tags:

views:

64

answers:

3
Q: 

Will using the php function "insert into" create new columns if they aren't already defined, or return an error?

I'd like to use a foreach loop to insert a _POST associative array into a database using INSERT INTO.

What I need to know, is if my _POST data contains keys that don't match the columns of my database, will INSERT INTO simply create these columns in the database?

if not, will it return an error and not update my database at all? or will it return an error but still update my database with as many valid entries as possible?

I'd prefer the last situation. This is what I'm looking to do:

A user fills out a form with mulitple fields -> I do something with the responses in _POST, maybe some calculations in javascript, or send an email -> I store some, but not all, of the fields in my database for future reference, looping through the array and storing everything that matches seems to be the simplest way to do this.

Ideally, I'd like to be able to reuse this code in different situations so here I'm looking to gain a more detailed and subtle understanding of how INSERT INTO operates.

A: 

It will error and the insert will fail.

Zerofiz  2010-03-03 01:37:26
+1  A: 

INSERT INTO will insert the values into fields that already exist, if they don't exist, an error occurs. If you insert one record per query , then if one row cannot be inserted, the next row will.

A warning though: You should look into SQL Injections. Taking data sent by the user and not validating or escaping it is very dangerous. A malicious user could easily delete all records in your database, or retrieve sensitive user data if you are not careful.

There are lots of good questions on SQL Injections on Stack Overflow and on the Internet in general.

Marius  2010-03-03 01:40:35
ok, I'm planning to use codeigniter's inbuilt active record functions to actually do the inserting. I've been lead to believe that should escape data properly and clean it up to avoid an injection attack.
David Meister  2010-03-03 01:43:08
+3  A: 

Attempting to insert into columns that do not exist will cause an error, and no row will be inserted.

Why not just define an associative array in your PHP file that lists the columns in your DB, and then check to see if each field is a member of that array before including it in the INSERT?

$allowed_columns = array(
   "name" => 1,
   "phone" => 1,
   "address" => 1
);

foreach($_POST as $key => $val) {
    if(!isset($allowed_columns[$key])) continue;
    //otherwise, add this field after properly
    //validating/escaping the contents of $val
}
Amber  2010-03-03 01:41:19
yep, sounds good. Ideally I'd like to go both ways, and generate the $allowed_columns array automagically out of whatever database I point this function at. When I start a new project, I just want to set up a database, and a form in my HTML and then drop this "black box" between the two.
David Meister  2010-03-03 01:56:16
"I'd like to... generate the $allowed_columns array automagically out of whatever database I point this function at." Just a warning, since I built a library that did that once: all those SHOW COLUMNS statements add up fast. If you're doing more than a table or two, you should plan on caching the schema metadata. And then you have to invalidate that cache when the schema changes. It gets pretty complicated pretty fast.
Frank Farmer  2010-03-03 02:11:54
It'd probably be far simpler to write a separate script that looks at your database, and then modifies a configuration file for your PHP project (and saves it to disk) to work with whatever you've configured in your DB. Since your schema isn't going to be changing from request to request, it makes more sense to only ever bother with examining the schema once.
Amber  2010-03-03 02:31:14

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL