0

I have this function:

protected function insert($data){
        $data['datecreated'] = date('Y-m-d h:i:s');
        echo "array_keys(data) = ".$data['datecreated'];
        var_dump($data);
        echo array_keys($data);
        $sql = "INSERT INTO {$this->table_name} (".  array_keys($data).")"; 
        $sql.= " VALUES ('";
        $sql.=implode("','", $data);
        $sql.=")";
        $this->execute($sql);
        $this->last_id = mysql_insert_id();
    }

When I read array_keys($data) it returns 'Array', not the key. I call it like this: $this->insert(array()); Why is that? EDIT: this is the output:

array_keys(data) = 2012-05-18 04:44:46array(2) { [0]=> array(0) { } ["datecreated"]=> string(19) "2012-05-18 04:44:46" } Array
Notice: Array to string conversion in /Applications/MAMP/htdocs/Tamara/model/dbTable.php on line 105
INSERT INTO account (Array) VALUES ('Array','2012-05-18 04:44:46)You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''2012-05-18 04:44:46)' at line 1
1
  • array_keys( ) returns an array, not a string. Commented May 18, 2012 at 13:49

2 Answers

5

array_keys returns an array with all the keys. You need to implode that as well:

implode(',', array_keys($data));

Edit: And you might want to take a look at this part

$sql.=implode("','", $data);
$sql.=")";

You need a starting and trailing '.


2 Comments

Thanks a lot dude, I upvote the question, but to check it I need 7 minutes as they told me.
No problem. Don't forget to sanitize your input with mysql_real_escape_string or look into using PDO/MySQLi with prepared statements to protect your app against SQL injection.
1

What you want is implode(',', array_keys($data)) since array_keys() returns an array containing all the keys - but you want a comma-separated string:

$sql = "INSERT INTO {$this->table_name} (".implode(',', array_keys($data)).")"; 

By the way, I hope that the values in $data are already escaped. If not, replace implode("','", $data) with implode("','", array_map('mysql_real_escape_string', $data))

3 Comments

My recommendation is to never assume that anything is pre-escaped; it almost always results in someone missing to escape somewhere.
Indeed, escaping should happen at the place where the query is built (or even better, it shouldn't be necessary due to the use of prepared statement or parametrized queries). But while double-escaping is "safe" it'd result in ugly backslashes in the actual data that is stored.
True, which is why escaping should (when, as noted, it is needed) always be done only when building, and never stored in escaped version within the code. This is extra work but worth every bit, byte and second it takes when it comes to security.
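
Added example (not part of the thread or any participant's code): one way to build the same INSERT with a PDO prepared statement, as the comments recommend, so values are bound instead of escaped and column names are checked against an allow-list. The `insertRow` function, the `account` columns and the in-memory SQLite database (requires the pdo_sqlite extension) are assumptions made for the demo.

```php
<?php
/**
 * Insert one row with a prepared statement (hypothetical helper).
 * Values are bound as parameters. Column names cannot be bound, so each key
 * must appear in $allowedColumns before it is placed in the SQL text.
 * $table is expected to be a constant chosen by the calling code, never user input.
 */
function insertRow(PDO $pdo, string $table, array $allowedColumns, array $data): int
{
    $data['datecreated'] = date('Y-m-d H:i:s'); // 'H' is 24-hour; 'h' is 12-hour

    foreach ($data as $column => $value) {
        // Strict comparison also rejects numeric keys, such as the
        // [0] => array() entry visible in the question's var_dump.
        if (!in_array($column, $allowedColumns, true)) {
            throw new InvalidArgumentException('Unexpected column: ' . var_export($column, true));
        }
        if ($value !== null && !is_scalar($value)) {
            throw new InvalidArgumentException("Non-scalar value for column $column");
        }
    }

    $columns = implode(', ', array_keys($data));
    $marks   = implode(', ', array_fill(0, count($data), '?'));
    $stmt    = $pdo->prepare("INSERT INTO $table ($columns) VALUES ($marks)");
    $stmt->execute(array_values($data));
    return (int) $pdo->lastInsertId();
}

// Constructed demo data on an in-memory database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE account (id INTEGER PRIMARY KEY, name TEXT, datecreated TEXT)');
$allowed = ['name', 'datecreated'];

// A value containing a quote is stored verbatim: no escaping, no stray backslashes.
$id = insertRow($pdo, 'account', $allowed, ['name' => "O'Brien"]);
echo "row $id: ", $pdo->query('SELECT name FROM account')->fetchColumn(), PHP_EOL;

// A numeric key with an array value is rejected before any SQL is built.
try {
    insertRow($pdo, 'account', $allowed, [array()]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```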
