Lists: | pgsql-php |
---|
From: | Chadwick Rolfs <c2304182(at)webdevel(dot)urban(dot)csuohio(dot)edu> |
---|---|
To: | <pgsql-php(at)postgresql(dot)org> |
Subject: | Test (fwd) |
Date: | 2001-06-13 23:44:10 |
Message-ID: | Pine.LNX.4.33.0106131937010.13453-100000@webdevel.urban.csuohio.edu |
To reword.

I am an open source programmer just learning the ropes. I am about
halfway through the php documentation at zend.com, and can't seem to post
to the php.lists.net. So I am asking someone here...
I need to take the entries from several web forms, and put their contents
into a postgresql database. The php function pg_exec is the only way I've
seen to actually use INSERT.
Here is my idea: -using arrays

$query = "insert into <table_name> ($names_of_form_fields)
values ($values_of_form_fields);";

so there you have it.
I have been to php.net
I read documentation religiously
I'm simply asking for help
anyone?

---------- Forwarded message ----------
Date: Wed, 13 Jun 2001 15:11:08 -0400 (EDT)
From: Chadwick Rolfs <c2304182(at)webdevel(dot)urban(dot)csuohio(dot)edu>
To: pgsql-php(at)postgresql(dot)org
Subject: Test
I can't seem to post to this list that I keep receiving e-mail from. I
want to parse a web form through php and put it into a postgresql
database. Who can help? or point me toward the right direction...
thanks.
From: | "Adam Lang" <aalang(at)rutgersinsurance(dot)com> |
---|---|
To: | <pgsql-php(at)postgresql(dot)org> |
Subject: | Re: Test (fwd) |
Date: | 2001-06-14 14:04:49 |
Message-ID: | 009301c0f4da$f9a71b200a0a0a@rutgersinsurance.com |
Your insert idea won't work. SQL knows nothing (in regards to PHP) of
arrays. You actually have to break out the variables.
$query = "insert into <table_name> (field1, field2, field3) values ($text1,
$text2, $text3);";
Plus, you have to make sure to check for apostrophes. That will break your
SQL statement if someone typed them into the text field.
Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com
From: | "Gary Hoffman" <ghoffman(at)ucsd(dot)edu> |
---|---|
To: | pgsql-php(at)postgresql(dot)org |
Cc: | aalang(at)rutgersinsurance(dot)com |
Subject: | Re(2): Test (fwd) |
Date: | 2001-06-14 17:12:40 |
Message-ID: | fc.00249f0e001b95893b9aca005379f626.1b961a@irpsmail.ucsd.edu |
aalang(at)rutgersinsurance(dot)com writes:
>
>Plus, you have to make sure to check for apostrophes. That will break
>your
>SQL statement if someone typed them into the text field.
>
Well, this caveat had never occurred to me. So how does someone enter
strings with enclosed apostrophes, as in the Irish surname O'Mallory or
the Yemeni placename Sana'a?
Gary
**************************************************************************
* Gary B. Hoffman, Computing Services Manager e-mail: ghoffman(at)ucsd(dot)edu *
* Graduate School of International Relations and Pacific Studies (IR/PS) *
* University of California, San Diego (UCSD) voice: (858) 534-1989 *
* 9500 Gilman Dr. MC 0519 fax: (858) 534-3939 *
* La Jolla, CA 92093-0519 USA web: http://www-irps.ucsd.edu/ *
**************************************************************************
From: | "Adam Lang" <aalang(at)rutgersinsurance(dot)com> |
---|---|
To: | <pgsql-php(at)postgresql(dot)org> |
Subject: | Re: Re(2): Test (fwd) |
Date: | 2001-06-14 17:28:35 |
Message-ID: | 00f301c0f4f7ef3c000a0a0a@rutgersinsurance.com |
It could fluctuate on each database, so always check the appropriate
documentation, but...
the standard way usually is to double the apostrophe
O'Brien would be O''Brien (the middle is two apostrophes, not a quote)
Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com
From: | "Mitch Vincent" <mvincent(at)cablespeed(dot)com> |
---|---|
To: | <pgsql-php(at)postgresql(dot)org> |
Subject: | Re: Re(2): Test (fwd) |
Date: | 2001-06-14 22:57:43 |
Message-ID: | 004601c0f525b7d3e9000000a@Mitch |
The apostrophe being a special character in PostgreSQL (and most other
databases), it needs to be escaped if you wish it to go nicely into a
query..
addslashes() and related functions will help there.
Another thing to keep in mind is htmlspecialchars() -- it's very useful
when someone might put a double quote in your form field -- which could
seriously mess up when you have something like <INPUT TYPE="TEXT"
NAME="Whatever" VALUE="this is what I'm "talking" about"> , sort of thing.
I missed the first post so please excuse me if I'm way off base.. Good
luck!
-Mitch
From: | Frank Joerdens <frank(at)joerdens(dot)de> |
---|---|
To: | Mitch Vincent <mvincent(at)cablespeed(dot)com> |
Cc: | pgsql-php(at)postgresql(dot)org |
Subject: | Re: Re(2): Test (fwd) |
Date: | 2001-06-15 08:30:11 |
Message-ID: | 20010615103011.A25185@rakete.joerdens.de |
On Thu, Jun 14, 2001 at 06:57:43PM -0400, Mitch Vincent wrote:
> The apostrophe being a special character in PostgreSQL (and most other
> databases), it needs to be escaped if you wish it to go nicely into a
> query..
> addslashes() and related functions will help there.
>
> Another thing to keep in mind is htmlspecialchars() -- it's very useful
> when someone might put a double quote in your form field -- which could
> seriously mess up when you have something like <INPUT TYPE="TEXT"
> NAME="Whatever" VALUE="this is what I'm "talking" about"> , sort of thing.
Also note that the PHP runtime parameter magic_quotes_gpc is usually on
by default which does the escaping by default.
- Frank
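
The form-to-INSERT task discussed in this thread, written with bound parameters instead of manual escaping, plus the htmlspecialchars() case. This is an added example, not code from any poster in the thread. The table name `contacts`, the column names and the helper `build_insert` are hypothetical, and `pg_query_params()` requires PHP 5.1 or later, which postdates the thread.

```php
<?php
// Added example: table "contacts" and its columns are hypothetical.
const ALLOWED_COLUMNS = ['first_name', 'last_name', 'city'];

// Build [sql, params] for pg_query_params(). Column names come only from the
// allowlist; values are passed separately and never become part of the SQL text.
function build_insert(string $table, array $form): array
{
    $cols = $marks = $params = [];
    foreach ($form as $name => $value) {
        if (!in_array($name, ALLOWED_COLUMNS, true)) {
            throw new InvalidArgumentException("unexpected form field: $name");
        }
        $cols[]   = '"' . $name . '"';
        $params[] = (string) $value;
        $marks[]  = '$' . count($params);   // $1, $2, ...
    }
    if ($params === []) {
        throw new InvalidArgumentException('no form fields submitted');
    }
    // $table is a literal chosen by the caller, never request data.
    $sql = sprintf('INSERT INTO "%s" (%s) VALUES (%s)',
        $table, implode(', ', $cols), implode(', ', $marks));
    return [$sql, $params];
}

// Constructed submission using the names from the thread.
$form = ['first_name' => 'Sean', 'last_name' => "O'Mallory", 'city' => "Sana'a"];

// String-built query from the thread: the apostrophe ends the literal early.
echo "insert into contacts (last_name) values ('{$form['last_name']}');", "\n";

// Parameterized form: the SQL text contains placeholders only.
[$sql, $params] = build_insert('contacts', $form);
echo $sql, "\n";
// With a live connection: pg_query_params($conn, $sql, $params);

// Redisplaying input in a form field: encode for the attribute context so
// embedded double quotes cannot close VALUE="..." (Mitch's point).
$text = 'this is what I\'m "talking" about';
printf("<input type=\"text\" name=\"whatever\" value=\"%s\">\n",
    htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));
```

Because the values travel as bound parameters, no addslashes() call or apostrophe doubling is applied to them. The magic_quotes_gpc setting mentioned above was removed in PHP 5.4.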