FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » update mysql without manually tying SET statements
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: update mysql without manually tying SET statements [message #178178 is a reply to message #178171] Fri, 18 May 2012 08:49 Go to previous messageGo to previous message
Erwin Moller is currently offline  Erwin Moller
Messages: 228
Registered: September 2010
Karma:
Senior Member
On 5/17/2012 1:14 PM, IRC wrote:
> On May 16, 9:48 pm, "M. Strobel"<sorry_no_mail_h...@nowhere.dee>
> wrote:
>> Am 16.05.2012 16:12, schrieb apavl...@gmail.com:
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>> I am trying to setup some generic code that will allow me to update a mysql database via form and php. I can capture the data in the row of the database that I want to update. I can present that in a form populated with the existing values. What I can't figure out how to do is to avoid typing out the SET statements in the update query.
>>
>>> ex
>>
>>> $sql = "update myhugedatabase
>>> SET
>>> reporter = '$_POST[reporter]',
>>> date = '$_POST[date]',
>>> district = '$_POST[district]',
>>> village = '$_POST[village]',
>>> school = '$_POST[school]',
>>> address = '$_POST[address]',
>>> teacher = '$_POST[teacher]',
>>> teacher_contact = '$_POST[teacher_contact]',
>>> alt_teach = '$_POST[alt_teach]',
>>> alt_teach_contact = '$_POST[alt_teach_contact]',
>>> gps = '$_POST[gps]',
>>> etc
>>> etc
>>> etc
>>
>>> The reason I want to do this is because I manage many projects all with their own variables and databases and the update is the only part that I have to type in manually.
>>
>> If you don't use a framework, you must type in a SET statement for every single
>> column you want to save in the database. There is no getting around it. You must do
>> it at least once for every table.
>>
>> You would normally do even more: apply some test/validation on every field, and make
>> sure required fields are not empty, and number fields contain numbers...
>>
>> You do this nowadays with prepared statements, to be protected against SQL injection
>> attacks.
>>
>> If you want generic code, you must define the fields and their properties somewhere
>> else in your code, this is normally not less work.
>>
>> /Str.
>
> I agree with Strobel.
>
> You have to create a function once (which can be generic) which will
> process your update statement and you just pass an array of $_POST
> data into that function and it will process it accordingly.
>
> It may be worthwhile to look into ADODB database library found on php
> http://adodb.sourceforge.net/

+1 on adodb. I have always used it with pleasure: a simple clear approach.

But prepared statements are just one way to avoid SQL injection.
One could also simply use the right string-escape-function.
Both approaches are OK.

Regards,
Erwin Moller

--
"That which can be asserted without evidence, can be dismissed without
evidence."
-- Christopher Hitchens
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: table appears with empty rows, and row data appears before table. Code seems ok. What is going on?
Next Topic: Dynamic water marking (redirect?)
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sat Nov 30 06:22:25 GMT 2024

Total time taken to generate the page: 0.04495 seconds