
For example:

array('u_ad'=>'example name','u_mail'=>'[email protected]','u_sifre'=>'examplepass')

Required query:

$sql = "INSERT INTO uyeler 
          (u_ad,u_mail,u_sifre) 
        VALUES 
          ('example name','[email protected]','examplepass')";

How do I do that?

3 Answers

2
$sql = "INSERT INTO uyeler (". implode(",", array_keys($array)) .") VALUES ('". implode("','", $array) ."')";

5 Comments

Which promptly blows up if any of the values have quotes in them... You'd need at MINIMUM array_map the values through mysql_real_escape_string().
@Marc Did I say he shouldn't mysql_real_escape_string() it before?
No, you didn't. Hence the comment, as a warning.
Really? Is mysql_real_escape_string() a problem whether I use it or not?
Yusef, it's less of an issue if you are hardcoding the strings within your PHP code. But if the values could come from another source, then the risk goes way up. If you are getting values from a configuration file, from the user, from a database record, or some other source, using mysql_real_escape_string will protect you from SQL injection attacks. It will also ensure that the system will work as expected for users who enter special values. Consider the effect if $u_ad is Scott O'Brian, for instance. The INSERT will have invalid syntax using sombe's method without escaping the text.
1

Quick/dirty/unsafe:

$sql = "INSERT INTO uyeler (u_ad,u_mail,u_sifre) VALUES ('" . $theArray['u_ad'] . "','" . $theArray['u_mail'] . "','" . $theArray['u_sifre'] . "')";

Better:

$ad = mysql_real_escape_string($theArray['u_ad']);
$mail = mysql_real_escape_string($theArray['u_mail']);
$sifre = mysql_real_escape_string($theArray['u_sifre']);

$sql = "INSERT INTO uyeler (u_ad,u_mail,u_sifre) VALUES ('" . $ad . "','" . $mail . "','" . $sifre . "')";

1 Comment

@Yusuf for one, you haven't provided an example where the table name comes from... two, your version of 'directly' will not respect required columns and likely just cause errors...
1

Don't mess around with escaping! You should be using prepared statements where possible, and using PDO is a good way to do it.

See:

Why you Should be using PHP’s PDO for Database Access
ext/mysqli: Part I - Overview and Prepared Statements

7 Comments

You mean: don't mess around with escaping when someone else can mess around with it for you? PDO is still escaping ;) {And brings overhead - oh the overhead}
@Rudu If you are asking if I would prefer parameters to be handled for me, then yes, I would. Also, AFAIK, there is no real escaping involved in prepared statements, and they are a good way to help prevent SQL injection.
...I am also happy to accept some additional overhead with PDO if it provides a degree of database agnosticism. If that overhead becomes too much for a given application, it can be optimised as necessary. PDO is just one way to do it.
I don't understand PDO. What is PDO? What does PDO do?
@Yusuf PDO, or PHP Data Objects, "provides a data-access abstraction layer, which means that, regardless of which database you're using, you use the same functions to issue queries and fetch data". It provides a consistent object oriented interface between your application and the RDBMS. This may be of help: Using PDO Objects in PHP 5
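As an added example (not the question's code, nor any answer's, nor from the linked articles), this builds the same INSERT from the array with a PDO prepared statement, as recommended above, and handles the quoting problem raised in the comments on the first answer; the column whitelist, the in-memory SQLite database and the sample row are assumptions made for the demonstration.

```php
<?php
// Added example: build the INSERT from an associative array with a PDO
// prepared statement. Column names cannot be bound as parameters, so they
// are checked against a whitelist; the values are bound, so a quote such as
// the one in "Scott O'Brian" reaches the driver as data, not as SQL text.

// Assumption: the only columns a caller may write to (hypothetical whitelist).
const ALLOWED_COLUMNS = ['u_ad', 'u_mail', 'u_sifre'];

// Return [$sql, $params]: statement text with named placeholders plus the
// values to bind to them.
function buildInsert(string $table, array $row): array
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $table)) {
        throw new InvalidArgumentException("bad table name: $table");
    }
    $columns = array_keys($row);
    foreach ($columns as $col) {
        if (!in_array($col, ALLOWED_COLUMNS, true)) {
            throw new InvalidArgumentException("column not allowed: $col");
        }
    }
    $placeholders = array_map(fn($c) => ':' . $c, $columns);
    $sql = sprintf('INSERT INTO %s (%s) VALUES (%s)',
        $table, implode(', ', $columns), implode(', ', $placeholders));
    return [$sql, array_combine($placeholders, array_values($row))];
}

function insertRow(PDO $pdo, string $table, array $row): int
{
    [$sql, $params] = buildInsert($table, $row);
    $stmt = $pdo->prepare($sql);   // query structure is fixed here
    $stmt->execute($params);       // values are sent separately
    return (int) $pdo->lastInsertId();
}

// Constructed sample: an in-memory SQLite database with the question's table
// and a value containing a quote that breaks the string-concatenation approach.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE uyeler (id INTEGER PRIMARY KEY, u_ad TEXT, u_mail TEXT, u_sifre TEXT)');

// u_sifre is kept as given, like the question; real code should store password_hash() output.
$row = ['u_ad' => "Scott O'Brian", 'u_mail' => 'scott@example.com', 'u_sifre' => 'examplepass'];
$id = insertRow($pdo, 'uyeler', $row);
$check = $pdo->prepare('SELECT u_ad FROM uyeler WHERE id = :id');
$check->execute([':id' => $id]);
echo $check->fetchColumn() === "Scott O'Brian" ? "stored intact\n" : "mismatch\n";
```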