Re: [PHP] Compare and inserting with php

Andrew Ballard Tue, 30 Jun 2009 11:26:11 -0700

On Tue, Jun 30, 2009 at 2:19 PM, Miller,
Terion<tmil...@springfi.gannett.com> wrote:
>
>
>
>
>>>
>>
>> Does this list of inspections exist in the db? Could you not use an
>> INSERT INTO SELECT * FROM TABLE WHERE type statement...much less
>> processing overhead then
>>
>> --
>>
>> Bastien
>>
>> Cat, the other other white meat
>>
>> Hi Bastien,
>>
>> Something like this is what you mean?
>>
>>  if (!empty($Go)) {    $query = "SELECT * FROM restaurants WHERE name = 
>> '$ucName' AND address = '$ucAddress' AND inDate ='$inDate' AND inType = 
>> '$inType' ";    $result = mysql_query ($query);    $row = mysql_fetch_object 
>> ($result);    If (mysql_num_rows($result) == 0) { $sql = "INSERT INTO 
>> `restaurants` (name, address, inDate, inType, notes, critical, cviolations, 
>> noncritical)  VALUES (";    $sql .= " '$ucName', '$ucAddress', '$inDate', 
>> '$inType', '$notes', '$critical', '$cleanViolations', '$noncritical')";      
>>   $result = mysql_query($sql) or die(mysql_error());    }        So if all 
>> three things are met, that entry is in there if not insert right?
>>
>
> More like
>
> sql = "insert into restaurants select * from restaurants where name =
> '$ucName' AND address = '$ucAddress' AND inDate ='$inDate' AND inType
> = '$inType' ";
>
> http://dev.mysql.com/doc/refman/5.0/en/insert-select.html
>
>
>
> --
>
> Bastien
>
> Cat, the other other white meat
>
>
> Well I didn't get anywhere, now I just keep getting this error....
>
>
> Warning: mysql_num_rows(): supplied argument is not a valid MySQL result 
> resource in 
> /var/www/vhosts/getpublished.news-leader.com/httpdocs/ResturantInspections/compare.php
>  on line 119
> You have an error in your SQL syntax; check the manual that corresponds to 
> your MySQL server version for the right syntax to use near 's Roast Beef 
> Restaurant #9459', ' 1833 W Republic Rd ', '3/2/09', '' at line 1
>
> Using this code:
>
>  $query = "SELECT * FROM  restaurants  WHERE  name = '$ucName' AND address = 
> '$ucAddress' AND inDate ='$inDate' AND inType = '$inType' ";    $result = 
> mysql_query ($query);   // $row = mysql_fetch_object ($result);        echo 
> $result;    If (mysql_num_rows($result) == 0) {    $sql = "INSERT INTO 
> `restaurants` (name, address, inDate, inType, notes, critical, cviolations, 
> noncritical)  VALUES (";    $sql .= " '$ucName', '$ucAddress', '$inDate', 
> '$inType', '$notes', '$critical', '$cleanViolations', '$noncritical')";       
>  $result = mysql_query($sql) or die(mysql_error());    }
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>


For one thing, that error message shows that you are not properly
escaping the strings you are sending to mysql_query() (specifically,
$ucName in this case). Even if you do get it to work, you'll be
vulnerable to SQL injection.

Andrew

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Compare and inserting with php

Reply via email to