
So I have a script similar to the one below. I am trying to write a SQL script within this PHP script that will be doing some updating or inserting depending on the condition. However, I am running into a problem with how I have concatenated my variables within the script. The while loop does not work, but before this I had the for loop running and that seemed to work properly. What am I doing wrong here?

P.S. I know many of you will complain about SQL injection, but this is an in-house project within our company, so everything is secure within a separate network and a separate VM this is being hosted on and tested.

    <?php
    include_once 'DbConnectPSI.php';
    global $connect;
    global $record3;
    global $emptyQ;
    global $rightOn;
    global $i;
    global $SqlArr;
    $rightOn = "Thank you, your time has been inserted successfully";
    $i = 0;
    $SqlArr = $_POST['SqlArr'];

    while($i <= sizeof($SqlArr)) {
        $emptyQ = "IF Exists (Select * from EmployeeTimesheetstemp where empid= $SqlArr[$i][0]  and Day= '$SqlArr[$i][2]'  and Title='$SqlArr[$i][3]' and Description='$SqlArr[$i][4]')
        Update EmployeeTimesheetstemp Set Value=$SqlArr[$i][5] where empid=$SqlArr[$i][0] and Day='$SqlArr[$i][2]' and Title='$SqlArr[$i][3]' and Description='$SqlArr[$i][4]'
        Else Insert into EmployeeTimeSheetstemp(EmpId,WkEnd,Day,Title,Description,Value,Timestamp,Abbrevjob) Values";
        $emptyQ = $emptyQ . '('. $SqlArr[$i][0]. ', ' . "'". $SqlArr[$i][1] ."'" . ', '. "'". $SqlArr[$i][2] ."'"  .', '. "'". $SqlArr[$i][3] ."'"  .', '. "'". $SqlArr[$i][4] ."'"  .', '.  $SqlArr[$i][5]  .',' . 'getDate()' . ', '.  $SqlArr[$i][6]  .')';
        $i = $i + 1;
    }
    $record3 = odbc_exec($connect, $emptyQ);
    //echo ($rightOn);
    echo($emptyQ);
    odbc_close($connect);
    ?>

FOR LOOP:

    $emptyQ = "Insert into EmployeeTimesheetsTemp (EmpId, WkEnd,Day,Title,Description,Value,TimeStamp,AbbrevJob) Values";

    for ($i = 0; $i < sizeof($SqlArr); $i++) {
        if ($i == sizeof($SqlArr) - 1) {
            $emptyQ = $emptyQ . '('. $SqlArr[$i][0]. ', ' . "'". $SqlArr[$i][1] ."'" . ', '. "'". $SqlArr[$i][2] ."'"  .', '. "'". $SqlArr[$i][3] ."'"  .', '. "'". $SqlArr[$i][4] ."'"  .', '.  $SqlArr[$i][5]  .',' . 'getDate()' . ', '.  $SqlArr[$i][6]  .')';
        }
        else {
            $emptyQ = $emptyQ . '('. $SqlArr[$i][0]. ', ' . "'". $SqlArr[$i][1] ."'"  .', '. "'". $SqlArr[$i][2] ."'"  . ', '. "'". $SqlArr[$i][3] ."'"  .', '. "'". $SqlArr[$i][4] ."'"  .', '.  $SqlArr[$i][5]  .',' . 'getDate()' .', '.  $SqlArr[$i][6]  .'),';
        }
    }
    I know many of you will complain about sql injection, but this is an in house project within our company so everything is secure ... That's not an excuse to get in the habit of writing sloppy code that can easily break from how you're concatenating it. Use proper prepared-statements, and quite possibly your problem will go away. Commented Oct 29, 2015 at 19:00
  • please update your question to include the contents of your $_POST Commented Oct 29, 2015 at 19:02
  • Agree with Siyual. Plus, it's impossible for the rest of us to read. Typically, although it's more work, when you follow the same process as the rest of the community people are more likely to help. Commented Oct 29, 2015 at 19:02
  • I've done something like this ... it's typically a quoting nightmare. For starters, check out your initial assignment statement for $emptyQ ... it's got stuff inside the quotes that needs to be "out" of the quotes (e.g. $foo[$n][123]) Commented Oct 29, 2015 at 19:03
  • Please learn to use prepared statements Commented Oct 29, 2015 at 19:03

1 Answer


You're doing multi-dimensional arrays in "-quoted strings. You need to take special care of those:

$foo[0][1] = 'bar';
echo "$foo[0][1]"; // output: Array[1]

PHP's parser isn't greedy, and by default stops after the FIRST array dereference, and treats everything else as plain text. You either need to do string concatenation, or use the {}-extended syntax:

echo "" . $foo[0][1] . "";
echo "{$foo[0][1]}";

Both of those would output bar.
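The following is an added example, not code from the question or the answer. It reproduces the interpolation pitfall the answer describes with the asker's own `$SqlArr[$i][n]` shape, and then does what the commenters ask for: the IF EXISTS / UPDATE / INSERT string is replaced by three prepared statements with `?` placeholders, so the row values never touch the SQL text and the quoting problem disappears along with the injection risk. The in-memory SQLite connection, table layout and sample rows are constructed for the example; against the asker's ODBC data source the same code would use `new PDO('odbc:YourDSN')` (assumed DSN name). `CURRENT_TIMESTAMP` is used in place of `getDate()` because both SQLite and SQL Server accept it.

```php
<?php
// Added example (not the asker's code). Constructed rows in the same layout
// the question uses: [EmpId, WkEnd, Day, Title, Description, Value, AbbrevJob].
$SqlArr = [
    [42, '2015-10-30', 'Thursday', 'Support', 'Ticket triage', 4.5, 'SUP'],
    [42, '2015-10-30', 'Thursday', 'Support', 'Ticket triage', 6.0, 'SUP'], // same key -> update
    [7,  '2015-10-30', 'Friday',   'Dev',     "O'Brien review", 2.0, 'DEV'], // embedded quote
];

// 1. The pitfall from the answer: in a "-quoted string PHP stops after the
//    first [] and treats "[0]" as literal text, so you get "Array[0]" plus an
//    "Array to string conversion" notice instead of 42.
function plainInterpolation(array $rows, int $i): string
{
    return "empid= $rows[$i][0]";
}

// Braced syntax (or concatenation) dereferences the whole expression.
function bracedInterpolation(array $rows, int $i): string
{
    return "empid= {$rows[$i][0]}";
}

// 2. Replacing the concatenated upsert with prepared statements.
//    Returns how many rows were inserted and how many updated.
function upsertTimesheets(PDO $pdo, array $rows): array
{
    $exists = $pdo->prepare(
        'SELECT COUNT(*) FROM EmployeeTimesheetstemp
          WHERE EmpId = ? AND Day = ? AND Title = ? AND Description = ?');
    $update = $pdo->prepare(
        'UPDATE EmployeeTimesheetstemp SET Value = ?
          WHERE EmpId = ? AND Day = ? AND Title = ? AND Description = ?');
    $insert = $pdo->prepare(
        'INSERT INTO EmployeeTimesheetstemp
           (EmpId, WkEnd, Day, Title, Description, Value, Timestamp, AbbrevJob)
         VALUES (?, ?, ?, ?, ?, ?, CURRENT_TIMESTAMP, ?)');

    $counts = ['inserted' => 0, 'updated' => 0];

    // One transaction for the whole batch: either every row lands or none does.
    $pdo->beginTransaction();
    try {
        // foreach avoids the off-by-one that "$i <= sizeof($SqlArr)" produces.
        foreach ($rows as $n => $r) {
            if (count($r) !== 7) {
                throw new InvalidArgumentException("row $n must have 7 fields");
            }
            [$empId, $wkEnd, $day, $title, $desc, $value, $abbrev] = $r;

            $exists->execute([$empId, $day, $title, $desc]);
            if ((int) $exists->fetchColumn() > 0) {
                $update->execute([$value, $empId, $day, $title, $desc]);
                $counts['updated']++;
            } else {
                $insert->execute([$empId, $wkEnd, $day, $title, $desc, $value, $abbrev]);
                $counts['inserted']++;
            }
        }
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
    return $counts;
}

// Constructed in-memory database standing in for the asker's ODBC connection.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE EmployeeTimesheetstemp (
    EmpId INTEGER, WkEnd TEXT, Day TEXT, Title TEXT, Description TEXT,
    Value REAL, Timestamp TEXT, AbbrevJob TEXT)');

echo bracedInterpolation($SqlArr, 0), "\n";
$counts = upsertTimesheets($pdo, $SqlArr);
printf("inserted=%d updated=%d\n", $counts['inserted'], $counts['updated']);

foreach ($pdo->query('SELECT EmpId, Day, Description, Value FROM EmployeeTimesheetstemp') as $row) {
    echo implode(' | ', $row), "\n";
}
```

The third sample row carries an apostrophe in its Description on purpose: concatenated into the original query it would have terminated the string literal and broken the statement (or, from an untrusted source, altered it), whereas bound as a parameter it is stored as-is. The same three statements work unchanged over PDO's ODBC driver, so the asker's `odbc_exec` call and its `IF Exists ... Else Insert` text are not needed.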


1 Comment

So the syntax I used for my for-loop should transfer over to my while loop? This is the response my script is spitting out right now... IF Exists (Select * from EmployeeTimesheetstemp where empid= [0] and Day= '[2]' and Title='[3]' and Description='[4]') Update EmployeeTimesheetstemp Set Value=[5] where empid= and Day='[2]' and Title='[3]' and Description='[4]' Else Insert into EmployeeTimeSheetstemp(EmpId,WkEnd,Day,Title,Description,Value,Timestamp,Abbrevjob) Values(, '', '', '', '', ,getDate(), )
