1

I tried to find another question with the answer to this but I've had no luck. My question is basically...will this work?

$insert_tweets = "INSERT INTO tweets (
  'id',
  'created_at',
  'from_user_id',
  'profile_image',
  'from_user',
  'from_user_name',
  'text' 
  ) VALUES (
  {$user_data[$i]["id"]},
  {$user_data[$i]["created_at"]},
  {$user_data[$i]["from_user_id"]},
  {$user_data[$i]["profile_image"]},
  {$user_data[$i]["from_user"]},
  {$user_data[$i]["from_user_name"]},
  {$user_data[$i]["text"]}
)"

        for($i=0;$i<count($user_data);$i++){
            mysqli_query($mysqli,$insert_tweets);
        }

$user_data is a multi-dimensional array: the first level is numeric, and the subsequent level is associative.

Also, what would be the best way to "database prepare"/sanitize the associative array variables prior to insertion? I don't anticipate any malicious data but it is always possible.

2
  • Yes, it will work if you fix the syntax error (missing ; at the end of the SQL string, after )") and move the SQL string inside your for loop. Commented Jul 27, 2012 at 2:46
  • You don't need the single quotes around the column names. Commented Jul 27, 2012 at 2:49

3 Answers

3
        for($i=0;$i<count($user_data);$i++){
            $insert_tweets = "INSERT INTO tweets ('id','created_at','from_user_id','profile_image','from_user','from_user_name','text') VALUES ({$user_data[$i]["id"]},{$user_data[$i]["created_at"]},{$user_data[$i]["from_user_id"]},{$user_data[$i]["profile_image"]},{$user_data[$i]["from_user"]},{$user_data[$i]["from_user_name"]},{$user_data[$i]["text"]})";
            mysqli_query($mysqli,$insert_tweets);
        }

This should work


2 Comments

Oh geez, what a stupid error. Thanks for catching that. In short, the SQL statement looks okay though?
Hey, try this and tell me what happens.
3

Yes, it will work, but the best way to do this would be to use PDO.

You can create nameless parameters in your prepare statement and then just pass in an array to bind values to those params.

$data = array('val1', 'val2');
$query = $db->prepare("INSERT INTO table (col1, col2) VALUES (? , ?)");
$query->execute($data);

PDO will escape the input values for you.

Here's a tutorial on PDO to get you started http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/
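
The prepared-statement approach from this answer, applied to the question's tweets table and $user_data layout, as an added example that is not part of the original answer. It assumes the pdo_sqlite extension and uses an in-memory SQLite database with constructed rows so it runs without a server; the table definition and sample values are assumptions.

```php
<?php
// Added example: in-memory SQLite so it runs offline. For MySQL only the DSN
// changes; there, also set PDO::ATTR_EMULATE_PREPARES to false so the server
// does the parameter binding.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tweets (id TEXT PRIMARY KEY, created_at TEXT,
    from_user_id TEXT, profile_image TEXT, from_user TEXT,
    from_user_name TEXT, text TEXT)');

// Constructed rows in the shape the question describes: numeric outer level,
// associative inner level. The first row carries quotes and SQL metacharacters.
$user_data = array(
    array('id' => '1001', 'created_at' => '2012-07-27 02:40:00',
          'from_user_id' => '42', 'profile_image' => 'http://example.com/a.png',
          'from_user' => 'alice', 'from_user_name' => "Alice O'Neil",
          'text' => "it's \"quoted\"'); DROP TABLE tweets; --",
          'unexpected_key' => 'never reaches the query'),
    array('id' => '1002', 'created_at' => '2012-07-27 02:41:00',
          'from_user_id' => '43', 'profile_image' => 'http://example.com/b.png',
          'from_user' => 'bob', 'from_user_name' => 'Bob', 'text' => 'hello'),
);

// Column names come from this fixed list, never from the data, so only
// values travel as parameters.
$columns = array('id', 'created_at', 'from_user_id', 'profile_image',
                 'from_user', 'from_user_name', 'text');
$names = array_map(function ($c) { return ':' . $c; }, $columns);
$stmt = $db->prepare('INSERT INTO tweets (' . implode(', ', $columns) . ')'
                   . ' VALUES (' . implode(', ', $names) . ')');

// Prepare once, execute per row; one transaction so a failure inserts nothing.
$db->beginTransaction();
try {
    foreach ($user_data as $row) {
        $params = array();
        foreach ($columns as $c) {
            $params[':' . $c] = isset($row[$c]) ? $row[$c] : null;
        }
        $stmt->execute($params);
    }
    $db->commit();
} catch (Exception $e) {
    $db->rollBack();
    throw $e;
}

// Read back: the table still exists and the text is stored byte for byte.
echo $db->query('SELECT COUNT(*) FROM tweets')->fetchColumn(), " rows\n";
echo $db->query("SELECT text FROM tweets WHERE id = '1001'")->fetchColumn(), "\n";
```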


1

Here is my suggestion on sanitizing your array:

What I do is create a basic function for sanitizing data:

function array_sanitize(&$item){
    $item = mysql_real_escape_string($item);
}

Then you can use array_walk() to sanitize your array with your new function. (PHP manual reference)

and sanitize by passing in your array like this:

array_walk($user_data, 'array_sanitize');
