I am creating an application where I am generating pins dynamically based on the user's input and storing them in a MySQL database. What I would like to do is roughly this (the loop inside the query string is pseudocode for "one value group per generated pin"; column names should be in backticks, not single quotes, for MySQL):

$sql = "INSERT INTO tblpin (`pinId`, `ownerId`, `usedby`, `status`)
    VALUES
        for($i=0;$i<$npin;$i++)
        {
            ('$pin[$i]','$ownerid', 'Free', '1');
        }
    ;";

How can I do that?

A: 

Something like

$sql = sprintf( "INSERT INTO `tblpin` (`pinId`, `ownerId`, `usedby`, `status`) VALUES ('%s', '%s', '%s', '%s')",
    generatePIN($pin),
    mysql_real_escape_string($ownerId),
    mysql_real_escape_string($usedBy),
    mysql_real_escape_string( $status) );

or (edited for Conspicuous Compiler)

$pins = generatePINS($user); // ? however they're generated
foreach( $pins as $pin) {
    $sql = sprintf( "INSERT INTO `tblpin` (`pinId`, `ownerId`, `usedby`, `status`) VALUES ('%s', '%s', '%s', '%s')",
        $pin,
        mysql_real_escape_string($ownerId),
        mysql_real_escape_string($usedBy),
        mysql_real_escape_string( $status) );
    // one INSERT per pin; $pin itself is interpolated as-is here
    $result = mysql_query($sql);
}

where generatePIN is your function to make your pin based on whatever the heck you're basing it off of, or generatePINS returns an array of them.

Dan Heberden
So, two things: (1) He's trying to do multiple rows of inserts at once with a single SQL statement. Your solution doesn't do that, I don't think. (2) Any answer should note that the asker's given code is ripe for SQL injection attacks. (Your proposed solution has this same flaw.)
Conspicuous Compiler
The OP makes no mention of multiple rows - the question is vague. Pins could be a typo, one column, who knows what. The OP makes no mention of whether he/she is sanitizing his data or not; if the OP does any search re: SQL on this site, he/she is sure to find plenty of examples (hell, even some of my answers with tips for him/her).
Dan Heberden
+1  A: 

Try this:

// column names go in backticks; single-quoted names are string literals and make the INSERT a syntax error
$sql = "INSERT INTO tblpin (`pinId`, `ownerId`, `usedby`, `status`) VALUES ";
for($i=0; $i<sizeof($pin); $i++) {
    if ($i>0)
        $sql .= ", ";   // comma between value groups
    $sql .= "('$pin[$i]', '$ownerid', 'Free', '1')";
}

Of course you need to escape the values of $pin in case they contain any characters which could mess with the SQL query.

cherouvim
Strings in PHP are concatenated with ".", and a ";" at the end of the query for mysql_query() is a wrong character, because it accepts one and only one query. And lastly: `foreach` is handier in this case.
zerkms
thanks zerkms. It's been 5 years...
cherouvim
It is not working; `echo $sql;` is displaying `0`.
nectar
@nectar: I had a couple of typos which I corrected.
cherouvim
@cherouvim: yeah, I got that. The final `$sql` is coming out fine, but when I call `mysql_query($sql);` it is not inserting data into the db. Why?
nectar
@nectar: is there an error? if you do echo $sql, does the statement look good?
cherouvim
+1  A: 
$s = $pdo->prepare("INSERT INTO xy (a,b,c,d) VALUES (?,?,?,?)");
foreach ($pins as $i) {
    // PDOStatement::execute() takes the bound values as one array
    $s->execute(array($i, $ownerID, "free", 1));
}
mario
i bet OP used bulk insert for some performance reasons, but this would work too.
zerkms
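As an added example (not code from the question or from any of the answers above), the following combines the two things the thread discusses: the single multi-row INSERT the question asks for, and the PDO placeholders from the last answer, so that no pin, owner id or status value is ever spliced into the SQL text. The table and column names are the question's; the in-memory SQLite database, the helper names `buildMultiRowInsert` and `insertPins`, the PIN format check (digits only) and the sample values are assumptions made for the example.

```php
<?php
// Added example: build one multi-row INSERT from "?" placeholders and bind
// every value through PDO. Uses an in-memory SQLite database so it can be run
// offline; for MySQL swap the DSN for "mysql:host=...;dbname=..." (assumed).

function buildMultiRowInsert(int $rowCount, int $colsPerRow): string
{
    // Edge case: an empty batch would produce "VALUES " with nothing after it
    if ($rowCount < 1 || $colsPerRow < 1) {
        throw new InvalidArgumentException('need at least one row and one column');
    }
    // one "(?,?,?,?)" group per row, comma separated; no user data in the SQL text
    $group = '(' . implode(',', array_fill(0, $colsPerRow, '?')) . ')';
    return 'INSERT INTO tblpin (pinId, ownerId, usedby, status) VALUES '
        . implode(',', array_fill(0, $rowCount, $group));
}

function insertPins(PDO $pdo, array $pins, string $ownerId): int
{
    $params = [];
    foreach ($pins as $pin) {
        // Assumed PIN format: 4 to 12 digits. Anything else is rejected before
        // it reaches the database rather than "escaped" into the query.
        if (!preg_match('/^[0-9]{4,12}$/', (string) $pin)) {
            throw new InvalidArgumentException('unexpected PIN format');
        }
        // bound values in the same order as the placeholders: pinId, ownerId, usedby, status
        array_push($params, $pin, $ownerId, 'Free', 1);
    }

    $sql = buildMultiRowInsert(count($pins), 4);

    // All rows land or none do
    $pdo->beginTransaction();
    try {
        $stmt = $pdo->prepare($sql);
        $stmt->execute($params);
        $pdo->commit();
        return $stmt->rowCount();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tblpin (pinId TEXT PRIMARY KEY, ownerId TEXT, usedby TEXT, status INTEGER)');

// constructed sample values
$pins = ['483920', '117645', '902211'];
echo insertPins($pdo, $pins, 'user42') . " rows inserted\n";
```

The SQL string is assembled only from constant text and `?` tokens, so the escaping questions raised in the comments do not arise: the driver sends the values separately from the statement. Two caveats for MySQL: set `PDO::ATTR_EMULATE_PREPARES` to `false` so the placeholders are real server-side parameters, and chunk very large batches, since a single prepared statement is limited to 65535 placeholders and to `max_allowed_packet` in size.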