Database Insert

Started by Christopher R., August 11, 2011, 07:05:33 PM


Christopher R.

Hi all,

I'm working on a custom page where I'm adding content to a database from user-based input, and I was wondering how to properly escape the input and insert the data into the database. Could anyone show me an easy-to-understand example?

All Colours Sam

Really depends on what SMF version you are using.

For 2.0 you can use $smcFunc to sanitize your data:


global $smcFunc;

// htmlspecialchars() takes the string and the quote style; htmltrim() takes only the string
$toclean = $smcFunc['htmlspecialchars']($toclean, ENT_QUOTES);
$toclean = $smcFunc['htmltrim']($toclean);


If you're using 1.1.x then you can use the normal PHP functions trim() and htmlspecialchars().
Oh, wouldn't it be great if I *was* crazy? ...then the world would be okay
Suki

Christopher R.

Oh, that's right, I forgot to mention what version I'm running. I'm using version 2.0. With $smcFunc['htmlspecialchars'], can I pass in an array of content to sanitize?

All Colours Sam

If you want to clean up every entry in the array, use a foreach(); as far as I know $smcFunc['htmlspecialchars'] only does strings.
Oh, wouldn't it be great if I *was* crazy? ...then the world would be okay
Suki

Christopher R.

Quote from: Miss All Sunday on August 11, 2011, 08:18:00 PM
If you want to clean up every entry in the array, use a foreach(); as far as I know $smcFunc['htmlspecialchars'] only does strings.

Thanks! Now I just need to figure out how to insert into the database properly. I'm using a lot of different data types too: strings, int, bool, etc., so it would be nice to see how these would be inserted into the database, because I'm completely lost on how to do it. I can't understand the example here: http://www.simplemachines.org/community/index.php?topic=224166.0#post_db_insert

Could someone rewrite that example with more real-world content with maybe what I have so I can learn from example?

All Colours Sam

A simple way to insert an int, for example, would be:


<?php

global $smcFunc;

// Check the $_POST variable
if (empty($_POST['something']))
	fatal_lang_error('no_post', false);

// Cleaning: the column is an int, so cast the value. db_insert aborts with a
// "Wrong value type" error if something non-numeric is passed for an 'int' column,
// so htmlspecialchars() is the wrong tool here (it is for strings you will output as HTML).
$something = (int) $_POST['something'];

// Let's do the insert
$smcFunc['db_insert']('replace', // 'replace' overwrites a row with the same key; use 'insert' for a plain insert
	'{db_prefix}some_table',
	array(
		'something' => 'int', // Since it's an int, let's declare int here
	),
	array(
		$something, // the value we are gonna insert
	),
	array('something') // the key column(s); only used by 'replace' on non-MySQL backends
);



That's about it; this will insert an int ($something) into the table some_table. For a string you use:

array(
	'something' => 'string'
),
Oh, wouldn't it be great if I *was* crazy? ...then the world would be okay
Suki
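A fuller version with mixed types, as an added example that is not code from this thread or from SMF itself. It assumes SMF 2.0 and a hypothetical table {db_prefix}my_notes whose columns (id_note, id_member, subject, body, is_private, poster_time) are made up here. The point the thread blurs is that $smcFunc['htmlspecialchars'] protects the page that later outputs the value (XSS); escaping for the database is done by db_insert itself from the type you declare for each column, so you never escape for SQL by hand, and ints and bools are cast rather than HTML-escaped. The foreach helper also answers the earlier question about sanitizing several fields at once.

```php
<?php
// Added example, not from the thread or from SMF. Assumes SMF 2.0 and a
// hypothetical table {db_prefix}my_notes with these made-up columns:
//   id_note INT AUTO_INCREMENT (primary key), id_member INT, subject VARCHAR(255),
//   body TEXT, is_private TINYINT, poster_time INT

global $smcFunc, $user_info;

// Sanitize the named string fields of $_POST. $smcFunc['htmlspecialchars'] only
// takes a string, so loop over the fields you expect (never over all of $_POST).
// This is HTML escaping for later output; it is not SQL escaping.
function clean_post_strings(array $names)
{
	global $smcFunc;

	$clean = array();
	foreach ($names as $name)
	{
		$value = isset($_POST[$name]) && is_string($_POST[$name]) ? $_POST[$name] : '';
		$value = $smcFunc['htmltrim']($value);
		$clean[$name] = $smcFunc['htmlspecialchars']($value, ENT_QUOTES);
	}
	return $clean;
}

// A form that writes to the database needs the session check that SMF's own
// POST handlers use; without it any site can submit the form on the user's behalf (CSRF).
checkSession('post');

$strings = clean_post_strings(array('subject', 'body'));
if ($strings['subject'] === '' || $strings['body'] === '')
	fatal_error('Both a subject and a body are required.', false);

// Non-string types are cast, not HTML-escaped. SMF has no bool column type, so a
// flag is stored as 0/1 in an int column. db_insert refuses a non-numeric value
// for an 'int' column ("Wrong value type sent to the database").
$is_private = empty($_POST['is_private']) ? 0 : 1;

// The column types drive the escaping: 'int' is cast, 'string' is quoted and
// escaped for the database driver, 'string-255' additionally truncates to the
// column width. The data array must be in the same order as the columns array.
$smcFunc['db_insert']('insert',
	'{db_prefix}my_notes',
	array(
		'id_member'   => 'int',
		'subject'     => 'string-255',
		'body'        => 'string',
		'is_private'  => 'int',
		'poster_time' => 'int',
	),
	array(
		$user_info['id'],
		$strings['subject'],
		$strings['body'],
		$is_private,
		time(),
	),
	array('id_note') // key columns; consulted by 'replace' on non-MySQL backends, harmless for 'insert'
);

// The auto-increment id of the row just written, e.g. for a redirect to it.
$id_note = $smcFunc['db_insert_id']('{db_prefix}my_notes', 'id_note');
```

Use 'insert' unless you really want the 'replace' behaviour from the post above: 'replace' deletes and re-inserts a row whose key already exists, so it silently overwrites data, and 'ignore' silently drops the duplicate instead. If you ever need the method-and-array form for several rows at once, pass an array of data arrays as the fourth argument; db_insert accepts either a single row or a list of rows.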

Stumpy

What field will it insert it into?

IchBin™

In her example, $something is what is getting inserted into the database.
IchBin™ TinyPortal
