Re: [PHP-DB] pg_insert tyro question
Micah,

As a tyro, I'm curious AND cautious: belt AND suspenders is best. When you say:

> assign the values needed into another array before submitting to the database

I presume you mean something like this, yes?

    /* Create arrays for each of the tables */
    $coretable = array_slice($_POST, 0, 33);
    $creatable = array_slice($_POST, 33, 5);
    $subjectable = array_slice($_POST, 38, 2);
    $stypertable = array_slice($_POST, 40, 2);
    $cultable = array_slice($_POST, 42, 2);
    $matertable = array_slice($_POST, 44, 6);

But while my own sanity is _certainly_ in question (I rue the day I agreed to do this project, however educational it has been), you seem to be using sanity check in a technical sense. What exactly would that be, when it's at home, and what would it look like?

Thanks all for the good advice!

Jon

On Aug 22, 2005, at 4:22 PM, mike burnard wrote:

> I certainly agree with that, Micah. array_pop only removes that last item. If you are in an open environment you definitely want to include security checks and form validation.
>
> -mike
>
> On Aug 22, 2005, at 4:07 PM, Micah Stevens wrote:
>
>> This is tenuous and insecure: you have no control over the $_POST array, only the submitting page does. I'd do a sanity check, and assign the values needed into another array before submitting to the database. This is also primed for a SQL injection attack. Bad idea.. IMHO..
>>
>> -Micah

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
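One shape the "sanity check, then assign the values needed into another array" advice can take, as an added example that is not part of the original thread: the server names the fields it expects and copies only those, so the result no longer depends on how many keys the client sent or in what order. The column names and validation rules are assumptions for illustration; only the table name 'vracore' and the 'addentry' submit field come from the messages.

```php
<?php
// Added example. Column names and rules are assumptions; only the table
// name 'vracore' and the 'addentry' submit field come from the thread.
const VRACORE_FIELDS = [
    'title'   => ['required' => true,  'max' => 200],
    'creator' => ['required' => false, 'max' => 100],
    'year'    => ['required' => false, 'max' => 4, 'pattern' => '/^\d{4}\z/'],
];

// Copy only the expected fields out of the request, validating each one.
// Keys not listed in $fields (e.g. 'addentry') are never copied.
function build_row(array $post, array $fields): array
{
    $row = [];
    $errors = [];
    foreach ($fields as $name => $rule) {
        $value = $post[$name] ?? '';
        if (!is_string($value)) {            // title[]=x arrives as an array
            $errors[] = "$name: expected a single string";
            continue;
        }
        $value = trim($value);
        if ($value === '') {
            if ($rule['required']) {
                $errors[] = "$name: required";
            }
            continue;
        }
        if (strlen($value) > $rule['max']) {
            $errors[] = "$name: longer than {$rule['max']} bytes";
        } elseif (isset($rule['pattern']) && !preg_match($rule['pattern'], $value)) {
            $errors[] = "$name: bad format";
        } else {
            $row[$name] = $value;
        }
    }
    return [$row, $errors];
}

// Constructed stand-in for $_POST: two expected fields, the submit button,
// and a key the form never defined.
$post = ['title' => ' Book of Hours ', 'year' => '1405',
         'addentry' => 'Add Entry', 'id' => '999'];
[$row, $errors] = build_row($post, VRACORE_FIELDS);
print_r($row);
print_r($errors);

// With a live connection $db, only the vetted array reaches the database:
//   if (!$errors) { $res = pg_insert($db, 'vracore', $row); }
```

Unlike array_pop() or array_slice() by position, this keeps working when a client adds, drops or reorders fields, because the key list is fixed on the server.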
RE: [PHP-DB] pg_insert tyro question
To further append the previous note, if you want to insert the array, you need to serialize it (www.php.net/serialize) to make the array db safe. If you want to insert the individual specific values, you will need to implode the array with separators (and check the data in the correct order for the field list), or you will need to supply a field list that matches the array list to ensure the data elements are placed into the correct columns.

Bastien

From: Jon Crump [EMAIL PROTECTED]
To: php-db@lists.php.net
Subject: [PHP-DB] pg_insert tyro question
Date: Mon, 22 Aug 2005 14:34:03 -0700 (PDT)

> Being a tyro, I'm sure I'm missing something obvious about handling the array $_POST. I hope wiser heads can point me in the right direction.
>
> This fails:
>
>     <?php
>     $db = pg_connect("dbname=foo user=bar");
>     if ($db) {
>         print "Successfully connected to port: " . pg_port($db) . "<br/>\n";
>     } else {
>         print pg_last_error($db);
>         exit;
>     }
>     $res = pg_insert($db, 'vracore', $_POST);
>     if ($res) {
>         echo "You're a Genius";
>     } else {
>         print_r($_POST);
>         exit;
>     }
>     pg_Close($db);
>     ?>
>
> The connection string works fine. If I insert each field in $_POST separately, that works fine too, e.g.
>
>     $value1 = $_POST['value1'];
>     $value2 = $_POST['value2'];
>     etc...
>     $query = "insert into foo (columnname1, columnname2, etc...) values ($value1, $value2, etc...);";
>     $result = pg_exec($db, $query);
>
> But if I try
>
>     pg_insert($db, 'foo', $_POST);
>
> it fails. I note that print_r($_POST) returns a list of values that includes
>
>     [addentry] => Add Entry
>
> from the submit button. Is that what's screwing it up?
>
> Any clues would be much appreciated.
>
> Jon
Re: [PHP-DB] pg_insert tyro question
Or if you need to store all the values, you could normalize the table field into another table.

-Micah

On Monday 22 August 2005 3:19 pm, Bastien Koert wrote:

> To further append the previous note, if you want to insert the array, you need to serialize it (www.php.net/serialize) to make the array db safe. If you want to insert the individual specific values, you will need to implode the array with separators (and check the data in the correct order for the field list), or you will need to supply a field list that matches the array list to ensure the data elements are placed into the correct columns.
>
> Bastien
>
> From: Jon Crump [EMAIL PROTECTED]
> To: php-db@lists.php.net
> Subject: [PHP-DB] pg_insert tyro question
> Date: Mon, 22 Aug 2005 14:34:03 -0700 (PDT)
>
>> Being a tyro, I'm sure I'm missing something obvious about handling the array $_POST. I hope wiser heads can point me in the right direction.
>>
>> This fails:
>>
>>     <?php
>>     $db = pg_connect("dbname=foo user=bar");
>>     if ($db) {
>>         print "Successfully connected to port: " . pg_port($db) . "<br/>\n";
>>     } else {
>>         print pg_last_error($db);
>>         exit;
>>     }
>>     $res = pg_insert($db, 'vracore', $_POST);
>>     if ($res) {
>>         echo "You're a Genius";
>>     } else {
>>         print_r($_POST);
>>         exit;
>>     }
>>     pg_Close($db);
>>     ?>
>>
>> The connection string works fine. If I insert each field in $_POST separately, that works fine too, e.g.
>>
>>     $value1 = $_POST['value1'];
>>     $value2 = $_POST['value2'];
>>     etc...
>>     $query = "insert into foo (columnname1, columnname2, etc...) values ($value1, $value2, etc...);";
>>     $result = pg_exec($db, $query);
>>
>> But if I try
>>
>>     pg_insert($db, 'foo', $_POST);
>>
>> it fails. I note that print_r($_POST) returns a list of values that includes
>>
>>     [addentry] => Add Entry
>>
>> from the submit button. Is that what's screwing it up?
>>
>> Any clues would be much appreciated.
>>
>> Jon
Re: [PHP-DB] pg_insert tyro question
Thanks mike! That did the trick. This works:

    array_pop($_POST);
    /* This gets rid of the last element of $_POST, which is 'addentry' from
       the form's submit button. $_POST now contains ONLY the values expected
       by pg_insert. By the way, the order of the values in $_POST does not
       seem to matter, only that there are exactly as many as there are
       columns in the table and their names match the columns exactly. */
    $res = pg_insert($db, 'foo', $_POST);
    if ($res) {
        echo "You're a Genius";
    } else {
        print pg_last_error($db);
        exit;
    }

On Mon, 22 Aug 2005, mike burnard wrote:

> It very likely is the error. You can use array_pop($_POST); to remove that last line. You can always have your insert function return an error on failure.

<snip />

By the way Bastien and John, thanks for responding to my pg_connect question some days ago. Installing Marc Liyanage's distribution did the trick!

Thanks too to Bastien and Micah.

> Or if you need to store all the values, you could normalize the table field into another table.
>
> -Micah
>
> On Monday 22 August 2005 3:19 pm, Bastien Koert wrote:
>
>> To further append the previous note, if you want to insert the array, you need to serialize it (www.php.net/serialize) to make the array db safe. If you want to insert the individual specific values, you will need to implode the array with separators (and check the data in the correct order for the field list), or you will need to supply a field list that matches the array list to ensure the data elements are placed into the correct columns.
>>
>> Bastien

I'm not sure what any of this means, but it didn't turn out to be necessary.

Jon
Re: [PHP-DB] pg_insert tyro question
This is tenuous and insecure: you have no control over the $_POST array, only the submitting page does. I'd do a sanity check, and assign the values needed into another array before submitting to the database. This is also primed for a SQL injection attack. Bad idea.. IMHO..

-Micah

On Monday 22 August 2005 3:52 pm, Jon Crump wrote:

> Thanks mike! That did the trick. This works:
>
>     array_pop($_POST);
>     /* This gets rid of the last element of $_POST, which is 'addentry' from
>        the form's submit button. $_POST now contains ONLY the values expected
>        by pg_insert. By the way, the order of the values in $_POST does not
>        seem to matter, only that there are exactly as many as there are
>        columns in the table and their names match the columns exactly. */
>     $res = pg_insert($db, 'foo', $_POST);
>     if ($res) {
>         echo "You're a Genius";
>     } else {
>         print pg_last_error($db);
>         exit;
>     }
>
> On Mon, 22 Aug 2005, mike burnard wrote:
>
>> It very likely is the error. You can use array_pop($_POST); to remove that last line. You can always have your insert function return an error on failure.
>
> <snip />
>
> By the way Bastien and John, thanks for responding to my pg_connect question some days ago. Installing Marc Liyanage's distribution did the trick!
>
> Thanks too to Bastien and Micah.
>
>> Or if you need to store all the values, you could normalize the table field into another table.
>>
>> -Micah
>>
>> On Monday 22 August 2005 3:19 pm, Bastien Koert wrote:
>>
>>> To further append the previous note, if you want to insert the array, you need to serialize it (www.php.net/serialize) to make the array db safe. If you want to insert the individual specific values, you will need to implode the array with separators (and check the data in the correct order for the field list), or you will need to supply a field list that matches the array list to ensure the data elements are placed into the correct columns.
>>>
>>> Bastien
>
> I'm not sure what any of this means, but it didn't turn out to be necessary.
>
> Jon
Re: [PHP-DB] pg_insert tyro question
I certainly agree with that, Micah. array_pop only removes that last item. If you are in an open environment you definitely want to include security checks and form validation.

-mike

On Aug 22, 2005, at 4:07 PM, Micah Stevens wrote:

> This is tenuous and insecure: you have no control over the $_POST array, only the submitting page does. I'd do a sanity check, and assign the values needed into another array before submitting to the database. This is also primed for a SQL injection attack. Bad idea.. IMHO..
>
> -Micah
>
> On Monday 22 August 2005 3:52 pm, Jon Crump wrote:
>
>> Thanks mike! That did the trick. This works:
>>
>>     array_pop($_POST);
>>     /* This gets rid of the last element of $_POST, which is 'addentry' from
>>        the form's submit button. $_POST now contains ONLY the values expected
>>        by pg_insert. By the way, the order of the values in $_POST does not
>>        seem to matter, only that there are exactly as many as there are
>>        columns in the table and their names match the columns exactly. */
>>     $res = pg_insert($db, 'foo', $_POST);
>>     if ($res) {
>>         echo "You're a Genius";
>>     } else {
>>         print pg_last_error($db);
>>         exit;
>>     }
>>
>> On Mon, 22 Aug 2005, mike burnard wrote:
>>
>>> It very likely is the error. You can use array_pop($_POST); to remove that last line. You can always have your insert function return an error on failure.
>>
>> <snip />
>>
>> By the way Bastien and John, thanks for responding to my pg_connect question some days ago. Installing Marc Liyanage's distribution did the trick!
>>
>> Thanks too to Bastien and Micah.
>>
>>> Or if you need to store all the values, you could normalize the table field into another table.
>>>
>>> -Micah
>>>
>>> On Monday 22 August 2005 3:19 pm, Bastien Koert wrote:
>>>
>>>> To further append the previous note, if you want to insert the array, you need to serialize it (www.php.net/serialize) to make the array db safe. If you want to insert the individual specific values, you will need to implode the array with separators (and check the data in the correct order for the field list), or you will need to supply a field list that matches the array list to ensure the data elements are placed into the correct columns.
>>>>
>>>> Bastien
>>
>> I'm not sure what any of this means, but it didn't turn out to be necessary.
>>
>> Jon