pg_insert

(PHP 4 >= 4.3.0, PHP 5, PHP 7, PHP 8)

pg_insert - Insert an array into a table

Description

pg_insert(
    PgSql\Connection $connection,
    string $table_name,
    array $values,
    int $flags = PGSQL_DML_EXEC
): PgSql\Result|string|bool

pg_insert() inserts values into the table table_name.

If flags is specified, pg_convert() is applied to values with the given flags.

By default, pg_insert() passes raw values. Values must be escaped, or the PGSQL_DML_ESCAPE flag must be specified in flags. PGSQL_DML_ESCAPE quotes and escapes parameters/identifiers. As a consequence, table and column names become case-sensitive.

Note that neither escaping nor prepared queries can protect LIKE queries, JSON, arrays, regular expressions, etc. These parameters must be handled according to their context, that is, by escaping/validating the values.

Parameters

connection

A PgSql\Connection instance.

table_name

Name of the table into which to insert rows. The table table_name must have at least as many columns as values has elements.

values

An array whose keys are field names in the table table_name, and whose values are the values of those fields that are to be inserted.

flags

Any combination of PGSQL_CONV_OPTS, PGSQL_DML_NO_CONV, PGSQL_DML_ESCAPE, PGSQL_DML_EXEC, PGSQL_DML_ASYNC or PGSQL_DML_STRING. If PGSQL_DML_STRING is part of flags, the query string is returned. When PGSQL_DML_NO_CONV or PGSQL_DML_ESCAPE is set, pg_convert() is not called internally.

Return Values

Returns true on success or false on failure. Returns a string if PGSQL_DML_STRING is passed via flags.

Errors/Exceptions

A ValueError is thrown when the specified table is invalid.

A ValueError or TypeError is thrown when the value or type of a field does not properly match a PostgreSQL type.

Changelog

Version Description
8.3.0 Now throws a ValueError when the specified table is invalid; previously, an E_WARNING was emitted.
8.3.0 Now throws a ValueError or TypeError when the value or type of a field does not properly match a PostgreSQL type; previously, an E_WARNING was emitted.
8.1.0 Returns a PgSql\Result instance now; previously, a resource was returned.
8.1.0 The connection parameter expects a PgSql\Connection instance now; previously, a resource was expected.

Examples

Example #1 pg_insert() example

<?php
$dbconn = pg_connect('dbname=foo');
// This is safe to some extent, since all values are escaped.
// However, PostgreSQL supports JSON/arrays. These are not
// made safe by either escaping or prepared queries.
$res = pg_insert($dbconn, 'post_log', $_POST, PGSQL_DML_ESCAPE);
if ($res) {
    echo "Los datos POSTeados han podido ser registrados con éxito.\n";
} else {
    echo "Hay un problema con los datos.\n";
}
?>
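
The comments in Example #1 note that passing $_POST straight through is only partly safe. The following is an added example, not code from the PHP manual: it restricts the array keys to a fixed column list and validates a JSON field according to its context before the row reaches pg_insert(). The post_log columns (author, title, meta), the length limit and the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed post_log layout (not from the manual): author text, title text, meta jsonb.
function clean_post_log_row(array $input): array
{
    $row = [];
    foreach (['author', 'title', 'meta'] as $col) {
        if (!array_key_exists($col, $input)) {
            continue; // absent fields are left to the column default
        }
        $value = $input[$col];
        if (!is_string($value)) {
            // A form field named "title[]" arrives as an array; refuse it.
            throw new InvalidArgumentException("$col must be a string");
        }
        if ($col === 'meta') {
            // JSON context: quoting does not make a document well-formed, so parse
            // it first. json_decode() throws JsonException on malformed input.
            $decoded = json_decode($value, true, 16, JSON_THROW_ON_ERROR);
            if (!is_array($decoded)) {
                throw new InvalidArgumentException('meta must be a JSON object or array');
            }
        } elseif (strlen($value) > 200) {
            throw new InvalidArgumentException("$col is too long");
        }
        $row[$col] = $value;
    }
    return $row;
}

function insert_post_log(PgSql\Connection $dbconn, array $input): bool
{
    $row = clean_post_log_row($input);
    // Keys are now a fixed set and values are checked. PGSQL_DML_ESCAPE does the
    // quoting; PGSQL_DML_EXEC is passed explicitly so the statement is executed.
    $flags = PGSQL_DML_ESCAPE | PGSQL_DML_EXEC;
    return $row !== [] && pg_insert($dbconn, 'post_log', $row, $flags) !== false;
}

// Constructed request body: "is_admin" is not a post_log column and is dropped.
$sample = ['author' => 'ana', 'title' => "O'Reilly", 'meta' => '{"tags":["a","b"]}', 'is_admin' => '1'];
var_dump(clean_post_log_row($sample));
```

The demonstration at the bottom runs without a database; insert_post_log() needs a live connection such as the one opened in Example #1.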

See Also

  • pg_convert() - Convert associative array values into forms suitable for SQL statements


User Contributed Notes 9 notes

up
6
shane at treesandthings dot com
21 years ago
Returns SQL statement, slight improvement on the code from 'rorezende at hotmail dot com'. This version adds bool values correctly. It also checks to make sure there is actually a value in the array before including it in the sql statement. (ie: null values or empty strings won't be added to the sql statement)

<?PHP
function db_build_insert($table,$array)
{
    $str = "insert into $table ";
    $strn = "(";
    $strv = " VALUES (";
    // foreach replaces while(list(...) = each(...)); each() was removed in PHP 8.0
    foreach ($array as $name => $value) {

        if (is_bool($value)) {
            $strn .= "$name,";
            $strv .= ($value ? "true":"false") . ",";
            continue;
        }

        // Strings are wrapped in single quotes as-is; nothing is escaped here
        if (is_string($value)) {
            $strn .= "$name,";
            $strv .= "'$value',";
            continue;
        }
        if (!is_null($value) and ($value != "")) {
            $strn .= "$name,";
            $strv .= "$value,";
            continue;
        }
    }
    $strn[strlen($strn)-1] = ')';
    $strv[strlen($strv)-1] = ')';
    $str .= $strn . $strv;
    return $str;
}
?>
up
1
skippy at zuavra dot net
20 years ago
Beware of the following: pg_insert() and pg_update() are adding slashes to all character-like fields they work with. This makes them SQL injection super-safe, but there are unwanted consequences, as follows:

If you have a regular setup with magic_quotes_gpc=On, and you use pg_insert() or pg_update(), you will end up with fields that look as if you used addslashes() twice. To solve this, you can use stripslashes() on the data just before using it with pg_insert() or pg_update().

There's another alternative, which seems better to me. Why make yourself crazy all over the code, adding slashes, stripping slashes, worrying whether magic_quotes_gpc is on or off and so on and so forth? Why do this, when the only place you actually need those slashes is right when you push the data into the database?

So why not get rid of your addslashes() and stripslashes() from all over your code, and turn magic_quotes_gpc off? As long as you always use pg_insert() and pg_update() to do your DB work, you're SQL-injection safe AND slash-headache free.
up
1
jsnell at e-normous dot com
17 years ago
If you need schema support, this function will do something similar to pg_insert:

function pg_insert_with_schema($connection, $table, $updates)
{
    // Default to the public schema unless the name is given as schema.table
    $schema = 'public';
    if (strpos($table, '.') !== false)
        list($schema, $table) = explode('.', $table);

    if (count($updates) == 0) {
        $sql = "INSERT INTO $schema.\"$table\" DEFAULT VALUES";
        return pg_query($connection, $sql);
    } else {
        $sql = "INSERT INTO $schema.\"$table\" ";

        $sql .= '("';
        $sql .= join('", "', array_keys($updates));
        $sql .= '")';

        // One $n placeholder per value; the values are bound by pg_query_params()
        $sql .= ' values (';
        for($i = 0; $i < count($updates); $i++)
            $sql .= ($i != 0? ', ':'').'$'.($i+1);
        $sql .= ')';
        return pg_query_params($connection, $sql, array_values($updates));
    }
}
up
1
phpuser at ego dot gen dot nz
13 years ago
This function cannot be used to insert a record with only default values - i.e. with an assoc_array of array()
up
1
Anonymous
3 years ago
$Result = pg_query_params($db,'INSERT INTO table1 (a, b, c) VALUES ($1,$2,$3) RETURNING *', array('1','2','3'));
$Row = pg_fetch_assoc($Result);
pg_insert($db, 'table2', $Row);

pg_insert fails silently if one or more fields on table2 have different names than on table1
up
0
mina86 at tlen dot pl
21 years ago
Next version :) My version checks whether each value is bool, null, string or numeric, and if one of the values is not, the function returns false. null values are inserted as NULL, bool as true or false, and strings are add-slashed before being added to the query string. Note that this function is not safe. SQL injection is possible with column names if you use $_POST or something similar as $array.

<?php
function db_build_insert($table, $array) {
    if (count($array)===0) return false;
    $columns = array_keys($array);
    $values = array_values($array);
    unset($array);

    for ($i = 0, $c = count($values); $i < $c; ++$i) {
        if (is_bool($values[$i])) {
            $values[$i] = $values[$i]?'true':'false';
        } elseif (is_null($values[$i])) {
            $values[$i] = 'NULL';
        } elseif (is_string($values[$i])) {
            $values[$i] = "'" . addslashes($values[$i]) . "'";
        } elseif (!is_numeric($values[$i])) {
            return false;
        }
    }

    // Column names are inserted as given, without quoting or validation
    return "INSERT INTO $table (" . implode(', ', $columns) .
        ") VALUES (" . implode(', ', $values) . ")";
}
?>
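
mina86's note points out that column names taken from $_POST can carry SQL injection, and phpuser's note that an empty array cannot be inserted. As an added example (not code from the manual or from any of the note authors), one way to build such a statement: identifiers are checked against a strict pattern and quoted, values travel as pg_query_params() parameters, and an empty array yields DEFAULT VALUES. The function names and the sample table and columns are assumptions.

```php
<?php
declare(strict_types=1);

// Accept only plain identifiers (at most 63 bytes), then double-quote them.
function quote_ident(string $name): string
{
    if (!preg_match('/\A[A-Za-z_][A-Za-z0-9_]{0,62}\z/', $name)) {
        throw new InvalidArgumentException('invalid identifier: ' . $name);
    }
    return '"' . $name . '"';
}

// Returns [sql, params] for pg_query_params(); values never enter the SQL text.
function build_insert(string $table, array $row): array
{
    // An optional schema prefix is allowed, as in "public.post_log".
    $target = implode('.', array_map('quote_ident', explode('.', $table, 2)));
    if ($row === []) {
        return ["INSERT INTO $target DEFAULT VALUES", []];
    }
    $columns = [];
    $placeholders = [];
    foreach (array_keys($row) as $i => $name) {
        $columns[] = quote_ident((string) $name);
        $placeholders[] = '$' . ($i + 1);
    }
    $sql = sprintf('INSERT INTO %s (%s) VALUES (%s)',
        $target, implode(', ', $columns), implode(', ', $placeholders));
    return [$sql, array_values($row)];
}

// Constructed input: the quote in the value stays in $params, not in $sql.
[$sql, $params] = build_insert('public.post_log', ['title' => "O'Reilly", 'views' => 3]);
echo $sql, "\n";
// With a live connection: pg_query_params($dbconn, $sql, $params);

// Constructed malformed key, as when $_POST keys are used as column names.
try {
    build_insert('post_log', ['title" --' => 'x']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Because the identifiers are double-quoted, table and column names are matched case-sensitively, the same effect the manual describes for PGSQL_DML_ESCAPE.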
up
-1
excalibur at nospam dot icehouse dot net
18 years ago
Today at work I isolated a problem I was having with this function to how I was formatting the date. I was assigning the date in my code as follows:

$today = date( "Ymd" ); // ISO 8601

This format is acceptable to PostgreSQL, as verified by their documentation and by tests using psql. However, to make it work in my code, I had to make the following change:

$today = date( "Y-m-d" ); // also ISO 8601 format
up
-3
rorezende at hotmail dot com
21 years ago
Time is money, so I wrote a function similar to pg_insert in PHP (it only outputs the SQL statement):

function db_mount_insert($table,$array) {

    $str = "insert into $table (";
    // foreach replaces while(list(...) = each(...)); each() was removed in PHP 8.0
    foreach ($array as $name => $value) {
        $str .= "$name,";
    }
    $str[strlen($str)-1] = ')';
    $str .= " values (";
    foreach ($array as $name => $value) {
        // String values are quoted but not escaped
        if(is_string($value))
            $str .= "'$value',";
        else
            $str .= "$value,";
    }
    $str[strlen($str)-1] = ')';
    $str .= ";" ;

    return $str;

}
up
-4
ANDYCHR17 at HOTMAIL dot COM
19 years ago
Had a few issues while trying to run this in PHP 4.4.0:

- I could not get it to work with column names that are SQL reserved words (example: desc, order). I was forced to change the column names in order to use the function. I could not put the column names in quotes, because that caused pg_convert() to fail.

- Function was returning false until I passed the PGSQL_DML_EXEC option.