that Micah.  array_pop only removes that
last item.  If you are in an open environment you definitely want
to include security checks and form validation.


-mike
On Aug 22, 2005, at 4:07 PM, Micah Stevens wrote:




This is tenuous and insecure, you have no control over the $_POST array, only
the submitting page does, I'd do a sanity check, and assign the values needed
into another array before submitting to the database.

This is also primed for a SQL injection attack.

Bad idea.. IMHO..

-Micah


--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
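
One shape the "sanity check" asked about above can take, as an added example that is not part of the original thread: copy only allow-listed fields out of the request, validate each one, and hand pg_insert() that array instead of $_POST. The column names, rules and sample input are hypothetical, since the thread does not list the columns of vracore.

```php
<?php
// Added example. Column names and rules are hypothetical; the thread never lists them.
const FIELD_RULES = [
    'title'     => ['required' => true,  'max' => 200],
    'creator'   => ['required' => false, 'max' => 100],
    'date_made' => ['required' => false, 'pattern' => '/^\d{4}(-\d{2}){0,2}$/D'],
    'accession' => ['required' => true,  'pattern' => '/^[A-Z0-9.-]{1,32}$/D'],
];

/**
 * Copy only the expected fields out of untrusted input, validating each one.
 * Returns [row, errors]; pass row to pg_insert() only when errors is empty.
 */
function build_row(array $input, array $rules): array
{
    $row = [];
    $errors = [];
    foreach ($rules as $field => $rule) {
        $value = $input[$field] ?? '';
        if (!is_string($value)) {            // e.g. title[]=x arrives as an array
            $errors[$field] = 'not a string';
            continue;
        }
        $value = trim($value);
        if ($value === '') {
            if ($rule['required']) {
                $errors[$field] = 'missing';
            }
            continue;                         // optional and empty: leave column unset
        }
        if (isset($rule['max']) && strlen($value) > $rule['max']) {
            $errors[$field] = 'too long';
        } elseif (isset($rule['pattern']) && !preg_match($rule['pattern'], $value)) {
            $errors[$field] = 'bad format';
        } else {
            $row[$field] = $value;
        }
    }
    return [$row, $errors];
}

// Constructed sample standing in for $_POST: submit button plus an unexpected key.
$post = ['title' => 'Bayeux Tapestry', 'accession' => 'VR.2005-17', 'date_made' => '1070',
         'addentry' => 'Add Entry', 'is_admin' => '1'];
[$row, $errors] = build_row($post, FIELD_RULES);
print_r($errors ? $errors : $row);
// With a live connection $db: if (!$errors) { $res = pg_insert($db, 'vracore', $row); }
```

Unlike array_pop($_POST), this does not depend on the order or number of submitted fields, so extra keys such as addentry never reach the database call.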



RE: [PHP-DB] pg_insert tyro question

2005-08-22 Thread Bastien Koert

To further append the previous note,

if you want to insert the array, you need to serialize it 
(www.php.net/serialize) to make the array db safe


if you want to insert the individual specific values, you will need to 
implode the array with separators (and check the data in the correct order 
for the field list) or you will need to supply a field list that matches the 
array list to ensure the data elements are placed into the correct columns


Bastien



From: Jon Crump [EMAIL PROTECTED]
To: php-db@lists.php.net
Subject: [PHP-DB] pg_insert tyro question
Date: Mon, 22 Aug 2005 14:34:03 -0700 (PDT)

Being a tyro, I'm sure I'm missing something obvious about handling the 
array $_POST. I hope wiser heads can point me in the right direction.


This fails:

<?php
$db = pg_connect("dbname=foo user=bar");

if ($db) {
  print "Successfully connected to port: " . pg_port($db) . "<br/>\n";
} else {
  // connection failed, so there is no resource to pass to pg_last_error()
  print "Could not connect to the database";
  exit;
}

$res = pg_insert($db, 'vracore', $_POST);
if ($res) {
  echo "You're a Genius";
} else {
  print_r($_POST);
  exit;
}

pg_close($db);
?>

The connection string works fine. If I insert each field in $_POST 
separately, that works fine too eg.


$value1 = $_POST['value1'];
$value2 = $_POST['value2'];
etc...

$query = "insert into foo (columnname1, columnname2, etc...) values
($value1, $value2, etc...);";


$result = pg_exec($db, $query);

But if I try pg_insert($db, 'foo', $_POST);

it fails. I note that print_r ($_POST) returns a list of values that
includes [addentry] => Add Entry from the submit button. Is that what's
screwing it up?


Any clues would be much appreciated.

Jon




Re: [PHP-DB] pg_insert tyro question

2005-08-22 Thread Micah Stevens

Or if you need to store all the values, you could normalize the table field 
into another table.

-Micah 

On Monday 22 August 2005 3:19 pm, Bastien Koert wrote:
 To further append the previous note,

 if you want to insert the array, you need to serialize it
 (www.php.net/serialize) to make the array db safe

 if you want to insert the individual specific values, you will need to
 implode the array with separators (and check the data in the correct order
 for the field list) or you will need to supply a field list that matches
 the array list to ensure the data elements are placed into the correct
 columns

 Bastien

 From: Jon Crump [EMAIL PROTECTED]
 To: php-db@lists.php.net
 Subject: [PHP-DB] pg_insert tyro question
 Date: Mon, 22 Aug 2005 14:34:03 -0700 (PDT)
 
 Being a tyro, I'm sure I'm missing something obvious about handling the
 array $_POST. I hope wiser heads can point me in the right direction.
 
 This fails:
 
 <?php
 $db = pg_connect("dbname=foo user=bar");
 
 if ($db) {
   print "Successfully connected to port: " . pg_port($db) . "<br/>\n";
 } else {
   // connection failed, so there is no resource to pass to pg_last_error()
   print "Could not connect to the database";
   exit;
 }
 
 $res = pg_insert($db, 'vracore', $_POST);
 if ($res) {
   echo "You're a Genius";
 } else {
   print_r($_POST);
   exit;
 }
 
 pg_close($db);
 ?>
 
 The connection string works fine. If I insert each field in $_POST
 separately, that works fine too eg.
 
 $value1 = $_POST['value1'];
 $value2 = $_POST['value2'];
 etc...
 
 $query = "insert into foo (columnname1, columnname2, etc...) values
 ($value1, $value2, etc...);";
 
 $result = pg_exec($db, $query);
 
 But if I try pg_insert($db, 'foo', $_POST);
 
 it fails. I note that print_r ($_POST) returns a list of values that
 includes [addentry] => Add Entry from the submit button. Is that what's
 screwing it up?
 
 Any clues would be much appreciated.
 
 Jon
 



Re: [PHP-DB] pg_insert tyro question

2005-08-22 Thread Jon Crump

Thanks mike! that did the trick. This works:

array_pop($_POST);
/* this gets rid of the last element of $_POST which is 'addentry' from
the form's submit button. $_POST now contains ONLY the values expected by
pg_insert. By the way, the order of the values in $_POST does not seem to
matter, only that there are exactly as many as there are columns in the
table and their names match the columns exactly.*/

$res = pg_insert($db, 'foo', $_POST);
if ($res) {
  echo "You're a Genius";
} else {
  print pg_last_error($db);
  exit;
}

On Mon, 22 Aug 2005, mike burnard wrote:

It very likely is the error.  you can use array_pop($_POST); to remove that
last line.  You can always have your insert function return an error on
failure. <snip />


By the way Bastian and John, thanks for responding to my pg_connect 
question some days ago. Installing Marc Liyanage's distribution did the 
trick!


Thanks too to Bastian and Micah.

Or if you need to store all the values, you could normalize the table field
into another table.


-Micah

On Monday 22 August 2005 3:19 pm, Bastien Koert wrote:

To further append the previous note,

if you want to insert the array, you need to serialize it
(www.php.net/serialize) to make the array db safe

if you want to insert the individual specific values, you will need to
implode the array with separators (and check the data in the correct order
for the field list) or you will need to supply a field list that matches
the array list to ensure the data elements are placed into the correct
columns

Bastien


I'm not sure what any of this means, but it didn't turn out to be 
necessary.


Jon




Re: [PHP-DB] pg_insert tyro question

2005-08-22 Thread Micah Stevens

This is tenuous and insecure, you have no control over the $_POST array, only 
the submitting page does, I'd do a sanity check, and assign the values needed 
into another array before submitting to the database.

This is also primed for a SQL injection attack.

Bad idea.. IMHO.. 

-Micah 

On Monday 22 August 2005 3:52 pm, Jon Crump wrote:
 Thanks mike! that did the trick. This works:

 array_pop($_POST);
 /* this gets rid of the last element of $_POST which is 'addentry' from
 the form's submit button. $_POST now contains ONLY the values expected by
 pg_insert. By the way, the order of the values in $_POST does not seem to
 matter, only that there are exactly as many as there are columns in the
 table and their names match the columns exactly.*/

 $res = pg_insert($db, 'foo', $_POST);
 if ($res) {
   echo "You're a Genius";
 } else {
   print pg_last_error($db);
   exit;
 }

 On Mon, 22 Aug 2005, mike burnard wrote:
  It very likely is the error.  you can use array_pop($_POST); to remove
  that last line.  You can always have your insert function return an error
  on failure. <snip />

 By the way Bastian and John, thanks for responding to my pg_connect
 question some days ago. Installing Marc Liyanage's distribution did the
 trick!

 Thanks too to Bastian and Micah.

 Or if you need to store all the values, you could normalize the table field
 into another table.

 -Micah

 On Monday 22 August 2005 3:19 pm, Bastien Koert wrote:
  To further append the previous note,
 
  if you want to insert the array, you need to serialize it
  (www.php.net/serialize) to make the array db safe
 
  if you want to insert the individual specific values, you will need to
  implode the array with separators (and check the data in the correct order
  for the field list) or you will need to supply a field list that matches
  the array list to ensure the data elements are placed into the correct
  columns
 
  Bastien

 I'm not sure what any of this means, but it didn't turn out to be
 necessary.

 Jon




Re: [PHP-DB] pg_insert tyro question

2005-08-22 Thread mike burnard
I certainly agree with that Micah.  array_pop only removes that last
item.  If you are in an open environment you definitely want to
include security checks and form validation.


-mike
On Aug 22, 2005, at 4:07 PM, Micah Stevens wrote:



This is tenuous and insecure, you have no control over the $_POST array, only
the submitting page does, I'd do a sanity check, and assign the values needed
into another array before submitting to the database.

This is also primed for a SQL injection attack.

Bad idea.. IMHO..

-Micah

On Monday 22 August 2005 3:52 pm, Jon Crump wrote:

Thanks mike! that did the trick. This works:

array_pop($_POST);
/* this gets rid of the last element of $_POST which is 'addentry' from
the form's submit button. $_POST now contains ONLY the values expected by
pg_insert. By the way, the order of the values in $_POST does not seem to
matter, only that there are exactly as many as there are columns in the
table and their names match the columns exactly.*/

$res = pg_insert($db, 'foo', $_POST);
if ($res) {
  echo "You're a Genius";
} else {
  print pg_last_error($db);
  exit;
}

On Mon, 22 Aug 2005, mike burnard wrote:
It very likely is the error.  you can use array_pop($_POST); to remove
that last line.  You can always have your insert function return an error
on failure. <snip />


By the way Bastian and John, thanks for responding to my pg_connect
question some days ago. Installing Marc Liyanage's distribution did the
trick!

Thanks too to Bastian and Micah.


Or if you need to store all the values, you could normalize the table field
into another table.


-Micah

On Monday 22 August 2005 3:19 pm, Bastien Koert wrote:

To further append the previous note,

if you want to insert the array, you need to serialize it
(www.php.net/serialize) to make the array db safe

if you want to insert the individual specific values, you will need to
implode the array with separators (and check the data in the correct order
for the field list) or you will need to supply a field list that matches
the array list to ensure the data elements are placed into the correct
columns

Bastien


I'm not sure what any of this means, but it didn't turn out to be
necessary.

Jon



