I have the following piece of code, which sends a mail to each member of mya_users (this is what the INSERT INTO inbox does):
$query_write_mass = "SELECT id FROM mya_users ORDER by artist_real_address ASC";
$result_write_mass = $db->prepare($query_write_mass);
$result_write_mass->execute();
while ( list($receiver_id) = $result_write_mass->fetch(PDO::FETCH_BOTH) ) {
$stmt = $db->prepare
("INSERT INTO inbox(folder_id, sender_id, sender_type, receiver_id,
receiver_type, title, message_body, time, date, flag, spam)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");
$stmt->bindValue(1, 0, PDO::PARAM_INT);
$stmt->bindValue(2, 0, PDO::PARAM_INT);
$stmt->bindValue(3, 'x', PDO::PARAM_STR);
$stmt->bindValue(4, $receiver_id, PDO::PARAM_INT);
$stmt->bindValue(5, $receiver_type, PDO::PARAM_STR);
$stmt->bindValue(6, $_POST['title'], PDO::PARAM_STR);
$stmt->bindValue(7, $_POST['body'], PDO::PARAM_STR);
$stmt->bindValue(8, date("G:i:s"), PDO::PARAM_STR);
$stmt->bindValue(9, date("Y-m-d"), PDO::PARAM_STR);
$stmt->bindValue(10, 'n', PDO::PARAM_STR);
$stmt->bindValue(11, '', PDO::PARAM_STR);
$stmt->execute();
}
What I want is to keep the security and escaping benefits of PDO prepared statements,
BUT insert, say, 10 rows at a time, so that if I have 40k inserts I benefit from the speed of multi-value inserts and keep the number of INSERT statements low.
Thanks
First, let me assure you that a constant value is perfectly secure. So you can dramatically reduce the number of bound parameters in your code:
INSERT INTO inbox(folder_id, sender_id, sender_type, receiver_id,
receiver_type, title, message_body, dt, flag, spam)
VALUES (0, 0, 'x', ?, ?, ?, ?, NOW(), 'n', '')
I also combined the two fields date and time into one, dt, as there is no reason to keep them separate, and it lets us use shorter code.
And now you can move on to the next step: using the INSERT .. SELECT approach
INSERT INTO inbox(folder_id, sender_id, sender_type, receiver_id,
receiver_type, title, message_body, dt, flag, spam)
SELECT 0, 0, 'x', id, ?, ?, ?, NOW(), 'n', ''
FROM mya_users ORDER by artist_real_address ASC
and bind your data to only three remaining variables!
I have been trying to fix my SQL problem for 3 hours and I can't find the little thing that breaks my code.
The error :
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order, image, category_id) VALUES('test', 'test', '<p>test' at line 1
The query (all the variables are POST fields that were sent):
try {
$statement = $link->prepare("INSERT INTO `info_pages` (name, title, text, img_credits, meta_title, meta_keywords, order, image, category_id) VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?)");
// execute once, with the values bound, and report the driver error if it fails
if (!$statement->execute(array($main_title, $side_title, $content, $img_credits, $meta_title, $meta_keywords, $order, $image, $category_id))) {
print_r($statement->errorInfo());
}
//echo $BNL->msg("הדף <b>{$main_title}</b> נוצר בהצלה, הנך מועבר...", true);
//echo $BNL->MoveTo($url."index.php?page=info_pages",1);
} catch(PDOException $e){
echo $BNL->msg("<b>שגיאה</b>, צרו קשר עם המנהל");
}
Grave is more commonly referred to as a "backtick", which MySQL uses to escape MySQL reserved words.
As #Mat already said in his comment, you used a reserved word in your statement, which is why it throws an error; that word is "order". So if you use a reserved word like this, you have to write your query the way shown below.
INSERT INTO `info_pages`
(`name`,
`title`,
`text`,
`img_credits`,
`meta_title`,
`meta_keywords`,
`order`,
`image`,
`category_id`)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
Though I used it for every column, that is not needed; you can use it for only the "order" column.
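The batched INSERT the first question asks for, combined with the backtick quoting this answer recommends, as an added example that is not from either post. Table and column names (including the reserved word `order`) are validated and quoted in code because identifiers cannot be bound as parameters; the demo table, the rows and the use of pdo_sqlite are constructed assumptions.

```php
<?php
// Added example, not from either post: chunked multi-row INSERT that keeps every
// value bound through PDO and backtick-quotes table and column names so reserved
// words such as `order` are safe. Identifiers cannot be bound as parameters, so
// they are validated against a strict pattern instead.
function quoteIdentifier(string $name): string
{
    if (!preg_match('/^[A-Za-z0-9_]+$/', $name)) {
        throw new InvalidArgumentException("Bad identifier: $name");
    }
    return '`' . $name . '`';
}
// $rows: list of associative arrays keyed by $columns; $chunkSize rows per INSERT.
function batchInsert(PDO $db, string $table, array $columns, array $rows, int $chunkSize = 10): int
{
    $colList  = implode(', ', array_map('quoteIdentifier', $columns));
    $rowSlots = '(' . implode(', ', array_fill(0, count($columns), '?')) . ')';
    $executed = 0;
    $db->beginTransaction();
    try {
        foreach (array_chunk($rows, $chunkSize) as $chunk) {
            // One placeholder group per row: (?, ?, ?), (?, ?, ?), ...
            $sql = sprintf('INSERT INTO %s (%s) VALUES %s', quoteIdentifier($table),
                $colList, implode(', ', array_fill(0, count($chunk), $rowSlots)));
            $params = [];
            foreach ($chunk as $row) {
                foreach ($columns as $col) {
                    $params[] = $row[$col];   // bound, never interpolated
                }
            }
            $db->prepare($sql)->execute($params);
            $executed++;
        }
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
    return $executed;
}
// Constructed demo on in-memory SQLite (pdo_sqlite); the SQL is identical for
// MySQL, and SQLite also accepts backtick-quoted identifiers.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE `info_pages` (`name` TEXT, `title` TEXT, `order` INTEGER)');
$rows = [];
for ($i = 1; $i <= 25; $i++) {
    $rows[] = ['name' => "page$i", 'title' => "Title $i", 'order' => $i];
}
$n = batchInsert($db, 'info_pages', ['name', 'title', 'order'], $rows);
echo $n, ' statements, ', $db->query('SELECT COUNT(*) FROM `info_pages`')->fetchColumn(), " rows\n";
```

Each chunk is a separate prepared statement, so the per-statement placeholder limit of the driver (and MySQL's max_allowed_packet) bounds how large $chunkSize can sensibly be.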
I am using this code:
$image = mysqli_real_escape_string($dbc, $res[3][$i]);
Where $res[3][$i] is a url.
Then I store $image in a MySQL DB. But when I retrieve it, it's all messed up with the special characters... (my DB is in utf8).
How can I store a url in mysql and get it back exactly as it was?
Thanks
Actually I am using a prepared statement:
$image = mysqli_real_escape_string($dbc, $res[3][$i]);
$md5_of_title = md5($title);
//$query = "INSERT IGNORE INTO scrap (date, journal, section, title, href, teaser, image, md5_of_title) VALUES (?, ?, ?, ?, ?, ?, ?, ?)";
$query = "INSERT INTO scrap (date, journal, section, title, href, teaser, image, md5_of_title) VALUES (?, ?, ?, ?, ?, ?, ?, ?)";
$stmt = mysqli_prepare($dbc, $query);
/* type characters: i integers; d doubles; b blobs; s everything else */
// bind_param takes its arguments by reference, so the date goes into a variable first
$date = date('Y-m-d H:i:s');
mysqli_stmt_bind_param($stmt, "ssssssss", $date, $name, $section, $title, $href, $teaser, $image, $md5_of_title);
mysqli_stmt_execute($stmt);
I'm racking my brains over this; I would really appreciate help!
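As an added example (not from the post above), this shows what happens when a value is escaped and then bound: the escaper's backslashes are stored as data. It uses an in-memory pdo_sqlite database and addslashes() as a stand-in for mysqli_real_escape_string(), which needs a live connection; both are assumptions, and the URL is constructed.

```php
<?php
// Added example, not from the post: escaping a value and then binding it stores
// the escape characters themselves, because the placeholder already delivers
// the value verbatim. mysqli_real_escape_string() needs a live MySQL connection,
// so addslashes() stands in for it here (assumption: both prefix quotes and
// backslashes with a backslash). Storage is an in-memory pdo_sqlite database.
function roundTrip(PDO $db, string $url, bool $escapeFirst): string
{
    $value = $escapeFirst ? addslashes($url) : $url;
    $db->prepare('INSERT INTO scrap (href) VALUES (?)')->execute([$value]);
    $stmt = $db->prepare('SELECT href FROM scrap WHERE id = ?');
    $stmt->execute([(int) $db->lastInsertId()]);
    return (string) $stmt->fetchColumn();
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE scrap (id INTEGER PRIMARY KEY, href TEXT)');

// Constructed URL containing the characters the escaper rewrites.
$url = "https://example.com/img/O'Reilly.jpg?dir=C:\\pics&q=\"x\"";

$bound   = roundTrip($db, $url, false);   // bind the raw value
$doubled = roundTrip($db, $url, true);    // escape, then bind

printf("bound only : %s (%s)\n", $bound, $bound === $url ? 'intact' : 'altered');
printf("escape+bind: %s (%s)\n", $doubled, $doubled === $url ? 'intact' : 'altered');
```

If a plain-ASCII URL still comes back mangled, the connection character set is the other usual cause: call mysqli_set_charset($dbc, 'utf8mb4') before preparing so the bytes sent match the utf8 table.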
This is the code I have so far:
$conn = db_connect();
$sql = "INSERT INTO measurements
(`date`, `weight`, `waist`, `id`) VALUES (?,?,?,?)";
$stmt = $conn->prepare($sql);
$stmt->bind_param("sddi", $date, $_POST['weight'], $_POST['waist'], $user_id);
$stmt->execute();
$stmt->close();
$conn->close();
It's a prepared statement for an SQL insert. Now I want to change it to an IF EXISTS THEN UPDATE ELSE INSERT, keeping the way I am doing it right now, something like this but with a prepared statement:
IF EXISTS
(SELECT * FROM measurements WHERE user_id='4')
UPDATE measurements SET (`weight`=40, `waist`=45) WHERE user_id='4'
ELSE
INSERT INTO measurements
VALUES (`date`='week 1', `weight`= 40, `waist`=45, `id`=4)
I found some articles on Stack Overflow about the IF EXISTS THEN UPDATE ELSE INSERT pattern, but I did not find one with a prepared statement in it that worked for me.
Thanks a thousand!
UPDATE:
I've changed it to the duplicate-key style.
$sql = "
INSERT INTO measurements (uniqueID, date, weight, waist)
VALUES ('$uniqueID', '$date', '$weight', '$waist')
ON DUPLICATE KEY UPDATE weight= '$weight', waist= '$waist'";
$conn->query($sql);
Now the second part of the question: how do I make this a prepared statement?
To implement Mr. Jones' solution as a mysqli prepared statement, you would code it thus:
$sql = "INSERT INTO measurements
(`uniqueID`, `date`, weight, waist)
VALUES
(?, ?, ?, ?)
ON DUPLICATE KEY
UPDATE weight = ?, waist = ?";
$stmt = $conn->prepare($sql);
$stmt->bind_param("isdddd", $user_id, $date, $_POST['weight'], $_POST['waist'], $_POST['weight'], $_POST['waist']);
$stmt->execute();
A slightly cleaner implementation would be to use PDO:
$sql = "INSERT INTO measurements
(`uniqueID`, `date`, weight, waist)
VALUES
(:uniqueId, :date, :weight, :waist)
ON DUPLICATE KEY
UPDATE weight = :weight, waist = :waist";
/* $conn is a PDO object */
$stmt = $conn->prepare($sql);
$stmt->execute(array(':uniqueId' => $user_id, ':date' => $date, ':weight' => $_POST['weight'], ':waist' => $_POST['waist']));
Note that with named placeholders, you can use the same name in more than one place and only need to assign the value once.
MySQL's approach to this is INSERT ... ON DUPLICATE KEY UPDATE .... It works well; in particular it avoids race conditions if more than one database connection tries to hit the same row.
This requires the table that's the target of your UPSERT to have a meaningful unique index or primary key. It looks like your id is that key.
You can absolutely use parameter binding to present data to this.
You can read about it here. http://dev.mysql.com/doc/refman/5.7/en/insert-on-duplicate.html
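The same upsert written so that each value is bound exactly once, as an added example that is not from either answer. MySQL's VALUES(col) in the ON DUPLICATE KEY clause refers to the value just supplied for that column, so no placeholder has to be repeated; that matters because PDO rejects a repeated named placeholder unless emulated prepares are enabled. It assumes $pdo is an open PDO connection to MySQL, that $user_id and $date are set as in the question, and that measurements has a UNIQUE or PRIMARY KEY on uniqueID.

```php
<?php
// Added example, not from either answer: the same upsert written so that each
// value is bound exactly once. MySQL's VALUES(col) in the ON DUPLICATE KEY
// clause refers to the value just supplied for col, which avoids repeating a
// named placeholder (PDO only allows that when emulated prepares are on).
// Assumes $pdo is an open PDO connection to MySQL and measurements has a
// UNIQUE or PRIMARY KEY on uniqueID, as the answer above requires.
function upsertMeasurement(PDO $pdo, int $userId, string $date, float $weight, float $waist): int
{
    $sql = 'INSERT INTO measurements (`uniqueID`, `date`, `weight`, `waist`)
            VALUES (:uniqueId, :date, :weight, :waist)
            ON DUPLICATE KEY UPDATE `weight` = VALUES(`weight`), `waist` = VALUES(`waist`)';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':uniqueId', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':date', $date, PDO::PARAM_STR);
    $stmt->bindValue(':weight', $weight);   // sent as a string; MySQL casts it to the column type
    $stmt->bindValue(':waist', $waist);
    $stmt->execute();
    // MySQL reports 1 for a fresh insert, 2 for an update of an existing row,
    // 0 if the row existed and nothing changed.
    return $stmt->rowCount();
}

// Validate before binding: binding stops injection, not bad data.
$weight = filter_input(INPUT_POST, 'weight', FILTER_VALIDATE_FLOAT);
$waist  = filter_input(INPUT_POST, 'waist', FILTER_VALIDATE_FLOAT);
if ($weight === false || $waist === false || $weight === null || $waist === null) {
    http_response_code(400);
    exit('weight and waist must be numbers');
}
$affected = upsertMeasurement($pdo, $user_id, $date, $weight, $waist);
```

MySQL 8.0.20 and later flag VALUES() as deprecated in favour of a row alias (INSERT ... VALUES (...) AS new ON DUPLICATE KEY UPDATE weight = new.weight); the binding stays the same either way.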
This question is about why something is working.
Using unnamed placeholders in PHP PDO:
$STH = $connection->prepare('INSERT INTO Person (firstname, lastname, age) values (?, ?, ?)');
$STH->execute($the_data);
This sort of insertion works correctly.
However, it still works if written as
$STH = $connection->prepare('INSERT INTO Person () values (?, ?, ?)');
$STH->execute($the_data);
Huh?
Are attribute names just syntactic sugar or something?
You need to bind values before executing.
This is the right way:
$STH = $connection->prepare('INSERT INTO Person (firstname, lastname, age) values (?, ?, ?)');
$STH->bindValue(1, 'MyFirstName', PDO::PARAM_STR);
$STH->bindValue(2, 'MyLastName', PDO::PARAM_STR);
$STH->bindValue(3, 28, PDO::PARAM_INT);
$STH->execute();
I keep getting an "incorrect string value" error in my Rake task when I insert one specific record into my DB. I tried converting it to UTF-8 after reading several posts here about it, but that has not resolved the issue (no guarantee I did that right). Any thoughts on what else it could be? Anything I left out?
MySQL Server Community 5.5
Conversion Code:
ic = Iconv.new('UTF-8//IGNORE', 'UTF-8')
@summary = ic.iconv(bug.summary << ' ')[0..-2]
Create Code:
JiraBug.create(
:issue => bug.key,
:summary => @summary,
:reporter_name => reporter_name,
:assignee_name => assignee_name,
:weight => weight, :issue_created => issue_created,
:issue_updated => issue_updated,
:jira_it_division_id => @it_division_id,
:jira_project_id => @project_id,
:jira_priority_id => @priority_id,
:jira_status_id => @status_id,
:jira_originating_phase_id => @originating_phase_id,
:jira_detection_phase_id => @detection_phase_id,
:jira_version_id => @version_id,
:jira_version_name => @version_name,
:death_burrito_application_id => @jira_id
)
Offending String:
"Instance Blueprints → aa-test-kim → Module/Domain Objects - there is
a drop down title \"ID [REMOVEME]\". I don't think the 'removeme'
belongs."
Error:
Mysql::Error: Incorrect string value: '\xE2\x86\x92 aa...' for column
'summary' at row 1: INSERT INTO jira_bugs (assignee_name,
created_at, death_burrito_application_id, issue,
issue_created, issue_updated, jira_detection_phase_id,
jira_it_division_id, jira_originating_phase_id,
jira_priority_id, jira_project_id, jira_status_id,
jira_version_id, jira_version_name, reporter_name, summary,
updated_at, weight) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?,
?, ?, ?, ?, ?) (1.0ms) ROLLBACK Mysql::Error:
Incorrect string value: '\xE2\x86\x92 aa...' for column 'summary' at
row 1: INSERT INTO jira_bugs (assignee_name, created_at,
death_burrito_application_id, issue, issue_created,
issue_updated, jira_detection_phase_id, jira_it_division_id,
jira_originating_phase_id, jira_priority_id, jira_project_id,
jira_status_id, jira_version_id, jira_version_name,
reporter_name, summary, updated_at, weight) VALUES (?, ?, ?,
?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
I wound up doing a record-specific hack for right now.
@summary = bug.summary.gsub(/→/, '>')
Not the greatest solution, but until I find a better way this will have to do.