Re: Compare and inserting with php

On Tue, Jun 30, 2009 at 2:19 PM, Miller,
Terion<tmiller@xxxxxxxxxxxxxxxxxxxx> wrote:
>>
>> Does this list of inspections exist in the db? Could you not use an
>> INSERT INTO SELECT * FROM TABLE WHERE type statement...much less
>> processing overhead than
>>
>> --
>>
>> Bastien
>>
>> Cat, the other other white meat
>>
>> Hi Bastien,
>>
>> Something like this is what you mean?
>>
>> if (!empty($Go)) {
>>     $query = "SELECT * FROM restaurants WHERE name = '$ucName' AND address = '$ucAddress' AND inDate ='$inDate' AND inType = '$inType' ";
>>     $result = mysql_query ($query);
>>     $row = mysql_fetch_object ($result);
>>     If (mysql_num_rows($result) == 0) {
>>         $sql = "INSERT INTO `restaurants` (name, address, inDate, inType, notes, critical, cviolations, noncritical)  VALUES (";
>>         $sql .= " '$ucName', '$ucAddress', '$inDate', '$inType', '$notes', '$critical', '$cleanViolations', '$noncritical')";
>>         $result = mysql_query($sql) or die(mysql_error());
>>     }
>>
>> So if all three things are met, that entry is in there if not insert right?
>>
>
> More like
>
> $sql = "insert into restaurants select * from restaurants where name =
> '$ucName' AND address = '$ucAddress' AND inDate ='$inDate' AND inType
> = '$inType' ";
>
> http://dev.mysql.com/doc/refman/5.0/en/insert-select.html
>
>
>
> --
>
> Bastien
>
> Cat, the other other white meat
>
>
> Well I didn't get anywhere, now I just keep getting this error....
>
>
> Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/vhosts/getpublished.news-leader.com/httpdocs/ResturantInspections/compare.php on line 119
> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Roast Beef Restaurant #9459', ' 1833 W Republic Rd ', '3/2/09', '' at line 1
>
> Using this code:
>
> $query = "SELECT * FROM  restaurants  WHERE  name = '$ucName' AND address = '$ucAddress' AND inDate ='$inDate' AND inType = '$inType' ";
> $result = mysql_query ($query);
> // $row = mysql_fetch_object ($result);
> echo $result;
> If (mysql_num_rows($result) == 0) {
>     $sql = "INSERT INTO `restaurants` (name, address, inDate, inType, notes, critical, cviolations, noncritical)  VALUES (";
>     $sql .= " '$ucName', '$ucAddress', '$inDate', '$inType', '$notes', '$critical', '$cleanViolations', '$noncritical')";
>     $result = mysql_query($sql) or die(mysql_error());
> }
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

For one thing, that error message shows that you are not properly
escaping the strings you are sending to mysql_query() (specifically,
$ucName in this case). Even if you do get it to work, you'll be
vulnerable to SQL injection.

Andrew

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
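
Added example, not part of the thread: the check-then-insert from the quoted code, rewritten with bound parameters so a name containing an apostrophe is handled as data. It assumes PDO with the pdo_sqlite driver, a cut-down table, and a hypothetical helper insertIfNew(); the sample rows are constructed.

```php
<?php
// Added example, not code from the thread. Assumes PDO with the pdo_sqlite
// driver so it runs without a server; pdo_mysql takes the same calls.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Cut-down version of the thread's table. The UNIQUE key is an assumption
// added here so the database itself also rejects duplicates.
$pdo->exec('CREATE TABLE restaurants (
    name TEXT, address TEXT, inDate TEXT, inType TEXT, notes TEXT,
    UNIQUE (name, address, inDate, inType))');

// Hypothetical helper: true if the row was inserted, false if it existed.
function insertIfNew(PDO $pdo, array $r): bool
{
    $key = [$r['name'], $r['address'], $r['inDate'], $r['inType']];

    // Placeholders keep the values out of the SQL text, so an apostrophe in
    // a name can neither break the statement nor change what it does.
    $check = $pdo->prepare('SELECT COUNT(*) FROM restaurants
        WHERE name = ? AND address = ? AND inDate = ? AND inType = ?');
    $check->execute($key);
    if ((int) $check->fetchColumn() > 0) {
        return false;
    }

    $insert = $pdo->prepare('INSERT INTO restaurants
        (name, address, inDate, inType, notes) VALUES (?, ?, ?, ?, ?)');
    $insert->execute(array_merge($key, [$r['notes']]));
    return true;
}

// Constructed sample rows: an apostrophe, and text that looks like SQL.
$rows = [
    ['name' => "Example's Roast Beef #0001", 'address' => '1 Sample Rd',
     'inDate' => '3/2/09', 'inType' => 'Routine', 'notes' => 'none'],
    ['name' => "x' OR '1'='1", 'address' => '2 Sample Rd',
     'inDate' => '3/2/09', 'inType' => 'Routine', 'notes' => 'none'],
];

foreach ($rows as $r) {
    $first = insertIfNew($pdo, $r);   // new row
    $again = insertIfNew($pdo, $r);   // same row submitted a second time
    printf("%s: inserted=%s, repeat inserted=%s\n", $r['name'],
        var_export($first, true), var_export($again, true));
}

// Read the names back to compare them with what was submitted.
$stored = $pdo->query('SELECT name FROM restaurants ORDER BY rowid')
              ->fetchAll(PDO::FETCH_COLUMN);
var_dump($stored === array_column($rows, 'name'));
```

With the mysql_* functions the thread's code uses, the corresponding fix is to pass each value through mysql_real_escape_string() before it is placed in the query string.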


