I'm trying to parse a number of CSV files from a product feed. I'm using the code below to grab the data from the CSV and process it row by row for insertion into a MySQL db. For some reason, every once in a while the addslashes function seems to skip the escape sequence. What am I doing wrong here?

// One row per iteration; $data is a zero-based array of the row's fields.
while (($data = fgetcsv($fh, 2000, ",")) !== FALSE)
{
    $num = count($data);
    $nl = 0;

    // Walk the fields and copy the first four into named variables.
    for ($c = 0; $c < $num; $c++)
    {
        $nl++;
        if ($c >= 0)   // always true, since $c starts at 0
        {
            if ($nl == 1)
            {
                $Name = addslashes($data[$c]);
            }
            if ($nl == 2)
            {
                $URL = $data[$c];
            }
            if ($nl == 3)
            {
                $CatalogName = addslashes($data[$c]);
            }
            if ($nl == 4)
            {
                $LastUpdated = $data[$c];
            }
        }
    }
    // $headerRow is maintained elsewhere in the original script (not shown here).
    if ($headerRow > 40)
    {
        // Values are interpolated straight into the SQL text; only Name and CatalogName go through addslashes.
        $sql = "INSERT INTO table (name,url,catname,updated) VALUES ('$Name','$URL','$CatalogName','$LastUpdated')";
        mysqli_query($connection3, $sql) or die("Can't execute query I001.");
    }
}
  • Either use parametrized queries, or use mysqli_real_escape_string. Commented Nov 3, 2013 at 18:35
  • Why are you injecting values into the SQL query if you're using MySQLi? Use prepared statements/bind variables. Commented Nov 3, 2013 at 18:35
  • I also don't understand why you're using a for loop. Just do $Name = addslashes($data[1]); $URL = $data[2]; etc. Commented Nov 3, 2013 at 18:38
  • Please fix your code indentation. It looks like the query is inside the for loop. Commented Nov 3, 2013 at 18:39
  • The escapes are not stored in the DB, they're just used to make the SQL query parse correctly. Commented Nov 3, 2013 at 18:45

1 Answer

For a parameterized query (http://php.net/manual/en/mysqli.prepare.php):

$sql=$connection3->prepare("INSERT INTO table (name,url,catname,updated) VALUES (?,?,?,?)");
$sql->bind_param('ssss',$Name,$URL,$CatalogName,$LastUpdated);
$results=$sql->execute(); // $results contains whether or not the execute was successful.

While this is "object oriented style", the actual functionality of this statement will work whether or not you prefer "objects" to "procedural style"; it's all in the style. In any case, it will work, and there are procedural examples in the docs.

In fact, here's how you do it procedurally:

$stmt=mysqli_prepare($connection3, "INSERT INTO table (name,url,catname,updated) VALUES (?,?,?,?)");
mysqli_stmt_bind_param($stmt, "ssss", $Name,$URL,$CatalogName,$LastUpdated);
mysqli_stmt_execute($stmt);

Now you don't have to worry about escaping your statement, but you still do have to sanitize your entries to prevent cross site scripting and other security risks.

2 Comments

Would I include all 3 statements on every iteration of the loop, or just do the first line once outside the loop, and the last two statements on every iteration?
You can set up the prepare outside the loop then bind the parameters and execute inside the loop
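As an added example that is not the asker's or the answerer's code, here is the import loop rebuilt around one prepared statement, following the comment above (prepare once outside the loop, bind once, execute per row). It assumes a feed file named products.csv, a target table named products (the question's `table` is a reserved word in MySQL) and placeholder connection credentials; the "skip the first 40 rows" rule stands in for the original `$headerRow > 40` check.

```php
<?php
// Added example, not from the original thread. Assumed names: products.csv,
// table `products`, placeholder credentials below.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any mysqli error

$connection3 = new mysqli('localhost', 'user', 'password', 'feeds'); // placeholder credentials
$connection3->set_charset('utf8mb4'); // connection charset must match the feed's encoding

// Prepare ONCE, outside the loop. The placeholders keep the data out of the SQL
// text entirely, so quotes and backslashes in the feed never reach the parser.
$stmt = $connection3->prepare(
    'INSERT INTO products (name, url, catname, updated) VALUES (?, ?, ?, ?)'
);

// bind_param binds by reference: reassigning these variables before each
// execute() is enough, no re-binding per row is needed.
$name = $url = $catalogName = $lastUpdated = null;
$stmt->bind_param('ssss', $name, $url, $catalogName, $lastUpdated);

$fh = fopen('products.csv', 'r');
if ($fh === false) {
    throw new RuntimeException('cannot open products.csv');
}

$rowNumber = 0;
$inserted  = 0;
while (($data = fgetcsv($fh, 2000, ',')) !== false) {
    $rowNumber++;
    if ($data === [null]) {          // fgetcsv yields [null] for a blank line
        continue;
    }
    if ($rowNumber <= 40) {          // header/preamble rows, as in the original check
        continue;
    }
    if (count($data) < 4) {
        fwrite(STDERR, "row $rowNumber: expected 4 fields, got " . count($data) . "\n");
        continue;
    }
    // No addslashes(): the values travel separately from the SQL statement.
    [$name, $url, $catalogName, $lastUpdated] = array_map('trim', array_slice($data, 0, 4));
    $stmt->execute();                // throws on failure under MYSQLI_REPORT_STRICT
    $inserted++;
}
fclose($fh);
$stmt->close();
echo "inserted $inserted rows\n";
```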
