Re: update mysql without manually tying SET statements

On 5/17/2012 1:14 PM, IRC wrote:
On May 16, 9:48 pm, "M. Strobel"<sorry_no_mail_h...@xxxxxxxxxxx>
wrote:
Am 16.05.2012 16:12, schrieb apavl...@xxxxxxxxx:









I am trying to setup some generic code that will allow me to update a mysql database via form and php. I can capture the data in the row of the database that I want to update. I can present that in a form populated with the existing values. What I can't figure out how to do is to avoid typing out the SET statements in the update query.

ex

$sql = "update myhugedatabase
SET
reporter = '$_POST[reporter]',
date = '$_POST[date]',
district = '$_POST[district]',
village = '$_POST[village]',
school = '$_POST[school]',
address = '$_POST[address]',
teacher = '$_POST[teacher]',
teacher_contact = '$_POST[teacher_contact]',
alt_teach = '$_POST[alt_teach]',
alt_teach_contact = '$_POST[alt_teach_contact]',
gps = '$_POST[gps]',
etc
etc
etc

The reason I want to do this is because I manage many projects all with their own variables and databases and the update is the only part that I have to type in manually.

If you don't use a framework, you must type in a SET statement for every single
column you want to save in the database. There is no getting around it. You must do
it at least once for every table.

You would normally do even more: apply some test/validation on every field, and make
sure required fields are not empty, and number fields contain numbers...

You do this nowadays with prepared statements, to be protected against SQL injection
attacks.

If you want generic code, you must define the fields and their properties somewhere
else in your code, this is normally not less work.

/Str.

I agree with Strobel.

You have to create a function once (which can be generic) which will
process your update statement and you just pass an array of $_POST
data into that function and it will process it accordingly.

It may be worthwhile to look into ADODB database library found on php
http://adodb.sourceforge.net/

+1 on adodb. I have always used it with pleasure: a simple clear approach.

But prepared statements are just one way to avoid SQL injection.
One could also simply use the right string-escape-function.
Both approaches are OK.

Regards,
Erwin Moller

--
"That which can be asserted without evidence, can be dismissed without evidence."
-- Christopher Hitchens
.

Relevant Pages

  • Re: OT: MySQL versus PostgreSQL and database design
    ... and avoiding an absolute "the design is broken" pronouncement. ... calculation, give me a database with 100,000 tables. ... Another general note -- just as blank fields is evidence for a poor ... separate databases for separate kinds of data, ...
    (rec.crafts.metalworking)
  • Re: Sanitizing form input for use in MySQL queries
    ... I tried this extension for a recent project and I eventually wrote a custom wrapper to add prepared statements to regular mysql_* functions and forget about this mess. ... You don't necessarily use PDO to build a database-agnostic app: you use it so you don't need to learn an enterily new PHP extension for each database engine. ... what if the customer is Brian O'Hara? ...
    (comp.lang.php)
  • Re: Database of questionable links
    ... and will use a text database program for it. ... I'm thinking of using different fields for "evidence for" and "evidence ... For example "Need to find a baptism for William Jones to show who his parents ... I've also only created an index report and not a full one. ...
    (soc.genealogy.computing)
  • Re: Sanitizing form input for use in MySQL queries
    ... and it's unlikely we will be changing our database engines in ... To guard against SQL injection, if I use "prepared statements", is this ... You should apply validation to all data that comes into your ...
    (comp.lang.php)
  • Re: How the Darwinists caused the holocaust
    ... they searched a database of only 4 elements by possibly running the ... search algorithm, and the result was reliable just a percentage of the ... would be an obvious fact to you that freedom is real. ... eventhough the evidence is actually solid ...
    (talk.origins)