pg_insert

(PHP 4 >= 4.3.0, PHP 5, PHP 7, PHP 8)

pg_insert — 将数组插入到表中

说明

pg_insert(
    PgSql\Connection $connection,
    string $table_name,
    array $values,
    int $flags = PGSQL_DML_EXEC
): PgSql\Result|string|bool

pg_insert() 将 values 中的值插入到由 table_name 指定的表中。

如果指定 flags，则 pg_convert() 使用指定 flag 应用于 values。

默认情况下 pg_insert() 传递原始值。值必须转义或必须在 flags 中指定 PGSQL_DML_ESCAPE flag。PGSQL_DML_ESCAPE 引用并转义参数/标识符。因此，表/列名称变得区分大小写。

注意转义和预处理查询都不能保护 LIKE 查询、JSON、Array、Regex 等，这些参数要根据上下文来处理。即转义/验证值。

参数

connection: PgSql\Connection 实例。
table_name: 要插入记录的表名。表 table_name 中的列必须至少要有 values 中的单元那么多。
values: array，其键是表 table_name 中的字段名称，其值是要插入的匹配行。
flags: 任意数量的 PGSQL_CONV_OPTS、PGSQL_DML_NO_CONV、PGSQL_DML_ESCAPE、PGSQL_DML_EXEC、PGSQL_DML_ASYNC 或 PGSQL_DML_STRING 的组合。当 PGSQL_DML_STRING 是 flags 的一部分，然后将返回查询字符串。当设置了 PGSQL_DML_NO_CONV 或 PGSQL_DML_ESCAPE 时，不会在内部调用 pg_convert()。

返回值

成功时返回 true，或者在失败时返回 false。如果通过 flags 传递 PGSQL_DML_STRING，成功时返回 string。

错误／异常

当指定的表无效时，会抛出 ValueError。

当字段的值或类型不能正确匹配 PostgreSQL的类型时，会抛出 ValueError 或 TypeError。

更新日志

版本	说明
8.3.0	当指定的表无效时，现在会抛出 ValueError 错误；之前触发 `E_WARNING`。
8.3.0	当字段的值或类型不能正确匹配 PostgreSQL 的类型时，现在会抛出 ValueError 或 TypeError 错误；之前触发 `E_WARNING`。
8.1.0	现在返回 PgSql\Result 实例，之前返回 resource
8.1.0	现在 `connection` 参数接受 PgSql\Connection 实例，之前接受 resource。

示例

示例 #1 pg_insert() 示例

<?php 
  $dbconn = pg_connect('dbname=foo');
// 在某种程度上安全，因为所有值都转义了。
  // 然而 PostgreSQL 支持 JSON/Array。无论是
  // 转义还是预处理都不安全。
$res = pg_insert($dbconn, 'post_log', $_POST, PGSQL_DML_ESCAPE);
  if ($res) {
      echo "POST data is successfully logged\n";
  } else {
      echo "User must have sent wrong inputs\n";
  }
?>

参见

pg_convert() - 将关联的数组值转换为适合 SQL 语句的格式

发现了问题？

了解如何改进此页面 • 提交拉取请求 • 报告一个错误

＋添加备注

用户贡献的备注 9 notes

down

shane at treesandthings dot com ¶

21 years ago

Returns SQL statement, slight improvement on the code from 'rorezende at hotmail dot com'.  This version adds bool values correctly.It also checks to make sure there is actually a value in the array before including it in the sql statement. (ie: null values or empty strings won't be added to the sql statement)

<?PHP
function db_build_insert($table,$array)
{

$str = "insert into $table ";
$strn = "(";
$strv = " VALUES (";
   while(list($name,$value) = each($array)) {

       if(is_bool($value)) {
$strn .= "$name,";
$strv .= ($value ? "true":"false") . ",";
                continue;
        };

       if(is_string($value)) {
$strn .= "$name,";
$strv .= "'$value',";
                continue;
        }
       if (!is_null($value) and ($value != "")) {
$strn .= "$name,";
$strv .= "$value,";
                continue;
       }
   }
$strn[strlen($strn)-1] = ')';
$strv[strlen($strv)-1] = ')';
$str .= $strn . $strv;
   return $str;

}
?>

down

skippy at zuavra dot net ¶

20 years ago

Beware of the following: pg_insert() and pg_update() are adding slashes to all character-like fields they work with. This makes them SQL injection super-safe, but there are unwanted consequences, as follows:

If you have a regular setup with magic_quotes_gcp=On, and you use pg_insert() or pg_update(), you will end up with fields that look as if you used addslashes() twice. To solve this, you can use stripslashes() on the data just before using it with pg_insert() or pg_update().

There's another alternative, which seems better to me. Why make yourself crazy all over the code, adding slashes, stripping slashes, worrying whether magic_quotes_gpc is on or off and so on and so forth? Why do this, when the only place you actually need those slashes is right when you push the data into the database?

So why not get rid of your addslashes() and stripslashes() from all over your code, and turn magic_quotes_gcp off. As long as you always use pg_insert() and pg_update() to do your DB work, you're SQL-injection safe AND slash-headache free.

down

jsnell at e-normous dot com ¶

17 years ago

If you need schema support, this function will do something similar to pg_insert:

function pg_insert_with_schema($connection, $table, $updates) 
{
 $schema = 'public';
 if (strpos($table, '.') !== false)
    list($schema, $table) = explode('.', $table);

    if (count($updates) == 0) {
        $sql = "INSERT INTO $schema.\"$table\" DEFAULT VALUES";
            return pg_query($sql);
        } else {
 $sql = "INSERT INTO $schema.\"$table\" ";

 $sql .= '("';
 $sql .= join('", "', array_keys($updates));
 $sql .= '")';

 $sql .= ' values (';
 for($i = 0; $i < count($updates); $i++)
   $sql .= ($i != 0? ', ':'').'$'.($i+1);
 $sql .= ')';
 return pg_query_params($connection, $sql, array_values($updates));
 }
}

down

phpuser at ego dot gen dot nz ¶

13 years ago

This function cannot be used to insert a record with only default values - i.e. with an assoc_array of array()

down

Anonymous ¶

3 years ago

$Result = pg_query_params($db,'INSERT INTO table1 (a, b, c) VALUES ($1,$2,$3) RETURNING *', array('1','2','3');
$Row = pg_fetch_assoc($Result);
pg_insert($db, 'table2', $Row);

pg_insert fail silently if one or more fields on table2 have different names than on table1

down

mina86 at tlen dot pl ¶

20 years ago

Next version :) My version checks whether value is bool, null, string or numeric and if one of the values is not function returns false if not. null values are inserted as NULL, bool as true or false and strings are add-shlashed before adding to query string. Note, that this function is not safe. SQL injection is possible with column names if you use $_POST or something similar as a $array.

<?php
function db_build_insert($table, $array) {
  if (count($array)===0) return false;
$columns = array_keys($array);
$values = array_values($array);
  unset($array);

  for ($i = 0, $c = count($values); $i$c; ++$i) {
    if (is_bool($values[$i])) {
$values[$i] = $values[$i]?'true':'false';
    } elseif (is_null($values[$i])) {
$values[$i] = 'NULL';
    } elseif (is_string($values[$i])) {
$values[$i] = "'" . addslashes($values[$i]) . "'";
    } elseif (!is_numeric($values[$i])) {
      return false;
    }
  }

  return "INSERT INTO $table ($column_quote" . implode(', ', $columns) .
") VALUES (" . implode(', ', $values) . ")";
}
?>

down

-1

excalibur at nospam dot icehouse dot net ¶

18 years ago

Today at work I isolated a problem I was having with this function to how I was formatting the date.  I was assigning the date in my code as follows:

$today = date( "Ymd" ); // ISO 8601

This format is acceptable to PostgreSQL, as verified by their documentation and buy tests using psql.  However, to make it work in my code, I had to make the following change:

$today = date( "Y-m-d" ); // also ISO 8601 format

down

-3

rorezende at hotmail dot com ¶

21 years ago

Time is money, then I write a function similar to pg_insert in PHP (only output sql statement) :

   function db_mount_insert($table,$array) {

    $str = "insert into $table (";
    while(list($name,$value) = each($array)) {        
        $str .= "$name,";        
    }
    $str[strlen($str)-1] = ')';
    $str .= " values (";
    reset($array);
    while(list($name,$value) = each($array)) {        
        if(is_string($value))
            $str .= "'$value',";
        else
            $str .= "$value,";
    }
    $str[strlen($str)-1] = ')';
    $str .= ";"    ;

    return $str;

   }

down

-4

ANDYCHR17 at HOTMAIL dot COM ¶

18 years ago

Had a few issues while trying to run this in PHP 4.4.0:

- I could not get it to work with column names that are SQL reserved words (example: desc, order). I was forced to change the column names in order to use the function. I could not put the column names in quotes, because that caused pg_convert() to fail.

- Function was returning false until I passed the PGSQL_DML_EXEC option.